[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?
feenberg at nber.org
Mon May 7 12:25:42 GMT 2007
On Sun, 6 May 2007, Ali, Saqib wrote:
> May I ask why you are looking for such a study? Is it to make a case
> in favor of periodic password changes?
> Static passwords just don't work anymore. Whether you change them on a
> weekly basis or not. The era of providing security using static
> passwords has ended.
> You should look into One time password tokens. They used to be
> expensive (>$65) but not anymore. Entrust has the OTP tokens for $5.
I saw that page some weeks ago, but there isn't any indication of what
the associated software might cost, so I dismissed it without further
investigation. Perhaps it was unfair of me, but I assumed that the $5
token required a $50,000 server software license. Has anyone here made
inquiries? Can anyone say what it might actually cost to implement such a
system on a Linux or FreeBSD system?
It is possible the $5 each offer is genuine, as the specification shows it
supports "open authentication (Oath)", but it would surprise me if that
meant free as in beer.
I note that in the small print it does solicit "pre-orders" by email, but
they are not shipping yet.
> P.S. I am in no way associated with entrust.
> On 5/6/07, Gary Dobbins <dobbins at nd.edu> wrote: