[unisog] Anyone have a citation for an academic research study onwhether mandatory password changes increase security?

Clark Gaylord cgaylord at vt.edu
Wed May 9 03:44:56 GMT 2007

> Karyn Williams wrote:
>> We recently enabled a system to block the ssh brute force crack. Within 48
>> hours we had legit users blocked. I thought we had set up very generous
>> limits, 10 wrong attempts on a valid account before blocking, 2 wrong on a
>> non-existent account. Who'd have thunk that that many users don't even know
>> their login name ? It's a waste on systems open to users. 

All lockout methods become a dos. If you just enforce pacing of ssh 
sessions, you win.

Users tend to have enough of a clue that they can recognize the wisdom 
of the IT staff helping them choose a good password and the stupidity of 
the IT staff who think making them try to remember a different good 
password every month is a Good Thing.

When your users roll their eyes at you before you explain a security 
policy, it can be a teaching moment for them. When they roll their eyes 
*after* you explain it, it should be a teaching moment for you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sans.org/pipermail/unisog/attachments/20070508/ab11df09/attachment.htm 

More information about the unisog mailing list