[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?
michael.holstein at csuohio.edu
Mon May 7 12:50:28 GMT 2007
Drat .. fat-fingered it.
What I meant was ..
(and this says nothing of the many times we've all been into somebody's
office and seen the password on a post-it attached to the monitor).
2-factor auth you say? .. The same thing will happen with smartcards ..
we'll see them in the desk drawer, post-it attached.
That said, forcing changes does at least reduce the window that a
potential attacker has to brute-force the hashed password .. but then
again, I'm sure most of you have tried L0phtcrack against a domain and
watched as like >80% are found in under a day.
Michael Holstein CISSP GCIA
Cleveland State University
Michael Holstein wrote:
>> Anyone have a citation for an academic research study on whether
>> mandatory password expiration and changes increase security?
> The main problem with this is (as always) the human element.
> People will choose a sufficiently complex password to satisfy your
> filter, and then just get annoyed at changing it. eg:
> (and then)