[unisog] Password policies

William Yang wyang at gcfn.net
Sun Apr 30 10:36:20 GMT 2006


Joseph Brennan wrote:
> Requiring frequent changes only pushes people to writing the passwords
> on sticky notes stuck to their monitors.  Is there any data to support
> the idea that changing every 3 months is better than changing every
> 3 decades?  If a stolen password hasn't been used in a few days, will
> it ever be used?

I think the better question to get data on is "what cost does it impose 
to change passwords every 3 months?"  I'm pretty sure TruSecure has data 
on that question in the corporate world, and the cost proposition for 
password support was surprisingly high.

Once you know what it costs, the next question is "what is the cost of 
dealing with a password breach on a user account."  "How effectively 
will quarterly changes prevent that cost from occurring?"

Is there sufficient value to justify the activity?

Password strength is a common point of entry... but, unfortunately, 
there are many cases where this approach just costs money without 
bringing value to the situation.  There's a big difference in the value 
proposition between protecting root/admin passwords with a strong 
policy, and protecting every unprivileged end-user's POP3 account.

	-Bill
-- 
William Yang
wyang at gcfn.net
