Changes of 2 or 3 times a year are fine.

How often do you change the pin on your bank/debit/credit card?

Password resets constitute the greatest consumption of time for most
helpdesks, and an overall drain on productivity when people can't access
what they need in a timely fashion because they're managing
1,000,000,000,000 accounts.  Deliberately introducing such changes to an
environment when the safety factor is negligible at best for the threats
being faced is counterproductive.

What companies need to do is make sure that no shared passwords are in use,
and that when employees leave, any passwords associated with them are
disabled. *This* would address the largest vector of re-entry to a network
using legitimate credentials -- ex-employees.


-ASB: http://XeeSM.com/AndrewBaker


On Fri, Apr 16, 2010 at 10:40 AM, John Hornbuckle <john.hornbuc...@taylor.k12.fl.us> wrote:

> Is your position that passwords should never be changed?
>
> *From:* Malcolm Reitz [mailto:malcolm.re...@live.com]
> *Sent:* Friday, April 16, 2010 10:25 AM
>
> *To:* NT System Admin Issues
> *Subject:* RE: please don't change your password!
>
> Passwords of sufficient complexity mitigate the threat of brute-force
> attacks without having to be changed. And, if you know a user’s password
> this month, you are probably 95% of the way to knowing his password next
> month (change a digit at the end, pick the next kid’s name, etc.).
>
> -Malcolm
>
> *From:* John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> *Sent:* Friday, April 16, 2010 07:52
> *To:* NT System Admin Issues
> *Subject:* RE: please don't change your password!
>
> There’s a flaw in the logic.
>
> The Globe article states:
>
> “ . . . [U]sers are admonished to change passwords regularly, but redoing
> them is not an effective preventive step against online infiltration unless
> the cyber attacker (or evil colleague) who steals your sign-in sequence
> waits to employ it until after you’ve switched to a new one, Herley wrote.
> That’s about as likely as a crook lifting a house key and then waiting until
> the lock is changed before sticking it in the door.”
>
> This fails to consider the situation where a user’s password is compromised
> and the bad guy accesses the user’s information on an ongoing basis. For
> instance, monitoring a folder that contains files with information about
> patent filings to see when new files show up, or logging into OWA to keep
> an eye on e-mail messages. The unauthorized access will end once the
> password is changed (assuming a variety of other factors, such as the bad
> guy not getting the new password, etc.), and thus requiring regular password
> changes can be of value.
>
> Similarly, regular password changes can mitigate the risk from brute-force
> attacks. If a password has to be changed every 60 days, for instance, the
> bad guy will only have 60 days to try to determine the user’s password. This
> is generally considered to be better than the bad guy having an infinite
> amount of time to try to determine it.
>
> John Hornbuckle
> MIS Department
> Taylor County School District
> www.taylor.k12.fl.us
>
> *From:* Brian Clark [mailto:brianclark2...@googlemail.com]
> *Sent:* Thursday, April 15, 2010 4:38 PM
> *To:* NT System Admin Issues
> *Subject:* please don't change your password!
>
> After a long week doing a SBS migration I didn't know how to take this
> article and needed to share it!!
>
> http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=1
>
> Brian
>
> NOTICE: Florida has a broad public records law. Most written communications 
> to or from this entity are public records that will be disclosed to the 
> public and the media upon request. E-mail communications may be subject to 
> public disclosure.
>
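The two quantitative claims in the quoted exchange, that a 60-day rotation window limits how long a guessing attacker has, and that knowing this month's password gets you about 95% of the way to next month's, can be put into numbers. The Python model below is an added example and is not code from anyone on the list. The guess rate, the character sets, the one-year horizon and the policy names are constructed assumptions chosen for illustration; the 95% carry-over figure is Malcolm's estimate from the thread, used here as a parameter.

```python
"""Model of the password-rotation trade-off argued in the thread above.

Added example; every rate and policy value here is a constructed assumption
used for illustration, not a measurement of any real environment.
"""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    alphabet_size: int            # characters the password may be drawn from
    length: int                   # password length in characters
    rotation_days: Optional[int]  # None: the password is never rotated

    @property
    def keyspace(self) -> int:
        """Number of equally likely passwords under this policy."""
        return self.alphabet_size ** self.length


def guesses_in_window(guess_rate_per_second: float, days: float) -> float:
    """Distinct guesses an attacker working at a constant rate makes in `days`."""
    return guess_rate_per_second * days * SECONDS_PER_DAY


def compromise_probability(policy: PasswordPolicy,
                           guess_rate_per_second: float,
                           horizon_days: float) -> float:
    """Probability that an attacker guessing at a constant rate finds the
    password at some point within `horizon_days`.

    Assumptions (constructed): the password is a uniform draw from the
    keyspace, guesses are distinct, and a rotation produces a fresh uniform
    draw, so the attacker's progress resets at every rotation.
    """
    window = horizon_days if policy.rotation_days is None else policy.rotation_days
    window = min(window, horizon_days)
    # Probability of success within one rotation cycle: guesses made / keyspace.
    per_cycle = min(1.0, guesses_in_window(guess_rate_per_second, window) / policy.keyspace)
    cycles = horizon_days / window
    # Cycles are independent, so P(at least one success) = 1 - (1 - p)^cycles.
    return 1.0 - (1.0 - per_cycle) ** cycles


def expected_exposure_days(rotation_days: Optional[int],
                           horizon_days: float,
                           carryover_probability: float = 0.0) -> float:
    """Expected number of days a silently stolen password keeps working.

    The theft happens at a uniformly random moment within a rotation cycle,
    so on average half a cycle remains.  `carryover_probability` models the
    point that an attacker who knows the old password often guesses the new
    one (digit bumped, next kid's name); each successful carry-over adds a
    full cycle, giving a geometric series.  Exposure is capped at the horizon,
    the point at which something else (e.g. detection) is assumed to end it.
    """
    if rotation_days is None:
        return horizon_days
    if not 0.0 <= carryover_probability < 1.0:
        raise ValueError("carryover_probability must be in [0, 1)")
    expected = rotation_days / 2 + rotation_days * carryover_probability / (1.0 - carryover_probability)
    return min(expected, horizon_days)


if __name__ == "__main__":
    RATE = 10.0      # constructed: online guesses per second that evade lockout
    HORIZON = 365.0  # constructed: one year of attacker effort
    for policy in (
        PasswordPolicy("weak, rotated every 60 days", 26, 6, 60),
        PasswordPolicy("weak, never rotated", 26, 6, None),
        PasswordPolicy("complex, rotated every 60 days", 95, 8, 60),
        PasswordPolicy("complex, never rotated", 95, 8, None),
    ):
        p = compromise_probability(policy, RATE, HORIZON)
        print(f"{policy.name:32s} P(guessed within a year) = {p:.3g}")
    for q in (0.0, 0.95):
        days = expected_exposure_days(60, HORIZON, q)
        print(f"stolen password, 60-day rotation, carry-over {q:.0%}: useful for ~{days:.0f} days")
```

Running it shows both sides of the argument at once: for a six-character lowercase password a 60-day rotation cuts the one-year compromise probability from certain to about two thirds, while for an eight-character mixed password the probability is negligible with or without rotation, which is Malcolm's point that complexity does the work. The exposure model shows John's "ongoing access" benefit (about 30 days of remaining access on average) evaporating once the attacker can predict the successor password, because a 95% carry-over rate stretches the expected exposure past the horizon.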
