On 2/24/2014 6:06 AM, Jean-Pierre van Melis <j...@mirmana.com> wrote:

> These people had these passwords for a long time (which in itself is wrong,
> of course).

I beg to differ... The most important thing to do is require *strong* passwords. The second most important thing to do is educate users on how phishing attacks work, and that they will *never* get an email with a link in it asking them to change or 'verify' their password or identity.

We assign all email passwords (strong, 15 random characters, users cannot change them), and have done so for the last 12+ years. Users (we generally have anywhere from 50-70 active email accounts) that have been here that long have had the exact same password that entire time. The only time I change someone's password is when they leave the company. The only other time I would ever change it is if their account was hacked, but thankfully, knock on wood, we've yet to have this happen. No, I'm not under the false impression that we are immune to it, but the fact is, it simply hasn't happened yet.

All frequent forced changing of passwords does is increase (sometimes dramatically, depending on the password requirements - the stronger the requirements, the more likely) the likelihood that users will write them down on post-it notes and stick them to their monitors.

--
Best regards,
Charles