On Nov 29, 2007, at 10:57 AM, Michael O'Keefe wrote:
I've never understood password aging.
If your system is so fragile that it cannot withstand users keeping
their passwords indefinitely, I'd be looking at the system's
fragility, not password rotation.
Passwords, like all data, eventually leak out.
Previous exploitations of systems on UCSD's campus have come up to
6-12 months after a password was captured; a 3-month password
expiration policy would have prevented a good number of those "walk
in the front door" exploits with stolen credentials.
It's not crazy to think that there is lag time between capturing a
data stream that might contain credentials, and processing that
stream to pull the credentials out. If the person doing it is doing
it on a large number of hosts (hello, botnets), it can take even
longer before the information is correlated and put to use to gain
access to those systems.
Password aging is just another layer in the security cake, even if it
primarily makes up for shortcomings in other places.
Gregory
--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
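The argument above (a stolen password is only useful until the victim is forced to change it) can be checked with a small model. The following is an added example, not code from the list or from either author; the incidents in SAMPLE_INCIDENTS are constructed, with lags loosely matching the 6-12 months described, and are not real UCSD cases. Days are counted from an arbitrary epoch.

```python
"""Model how a maximum password age limits the usefulness of captured credentials.

Added example for the password-aging thread; not code from the list.
SAMPLE_INCIDENTS is constructed data, not real incidents.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CapturedCredential:
    """One stolen credential and the three dates that matter for it."""
    label: str
    last_set_day: int   # day the victim last set this password
    captured_day: int   # day the credential left the victim's control
    used_day: int       # day the attacker actually tried it


def still_valid_when_used(cred: CapturedCredential, max_age_days: Optional[int]) -> bool:
    """True if the stolen password is still the current one on used_day.

    With a maximum age of max_age_days, the password set on last_set_day is
    replaced on last_set_day + k*max_age_days for k = 1, 2, ... A change that
    falls on used_day itself is treated as happening before the attempt.
    max_age_days=None models a system with no expiry.
    """
    if cred.captured_day < cred.last_set_day or cred.used_day < cred.captured_day:
        raise ValueError(f"{cred.label}: inconsistent timeline")
    if max_age_days is None or max_age_days <= 0:
        return True  # no expiry: a stolen password works forever
    # Count forced changes in the window (captured_day, used_day].
    changes = ((cred.used_day - cred.last_set_day) // max_age_days
               - (cred.captured_day - cred.last_set_day) // max_age_days)
    return changes == 0


def blocked_fraction(creds: List[CapturedCredential], max_age_days: Optional[int]) -> float:
    """Fraction of captured credentials that are already dead when the attacker uses them."""
    if not creds:
        return 0.0
    blocked = sum(not still_valid_when_used(c, max_age_days) for c in creds)
    return blocked / len(creds)


# Constructed incidents (hypothetical labels), not real cases.
SAMPLE_INCIDENTS = [
    CapturedCredential("sniffed-on-wifi", last_set_day=0, captured_day=20, used_day=200),    # ~6 month lag
    CapturedCredential("keylogger-dump", last_set_day=0, captured_day=45, used_day=400),     # ~12 month lag
    CapturedCredential("phished-same-week", last_set_day=0, captured_day=10, used_day=15),   # used almost at once
    CapturedCredential("botnet-backlog", last_set_day=30, captured_day=100, used_day=330),  # correlated months later
]


if __name__ == "__main__":
    for policy in (None, 365, 90):
        name = "no expiry" if policy is None else f"{policy}-day max age"
        print(f"{name:>16}: {blocked_fraction(SAMPLE_INCIDENTS, policy):.0%} of stolen credentials dead before use")
    for c in SAMPLE_INCIDENTS:
        print(f"  {c.label:<18} lag={c.used_day - c.captured_day:>3}d "
              f"valid under 90-day policy: {still_valid_when_used(c, 90)}")
```

Running it shows the two sides of the thread in one table: with no expiry every stolen credential is live whenever it is eventually used, a 90-day maximum age kills three of the four constructed incidents, and the one that survives is the credential used within days of capture. Rotation does nothing against prompt reuse; its value is against the delayed, batch-processed reuse Gregory describes, which is why it is a layer rather than a fix.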