[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?
cgaylord at vt.edu
Wed May 9 03:44:56 GMT 2007
> Karyn Williams wrote:
>> We recently enabled a system to block the ssh brute force crack. Within 48
>> hours we had legit users blocked. I thought we had set up very generous
>> limits, 10 wrong attempts on a valid account before blocking, 2 wrong on a
>> non-existent account. Who'd have thunk that that many users don't even know
>> their login name? It's a waste on systems open to users.
All lockout methods become a DoS. If you just enforce pacing of ssh
sessions, you win.
Users tend to have enough of a clue that they can recognize the wisdom
of the IT staff helping them choose a good password and the stupidity of
the IT staff who think making them try to remember a different good
password every month is a Good Thing.
When your users roll their eyes at you before you explain a security
policy, it can be a teaching moment for them. When they roll their eyes
*after* you explain it, it should be a teaching moment for you.
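The two approaches contrasted in the reply, as an added illustration that is not code from the thread: an account lockout using the quoted limits (10 failures on a valid account, 2 on a non-existent one) versus per-source pacing with a token bucket. The accounts, addresses and event stream are constructed; the burst and refill rate are assumed values.

```python
from collections import Counter, defaultdict

VALID_ACCOUNTS = {"alice", "bob"}          # constructed sample accounts


class AccountLockout:
    """Lock an account after N failures, whoever caused them (the thread's limits)."""

    def __init__(self, valid_limit=10, invalid_limit=2):
        self.limits = (valid_limit, invalid_limit)
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, src, user, password_ok, now):
        if user in self.locked:
            return "blocked"          # the real owner is refused too: the DoS
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        limit = self.limits[0] if user in VALID_ACCOUNTS else self.limits[1]
        if self.failures[user] >= limit:
            self.locked.add(user)
        return "denied"


class SourcePacing:
    """Token bucket per source address: `burst` attempts, refilled at `rate`/s.
    Excess attempts from one source are throttled; no account is ever locked."""

    def __init__(self, burst=4, rate=0.5):   # assumed values
        self.burst, self.rate = burst, rate
        self.buckets = {}             # src -> (tokens, last_seen)

    def attempt(self, src, user, password_ok, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[src] = (tokens, now)
            return "throttled"
        self.buckets[src] = (tokens - 1, now)
        return "ok" if password_ok else "denied"


# Constructed event stream: (time, source, user, password_ok).
# A scanner hammers alice's account; alice then logs in from her own address.
EVENTS = [(t, "203.0.113.5", "alice", False) for t in range(10)]
EVENTS.append((20, "198.51.100.7", "alice", True))


def run(policy, events=EVENTS):
    """Return outcome counts per source so the two policies can be compared."""
    out = defaultdict(Counter)
    for t, src, user, ok in events:
        out[src][policy.attempt(src, user, ok, t)] += 1
    return {src: dict(c) for src, c in out.items()}
```

Under the lockout policy the scanner's ten failures leave alice's own later login blocked; under pacing the scanner is throttled and alice logs in normally.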