[unisog] Password policies

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Wed Apr 19 18:01:27 GMT 2006


On Wed, 19 Apr 2006 13:11:50 EDT, Joseph Brennan said:

> Requiring frequent changes only pushes people to writing the passwords
> on sticky notes stuck to their monitors.  Is there any data to support
> the idea that changing every 3 months is better than changing every
> 3 decades?  If a stolen password hasn't been used in a few days, will
> it ever be used?

Attached is a recent, very cogent posting by Gene Spafford on the Educause list
on this very topic. The bottom line is that the "force password changes" mantra
dates back 3 decades to a different environment with a different threat model....
-------------- next part --------------
An embedded message was scrubbed...
From: Gene Spafford <spaf at CERIAS.PURDUE.EDU>
Subject: Re: [SECURITY] Password Expiration
Date: Mon, 10 Apr 2006 22:25:39 -0400
Size: 10339
Url: http://www.dshield.org/pipermail/unisog/attachments/20060419/a9bbd57b/attachment-0001.eml