[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Stephen John Smoogen smooge at unm.edu
Mon May 7 18:53:59 GMT 2007

Valdis.Kletnieks at vt.edu wrote:
> On Mon, 07 May 2007 10:28:00 PDT, Karyn Williams said:
>> Considering that almost all cracks are being done remotely, Post-It notes
>> seem to be the least of our worries.
> Alternate interpretation:
> Your security systems correctly notice a logon from Zanzibar or similar
> remote location, to a userid that properly should logon only from campus.
> Your security system totally fails to flag a Bad Guy(TM) who logs onto
> such a userid from on campus, after they snag the password from the Post-It
> or shoulder-surfing.
> Quick test - if a userid logged on from a location 3 cubicles over from the
> user's assigned office area, would you notice/flag it?

And how many organizations have a culture that would think that was
important to flag/care about? Most universities wouldn't worry about it
even if it showed up in 2 countries at once... until some research paper
gets 'scooped', funding is lost, or a lawsuit is launched. Many
corporations are in the same boat... as the idea of how interconnected
and vulnerable computers are is overwhelming and easier to consider
'Somebody Else's Problem'.

Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-7343  Email: smooge at unm.edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"
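
The "quick test" in the quoted message and the two-countries case in the reply, sketched as detection logic. This is an added example, not part of the original messages; the users, subnets and events are constructed, and it assumes a user's assigned office area can be approximated by a network segment.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration (documentation IP ranges).
CAMPUS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
ASSIGNED = {"alice": ip_network("192.0.2.0/28"),      # alice's office segment
            "bob": ip_network("198.51.100.16/28")}    # bob's office segment
WINDOW = timedelta(hours=1)  # two countries inside this window is implausible

EVENTS = [  # (timestamp, user, source IP, GeoIP country)
    ("2007-05-07T09:00:00", "alice", "192.0.2.5", "US"),    # own office
    ("2007-05-07T09:20:00", "alice", "192.0.2.70", "US"),   # on campus, wrong area
    ("2007-05-07T09:30:00", "bob", "198.51.100.20", "US"),  # own office
    ("2007-05-07T09:45:00", "bob", "203.0.113.9", "TZ"),    # remote, 15 min later
]

def classify(user, src):
    """Say where a logon came from relative to the user's assigned area."""
    ip = ip_address(src)
    if not any(ip in net for net in CAMPUS):
        return "off-campus"
    assigned = ASSIGNED.get(user)
    if assigned is None or ip not in assigned:
        return "on-campus-unassigned"   # the case a remote-only check misses
    return "assigned"

def detect(events):
    """Return a list of (user, timestamp, reason) for logons worth a look."""
    alerts, last_seen = [], {}
    for ts, user, src, country in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        where = classify(user, src)
        if where != "assigned":
            alerts.append((user, ts, where))
        prev = last_seen.get(user)
        if prev and prev[1] != country and when - prev[0] <= WINDOW:
            alerts.append((user, ts, "concurrent-countries"))
        last_seen[user] = (when, country)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A check that only looks at whether the source is on campus would raise the two alerts for bob and stay silent on alice's 09:20 logon.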
