[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Karyn Williams karyn at calarts.edu
Wed May 9 17:43:45 GMT 2007


At 11:44 PM 5/8/07 -0400, Clark Gaylord wrote: 
>>>>

Karyn Williams wrote:
   
We recently enabled a system to block the ssh brute force crack. Within 48
hours we had legit users blocked. I thought we had set up very generous
limits, 10 wrong attempts on a valid account before blocking, 2 wrong on a
non-existent account. Who'd have thunk that that many users don't even know
their login name? It's a waste on systems open to users. 
     
All lockout methods become a dos. If you just enforce pacing of ssh
sessions, you win.

Users tend to have enough of a clue that they can recognize the wisdom of
the IT staff helping them choose a good password and the stupidity of the
IT staff who think making them try to remember a different good password
every month is a Good Thing.

When your users roll their eyes at you before you explain a security
policy, it can be a teaching moment for them. When they roll their eyes
*after* you explain it, it should be a teaching moment for you.

--ckg
_______________________________________________ 
unisog mailing list 
unisog at lists.dshield.org 
https://lists.sans.org/mailman/listinfo/unisog
<<<<

You are correct. 

What rate do you (anyone) find to be workable for ssh? Do you do it on the
host or a firewall and is there a reason in terms of performance for one
over the other?
-- 

Karyn Williams
Network Services Manager
California Institute of the Arts
karyn at calarts.edu
http://www.calarts.edu/network
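A small simulation of the two policies the thread contrasts, added here as an illustration and not code from either poster: per-account lockout (the 10-wrong-attempts rule) versus per-source pacing of new ssh connections. The event log, addresses and thresholds are constructed.

```python
from collections import defaultdict, deque

# Constructed event log: (seconds, source_ip, username, password_correct).
# 203.0.113.9 keeps guessing "alice"; the real alice connects from 198.51.100.7.
EVENTS = [(t, "203.0.113.9", "alice", False) for t in range(0, 24, 2)]  # 12 bad tries
EVENTS += [(25, "198.51.100.7", "alice", True),   # real user, right password
           (26, "198.51.100.7", "alice", True)]
EVENTS.sort()


def per_account_lockout(events, max_failures=10):
    """Lockout policy from the thread: lock the account after N wrong guesses,
    no matter who made them. Returns a verdict for every event."""
    failures = defaultdict(int)
    locked = set()
    verdicts = []
    for _t, _ip, user, ok in events:
        if user in locked:
            verdicts.append("blocked")        # even the right password is refused
        elif ok:
            verdicts.append("accepted")
        else:
            failures[user] += 1
            if failures[user] >= max_failures:
                locked.add(user)              # attacker has now locked out alice
            verdicts.append("rejected")
    return verdicts


def per_source_pacing(events, max_conn=3, window=10):
    """Pacing policy the reply recommends: allow at most max_conn new ssh
    connections per `window` seconds from one source address (the effect of
    iptables recent/hashlimit style rules). The account is never locked."""
    recent = defaultdict(deque)               # source_ip -> timestamps in window
    verdicts = []
    for t, ip, _user, ok in events:
        q = recent[ip]
        while q and t - q[0] >= window:       # expire timestamps outside the window
            q.popleft()
        if len(q) >= max_conn:
            verdicts.append("dropped")        # connection throttled, no auth attempt
            continue
        q.append(t)
        verdicts.append("accepted" if ok else "rejected")
    return verdicts
```

With the lockout policy the legitimate user's two correct logins come back "blocked"; with pacing they are accepted while the guessing source is throttled.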