RE: please don't change your password!

2010-04-16 Thread John Hornbuckle
ys is generally better than 120 days, and so on. John From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Friday, April 16, 2010 3:47 PM To: NT System Admin Issues Subject: Re: please don't change your password! Again, how much risk are you mitigating in 30 days vs 60? (Or 15 vs 30-45?

RE: please don't change your password!

2010-04-16 Thread Charlie Kaiser
ience; low cost. Pick two... *** Charlie Kaiser charl...@golden-eagle.org Kingman, AZ *** > -Original Message- > From: Andrew S. Baker [mailto:asbz...@gmail.com] > Sent: Friday, April 16, 2010 12:47 PM > To: NT System Admin Issues >

Re: please don't change your password!

2010-04-16 Thread Andrew S. Baker
** > Charlie Kaiser > charl...@golden-eagle.org > Kingman, AZ > *** > > > -Original Message- > > From: Andrew S. Baker [mailto:asbz...@gmail.com] > > Sent: Friday, April 16, 2010 10:05 AM > > To: NT System Admin Issues >

RE: please don't change your password!

2010-04-16 Thread John Hornbuckle
ssues Subject: Re: please don't change your password! The paper on which the article is based is likely very flawed. For instance, it assumes that breaches conform to some sort of "average" cost, which is almost certainly not the case. Either you don't get hacked, and therefore don

Re: please don't change your password!

2010-04-16 Thread Kurt Buff
On Thu, Apr 15, 2010 at 13:37, Brian Clark wrote: > After a long week doing a SBS migration I didn't know how to take this > article and needed to share it!! > > http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=1 > > > Brian The paper on which t

RE: please don't change your password!

2010-04-16 Thread Charlie Kaiser
*** > -Original Message- > From: Andrew S. Baker [mailto:asbz...@gmail.com] > Sent: Friday, April 16, 2010 10:05 AM > To: NT System Admin Issues > Subject: Re: please don't change your password! > Almost every bad-guy is going to attempt to create a ba

Re: please don't change your password!

2010-04-16 Thread Andrew S. Baker
w that we’re adhering to the recommendations of the GAO and > the Florida Auditor General’s office. > > > > > > John > > > > > > > > *From:* Andrew S. Baker [mailto:asbz...@gmail.com] > *Sent:* Friday, April 16, 2010 1:05 PM > > *To:* NT System Adm

Re: please don't change your password!

2010-04-16 Thread Andrew S. Baker
LOL -ASB: http://XeeSM.com/AndrewBaker On Fri, Apr 16, 2010 at 1:35 PM, Angus Scott-Fleming wrote: > On 15 Apr 2010 at 21:51, Kurt Buff wrote: > > > 2) Long passphrases are considered by some to be not much better than > > relatively short passwords. The reasoning is thus: each word can be > >

RE: please don't change your password!

2010-04-16 Thread John Hornbuckle
. We're probably going to do better in court if we show that we're adhering to the recommendations of the GAO and the Florida Auditor General's office. John From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Friday, April 16, 2010 1:05 PM To: NT System Admin Issues Subject: Re

Re: please don't change your password!

2010-04-16 Thread Angus Scott-Fleming
On 15 Apr 2010 at 21:51, Kurt Buff wrote: > 2) Long passphrases are considered by some to be not much better than > relatively short passwords. The reasoning is thus: each word can be > considered a token, and the number of tokens is usually fairly small - > less than the number of letters in a l

Re: please don't change your password!

2010-04-16 Thread Andrew S. Baker
> > > John > > > > > > > > *From:* Andrew S. Baker [mailto:asbz...@gmail.com] > *Sent:* Friday, April 16, 2010 10:49 AM > > *To:* NT System Admin Issues > *Subject:* Re: please don't change your password! > > > > Okay, let's look at

Re: please don't change your password!

2010-04-16 Thread Andrew S. Baker
rmation, I wouldn’t. > > > > To reduce password reset requests here, we bought myPassword from > Namescape. Works great. > > > > > > > > John > > > > > > > > *From:* Andrew S. Baker [mailto:asbz...@gmail.com] > *Sent:* Friday, April 16,

Re: please don't change your password!

2010-04-16 Thread Jonathan Link
> > > *From:* Andrew S. Baker [mailto:asbz...@gmail.com] > *Sent:* Friday, April 16, 2010 10:49 AM > > *To:* NT System Admin Issues > *Subject:* Re: please don't change your password! > > > > Okay, let's look at it this way: > > > > Let's say th

RE: please don't change your password!

2010-04-16 Thread David Lum
+1 for self-service password reset tools +2 for myPassword Dave From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, April 16, 2010 8:07 AM To: NT System Admin Issues Subject: RE: please don't change your password! If an unauthorized person used my bank card P

RE: please don't change your password!

2010-04-16 Thread John Hornbuckle
Baker [mailto:asbz...@gmail.com] Sent: Friday, April 16, 2010 10:56 AM To: NT System Admin Issues Subject: Re: please don't change your password! Changes of 2 or 3 times a year are fine. How often do you change the pin on your bank/debit/credit card? Password resets constitute the greatest consumpti

RE: please don't change your password!

2010-04-16 Thread John Hornbuckle
etwork passwords. And personally, I don't find 60 days to be egregious. John From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Friday, April 16, 2010 10:49 AM To: NT System Admin Issues Subject: Re: please don't change your password! Okay, let's look at it this way: Le

Re: please don't change your password!

2010-04-16 Thread Andrew S. Baker
wrote: > Is your position that passwords should never be changed? > > > > > > > > > > *From:* Malcolm Reitz [mailto:malcolm.re...@live.com] > *Sent:* Friday, April 16, 2010 10:25 AM > > *To:* NT System Admin Issues > *Subject:* RE: please don'

Re: please don't change your password!

2010-04-16 Thread Andrew S. Baker
> > > > > > > > John > > > > > > > > > > > > *From:* Andrew S. Baker [mailto:asbz...@gmail.com] > *Sent:* Friday, April 16, 2010 10:14 AM > > *To:* NT System Admin Issues > *Subject:* Re: please don't change your password

RE: please don't change your password!

2010-04-16 Thread John Hornbuckle
Is your position that passwords should never be changed? From: Malcolm Reitz [mailto:malcolm.re...@live.com] Sent: Friday, April 16, 2010 10:25 AM To: NT System Admin Issues Subject: RE: please don't change your password! Passwords of sufficient complexity mitigate the threat of brute-

RE: please don't change your password!

2010-04-16 Thread Malcolm Reitz
open. -Malcolm From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Friday, April 16, 2010 09:14 To: NT System Admin Issues Subject: Re: please don't change your password! This fails to consider the situation where a user's password is compromised and the bad guy acce

RE: please don't change your password!

2010-04-16 Thread John Hornbuckle
easily be changed with a bit of training. John From: Andrew S. Baker [mailto:asbz...@gmail.com] Sent: Friday, April 16, 2010 10:14 AM To: NT System Admin Issues Subject: Re: please don't change your password! This fails to consider the situation where a user's password is comp

RE: please don't change your password!

2010-04-16 Thread Malcolm Reitz
-Malcolm From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Friday, April 16, 2010 07:52 To: NT System Admin Issues Subject: RE: please don't change your password! There's a flaw in the logic. The Globe article states: " . . . [U]sers are admon

Re: please don't change your password!

2010-04-16 Thread Andrew S. Baker
*This fails to consider the situation where a user’s password is compromised > and the bad guy accesses the user’s information on an ongoing basis. For > instance, monitoring a folder that contains files with information about > patent filings to see when new files show up, or logging into OWA to

RE: please don't change your password!

2010-04-16 Thread Michael B. Smith
2:44 AM To: NT System Admin Issues Subject: Re: please don't change your password! The three laws of thermodynamics: 1) You can't win 2) You can't break even 3) You can't get out of the game Heh. On Thu, Apr 15, 2010 at 14:36, Ben Scott wrote: > On Thu, Apr 15, 2010

RE: please don't change your password!

2010-04-16 Thread John Hornbuckle
There's a flaw in the logic. The Globe article states: " . . . [U]sers are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ i

Re: please don't change your password!

2010-04-16 Thread Andrew S. Baker
us/library/cc512613.aspx > > > > > > > > > > > > From: David Lum [mailto:david@nwea.org] > > Sent: Thursday, April 15, 2010 4:49 PM > > To: NT System Admin Issues > > Subject: RE: please don't change your password! > > > > >

Re: please don't change your password!

2010-04-15 Thread Kurt Buff
15, 2010 4:49 PM > To: NT System Admin Issues > Subject: RE: please don't change your password! > > > > Fortunately I have more than 60 days for each password (errr, passphrase > Sherry!). What gets screwy is when I hop from network to network since I > don’t use the same ones

Re: please don't change your password!

2010-04-15 Thread Kurt Buff
9764 > > > > From: Brian Clark [mailto:brianclark2...@googlemail.com] > Sent: Thursday, April 15, 2010 2:09 PM > To: NT System Admin Issues > Subject: Re: please don't change your password! > > > > Funny ones at that! Question is how often do you have to re-enter

Re: please don't change your password!

2010-04-15 Thread Kurt Buff
The three laws of thermodynamics: 1) You can't win 2) You can't break even 3) You can't get out of the game Heh. On Thu, Apr 15, 2010 at 14:36, Ben Scott wrote: > On Thu, Apr 15, 2010 at 4:37 PM, Brian Clark > wrote: >> After a long week doing a SBS migration I didn't know how to take this >>

RE: please don't change your password!

2010-04-15 Thread Crawford, Scott
To: NT System Admin Issues Subject: RE: please don't change your password! Fortunately I have more than 60 days for each password (errr, passphrase Sherry!). What gets screwy is when I hop from network to network since I don't use the same ones everywhere. My first long passwords

RE: please don't change your password!

2010-04-15 Thread David Lum
Thanks for the credit John! From: Jonathan Link [mailto:jonathan.l...@gmail.com] Sent: Thursday, April 15, 2010 1:50 PM To: NT System Admin Issues Subject: Re: please don't change your password! Although this research isn't the first to suggest it... Courtesy of David Lum 11/

RE: please don't change your password!

2010-04-15 Thread David Lum
ER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 From: Brian Clark [mailto:brianclark2...@googlemail.com] Sent: Thursday, April 15, 2010 2:09 PM To: NT System Admin Issues Subject: Re: please don't change your password! Funny ones at that! Question is how often do y

Re: please don't change your password!

2010-04-15 Thread Ben Scott
On Thu, Apr 15, 2010 at 4:37 PM, Brian Clark wrote: > After a long week doing a SBS migration I didn't know how to take this > article and needed to share it!! Long winded. Slightly sensationalist. For all he beaks about security people not having hard data to back up their advice, he doesn't

RE: please don't change your password!

2010-04-15 Thread Blackman, Woody
This is all based on a 2007 study of website access accounts (see link). Below is part of the response I sent my CIO when he forwarded it to me earlier today... The person who conducted the study is quoted as saying..." Start with bullet-proof

Re: please don't change your password!

2010-04-15 Thread Brian Clark
>> >> The person watching me really can’t believe how long this password is. >> >> >> >> Etc… >> >> >> >> I love how big people's eyes get when they see me typing in my 27 character >> Windows password, I HATE the systems that limit me to

Re: please don't change your password!

2010-04-15 Thread Sherry Abercrombie
> > > > > > *From:* Jon Harris [mailto:jk.har...@gmail.com] > *Sent:* Thursday, April 15, 2010 1:45 PM > *To:* NT System Admin Issues > *Subject:* Re: please don't change your password! > > > > Sounds like someone trying to generate reader interest and FUD. A

RE: please don't change your password!

2010-04-15 Thread David Lum
it me to 15 or less. Dave From: Jon Harris [mailto:jk.har...@gmail.com] Sent: Thursday, April 15, 2010 1:45 PM To: NT System Admin Issues Subject: Re: please don't change your password! Sounds like someone trying to generate reader interest and FUD. A quick search seems he likes controversia

Re: please don't change your password!

2010-04-15 Thread Micheal Espinola Jr
Please don't stop the music! -- ME2 On Thu, Apr 15, 2010 at 1:37 PM, Brian Clark wrote: > After a long week doing a SBS migration I didn't know how to take this > article and needed to share it!! > > > http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_passwor

Re: please don't change your password!

2010-04-15 Thread Jonathan Link
Although this research isn't the first to suggest it... Courtesy of David Lum 11/2/09 http://isc.sans.org/diary.html?storyid=7510 Thoughts, comments? Oh and do read the comments. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 On Thu,

Re: please don't change your password!

2010-04-15 Thread Jon Harris
Sounds like someone trying to generate reader interest and FUD. A quick search seems he likes controversial subjects/items. Since passwords are the de facto standard for most Internet sites for protection of customers, I see no reason for someone to keep the same password for ever. Unless you ar