[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Valdis.Kletnieks at vt.edu
Mon May 7 18:07:23 GMT 2007


On Mon, 07 May 2007 10:28:00 PDT, Karyn Williams said:
> Considering that almost all cracks are being done remotely, Post-It notes
> seem to be the least of our worries.

Alternate interpretation:

Your security systems correctly notice a logon from Zanzibar or similar
remote location, to a userid that properly should logon only from campus.

Your security system totally fails to flag a Bad Guy(TM) who logs onto
such a userid from on campus, after they snag the password from the Post-It
or shoulder-surfing.

Quick test - if a userid logged on from a location 3 cubicles over from the
user's assigned office area, would you notice/flag it?
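
The gap described in the message above, as an added example that is not part of the original post: a check that only separates on-campus from off-campus sources, next to a per-user baseline of the assigned office area, run over constructed logon records. The address ranges, userids, and function names are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample data: campus address space and each user's assigned
# office subnet (all values are illustrative assumptions).
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")
ASSIGNED_SUBNET = {
    "alice": ipaddress.ip_network("10.20.4.0/28"),
    "bob": ipaddress.ip_network("10.20.9.0/28"),
}

# Constructed logon records: (userid, source address).
LOGONS = [
    ("alice", "10.20.4.5"),     # from her own office area
    ("alice", "203.0.113.77"),  # remote, off campus
    ("alice", "10.20.4.37"),    # on campus, a few cubicles over
    ("bob", "10.20.9.3"),       # from his own office area
]


def flag_off_campus(user, src):
    """Coarse check: flag only sources outside the campus range."""
    return ipaddress.ip_address(src) not in CAMPUS_NET


def flag_outside_assigned_area(user, src):
    """Per-user baseline: flag any source outside the user's assigned subnet."""
    subnet = ASSIGNED_SUBNET.get(user)
    # A userid with no baseline cannot be judged normal, so flag it for review.
    return subnet is None or ipaddress.ip_address(src) not in subnet


def evaluate(logons):
    """Return (user, src, coarse_flag, baseline_flag) for each logon record."""
    return [
        (u, s, flag_off_campus(u, s), flag_outside_assigned_area(u, s))
        for u, s in logons
    ]


if __name__ == "__main__":
    for user, src, coarse, baseline in evaluate(LOGONS):
        print(f"{user:6} {src:15} off_campus={coarse!s:5} outside_area={baseline}")
```
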