[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Karyn Williams karyn at calarts.edu
Mon May 7 19:30:11 GMT 2007

At 02:07 PM 5/7/07 -0400, Valdis.Kletnieks at vt.edu wrote:
>On Mon, 07 May 2007 10:28:00 PDT, Karyn Williams said:
>> Considering that almost all cracks are being done remotely, Post-It notes
>> seem to be the least of our worries.
>Alternate interpretation:
>Your security systems correctly notice a logon from Zanzibar or similar
>remote location, to a userid that properly should logon only from campus.
>Your security system totally fails to flag a Bad Guy(TM) who logs onto
>such a userid from on campus, after they snag the password from the Post-It
>or shoulder-surfing.

>Quick test - if a userid logged on from a location 3 cubicles over from the
>user's assigned office area, would you notice/flag it?


We have staff, faculty, and students who may well login from Zanzibar on
Sunday and from on campus on Tuesday. Actually Korea might be more likely.
As well, they may login from multiple computers in the same day on campus.
Many students have two personal computers, one in their dorm room, one in
their studio. 


Karyn Williams
Network Services Manager
California Institute of the Arts
karyn at calarts.edu

