[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Stephen John Smoogen smooge at unm.edu
Mon May 7 18:53:59 GMT 2007


Valdis.Kletnieks at vt.edu wrote:
> On Mon, 07 May 2007 10:28:00 PDT, Karyn Williams said:
>> Considering that almost all cracks are being done remotely, Post-It notes
>> seem to be the least of our worries.
> 
> Alternate interpretation:
> 
> Your security systems correctly notice a logon from Zanzibar or similar
> remote location, to a userid that properly should logon only from campus.
> 
> Your security system totally fails to flag a Bad Guy(TM) who logs onto
> such a userid from on campus, after they snag the password from the Post-It
> or shoulder-surfing.
> 
> Quick test - if a userid logged on from a location 3 cubicles over from the
> user's assigned office area, would you notice/flag it?
> 

And how many organizations have a culture that would think that was
important to flag/care about? Most universities wouldn't worry about it
even if it showed up in 2 countries at once... until some research paper
gets 'scooped', funding is lost, or a lawsuit is launched. Many
corporations are in the same boat.. as the idea of how interconnected
and vulnerable computers are is overwhelming and easier to consider
'Somebody Else's Problem'.

-- 
Stephen Smoogen -- ITS/Linux Administrator
  MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
  Phone: (505) 277-7343  Email: smooge at unm.edu
 How far that little candle throws his beams! So shines a good deed
 in a naughty world. = Shakespeare. "The Merchant of Venice"
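
The check discussed in this message, as an added example that is not part of the original post: a small detector that flags remote logons to campus-only userids, on-campus logons from a workstation other than the assigned one, and logons from two countries within a short window. The host names, event format, one-hour window and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: assigned workstation per userid, and logon events.
ASSIGNED = {"alice": "bldg2-cube14", "bob": "bldg5-cube03"}
CAMPUS_ONLY = {"alice", "bob"}
EVENTS = [  # (ISO time, userid, source host or "remote", country)
    ("2007-05-07T09:00:00", "alice", "bldg2-cube14", "US"),
    ("2007-05-07T09:05:00", "alice", "bldg2-cube17", "US"),  # 3 cubicles over
    ("2007-05-07T10:00:00", "bob", "bldg5-cube03", "US"),
    ("2007-05-07T10:20:00", "bob", "remote", "TZ"),          # off campus
]
WINDOW = timedelta(hours=1)  # assumed threshold for "two countries at once"


def flag_logons(events, assigned=ASSIGNED, campus_only=CAMPUS_ONLY, window=WINDOW):
    """Return a list of (time, userid, reason) for logons worth a look."""
    findings = []
    last_seen = {}  # userid -> (time, country) of the previous logon
    for ts, user, source, country in sorted(events):
        when = datetime.fromisoformat(ts)
        if source == "remote" and user in campus_only:
            # The case most sites already catch: off-campus use of a local-only id.
            findings.append((ts, user, "remote logon to campus-only userid"))
        elif source != "remote" and assigned.get(user) not in (None, source):
            # The case the thread says is missed: right campus, wrong desk.
            findings.append(
                (ts, user, f"on-campus logon from {source}, assigned {assigned[user]}"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and when - prev[0] <= window:
            findings.append(
                (ts, user, f"logons from {prev[1]} and {country} within {window}"))
        last_seen[user] = (when, country)
    return findings


if __name__ == "__main__":
    for finding in flag_logons(EVENTS):
        print(*finding, sep=" | ")
```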

