[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Daniel Feenberg feenberg at nber.org
Mon May 7 12:25:42 GMT 2007

On Sun, 6 May 2007, Ali, Saqib wrote:

> Gary,
> May I ask why you are looking for such a study? Is it to make a case
> in favor for periodic password changes?
> Static passwords just don't work anymore. Whether you change them on a
> weekly basis or not. The era of providing security using static
> passwords has ended.
> You should look into One time password tokens. They used to be
> expensive (>$65) but not anymore. Entrust has the OTP tokens for $5.
> See:
> http://www.entrust.com/strong-authentication/identityguard/tokens/index.htm

I saw that page some weeks ago, but there isn't any indication of what 
the associated software might cost, so I dismissed it without further 
investigation. Perhaps it was unfair of me, but I assumed that the $5 
token required a $50,000 server software license. Has anyone here made 
inquiries? Can anyone say what it might actually cost to implement such a 
system on a Linux or FreeBSD system?

It is possible the $5 each offer is genuine, as the specification shows it 
supports "open authentication (Oath)", but it would surprise me if that 
meant free as in beer.

I note that in the small print it does solicit "pre-orders" by email, but 
they are not shipping yet.

Daniel Feenberg

> saqib
> http://www.full-disk-encryption.net
> P.S. I am in no way associated with entrust.
> On 5/6/07, Gary Dobbins <dobbins at nd.edu> wrote:

