Re: Effectiveness of Forced Password Changing
From: david20@alpha1.mdx.ac.uk
Date: 05/01/02
- Next message: George B. Magklaras: "Re: Intrusion Detection Systems"
- Previous message: Raghu: "siteminder cookies problem"
- In reply to: Liam: "Re: Effectiveness of Forced Password Changing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: david20@alpha1.mdx.ac.uk Date: Wed, 1 May 2002 13:58:25 +0000 (UTC)
In article <ksmz8.56361$%s3.22466205@typhoon.ne.ipsvc.net>, "Liam" <l-i-a-m-g-r-a-n-t@attbi.com> writes:
>Sorry, no studies to point to. However, if mandatory changes are enforced,
>both maximum and minimum life spans need to be set and a history size (1 <
>password life < 90 days, no reuse of last 10 passwords); this prevents people
>from reusing the same two passwords over and over.
Using a minimum life span is a bad idea. (User changes his password and
immediately realises someone was looking over his shoulder as he changed it
- he's now stuck with the disclosed password for whatever the minimum password
lifetime is.) Better not to have a minimum password lifetime but to use the
history list to prevent him reusing a fairly large number of old passwords
(e.g. 50).
David Webb
VMS and Unix team leader
CCSS
Middlesex University
>If this policy is
>implemented, along with strong password checking (preferably) a strong
>education program is recommended, covering why passwords need to be
>protected, how to choose a strong password, how to remember a password, how
>to write down reminders (not the passwords) and how to protect them. Then
>make it easier to request a password reset without opening a social
>engineering security hole.
>
>Every time I saw mandatory changes effectively implemented, the calls to the
>help desk increased. Gotta make sure the right person requests and receives
>new passwords.
>
>Good luck
>Liam
>
>"Al Spohn" <spohn@mayo.edu> wrote in message
>news:a9hnsp$s4a$1@tribune.mayo.edu...
>> Our organization is on the brink of mandating the changing of passwords
>> every 90 days. In my former life in military intelligence, we found that
>> physical security was by far our biggest concern, and that the effect of
>> forcing people to change their password resulted in a proliferation of
>> passwords on yellow stickies under (or sometimes even on top of) desks. For
>> every relatively sophisticated "hack" there were probably about 1000
>> physical security lapses similar to what I described above.
>>
>> Is anyone aware of any research that ties mandatory password refreshing with
>> an increase in physical security risk? My impression is that mandatory
>> password changing, while oftentimes applicable, tends to be a knee-jerk
>> security countermeasure with largely unexplored physical security
>> ramifications.
>>
>> Thanks in advance for any light that can be shed on this topic.
>>
>> - Al
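The two controls argued over in this thread (a minimum password age versus a deep reuse-history list) can be modelled in a few lines so the shoulder-surfing case can actually be exercised. The following is an added example, not code from the post or from any system mentioned in it. It assumes PBKDF2-HMAC-SHA256 with a per-entry salt for the stored history, a history depth of 50 (the "fairly large number" suggested above), and the caller passing time in as plain seconds; the scenario functions and their password strings are constructed for the demonstration.

```python
"""Password-change policy model: reuse-history list versus minimum age.

Added example (not from the mailing-list post).  It models a per-user
password record with a salted, hashed history and shows why a non-zero
minimum age locks a user to a password that has just been disclosed,
while a deep history list alone still blocks cycling back to old ones.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HISTORY_SIZE = 50            # assumption: "fairly large number of old passwords"
PBKDF2_ITERATIONS = 50_000   # assumption; tune the work factor for real hardware
DAY = 86_400                 # seconds


@dataclass
class PasswordRecord:
    # (salt, digest) pairs, newest first; entry 0 is the password in use.
    history: list = field(default_factory=list)
    last_change: float = 0.0


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def _in_history(record: PasswordRecord, candidate: str) -> bool:
    # Each entry has its own salt, so every comparison is a fresh PBKDF2 run;
    # constant-time compare avoids leaking how close a candidate digest is.
    return any(hmac.compare_digest(_digest(candidate, salt), digest)
               for salt, digest in record.history)


def change_password(record, new_password, now, min_age_days=0,
                    history_size=HISTORY_SIZE):
    """Apply a change request; return (accepted, reason).

    min_age_days > 0 is the policy the post argues against: once set, the
    password cannot be replaced for that long even if it was observed.
    min_age_days == 0 with a deep history is the alternative recommended.
    """
    if record.history and now - record.last_change < min_age_days * DAY:
        return False, "minimum password age not reached"
    if _in_history(record, new_password):
        return False, "password matches one of the last %d" % len(record.history)
    salt = os.urandom(16)
    record.history.insert(0, (salt, _digest(new_password, salt)))
    del record.history[history_size:]       # forget entries beyond the window
    record.last_change = now
    return True, "changed"


def shoulder_surfing_scenario(min_age_days):
    """User sets a password, realises it was observed, tries again 60 s later."""
    rec = PasswordRecord()
    change_password(rec, "correct horse", now=0, min_age_days=min_age_days)
    accepted, _ = change_password(rec, "battery staple", now=60,
                                  min_age_days=min_age_days)
    return accepted


def reuse_after_cycling(history_size, cycles):
    """Set a password, rotate through `cycles` others, then try the original.

    With a small history the original drops out of the window and is accepted
    again (the two-password shuffle); with a deep history it is still rejected.
    """
    rec = PasswordRecord()
    t = 0
    change_password(rec, "original", now=t, history_size=history_size)
    for i in range(cycles):
        t += DAY
        change_password(rec, "rotated-%d" % i, now=t, history_size=history_size)
    accepted, _ = change_password(rec, "original", now=t + DAY,
                                  history_size=history_size)
    return accepted


if __name__ == "__main__":
    print("min age 1 day, change after 60 s:   ", shoulder_surfing_scenario(1))
    print("no min age, change after 60 s:      ", shoulder_surfing_scenario(0))
    print("history 2, cycle 2, reuse original: ", reuse_after_cycling(2, 2))
    print("history 50, cycle 2, reuse original:", reuse_after_cycling(50, 2))
```

The history check costs one PBKDF2 run per stored entry, so a depth of 50 makes every change attempt noticeably slower than a login; that is acceptable for an interactive change but is worth remembering before setting the depth much higher.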