On 2013-10-13 4:07 PM, Martin Vaeth <[email protected]> wrote:
> Like passwords, these sequences should better not stay the same for
> too long...
Forced changing of passwords (and I imagine the same can be said for
port-knocking sequences, which I've never implemented, but am intrigued
by, although I tend to avoid security-through-obscurity schemes)
periodically as a way to 'better security' is one of those myths that
just never seem to go away.
Enforcing strong passwords and a policy that no one is to ever write a
password down and put it in any publicly accessible place, and educating
users on how not to fall for phishing attacks, is the single most effective
way to keep things secure.
Then only change a password if/when an account is compromised.
This, combined with intelligent rate-limiting (with
notifications/warnings to admins if/when a user's account exceeds the limits),
is all you need.
In fact I go one step further... I assign passwords, and do not even
allow users to change them. I have always done this, and we have people
in this office that have had the same email password (on the same Gentoo
server) for 12+ years.
I know that I'm probably the exception to this rule, and it is more luck
than anything else, but we have never had an email account hacked (knock
on wood).
I'm certainly not saying we are immune, but the claim that passwords
should be forcibly changed for no reason other than the passage of some
arbitrary amount of time is just plain dumb.