Understood, but the point being made by the SANS.org incident handler is that unless you are changing the password often, you're not really helping yourself be more secure. The window of time where the password is static is more than long enough to be brute-forced.
The likelihood is that the attacker will get in because the password is dumb (something you can somewhat control) or that they will enter via some variant of social engineering and get themselves elevated rights.

*Think about it:* Of all the exploits that are in the wild today, how many of them rely on obtaining the user's password to be successful? How many of the millions of systems currently employed as members of botnets ended up there *because* their password was compromised? Are we adding any value beyond possible helpdesk statistics (from all the password resets immediately after a change cycle) by frequent password changes?

*ASB* (My XeeSM Profile) <http://xeesm.com/AndrewBaker>
*Providing Competitive Advantage through Effective IT Leadership*

On Tue, Nov 3, 2009 at 5:16 PM, Jonathan Link <[email protected]> wrote:
> My context is recycling passwords across different environments and I
> neglected to mention that I do enforce a password history.
>
> Password age in that context will at least force a user to create a
> different password, hopefully different from the one that is being used on
> other sites the user frequents. It's an imperfect tool, but it's the only
> tool I have. Education, in my experience, hasn't been sufficient to
> encourage users to not use the same password for multiple sites.
>
> On Tue, Nov 3, 2009 at 3:45 PM, Andrew S. Baker <[email protected]> wrote:
>
>> But how does password age help with your environment's security?
>>
>> (BTW, you can control recycling in a Windows environment through password
>> history)
>>
>> *ASB* (My XeeSM Profile) <http://xeesm.com/AndrewBaker>
>> *Providing Competitive Advantage through Effective IT Leadership*
>>
>> On Tue, Nov 3, 2009 at 3:13 PM, Jonathan Link <[email protected]> wrote:
>>
>>> If all environments were equally secure, had the same level of IT
>>> controls, and I could ensure that my users don't recycle passwords from one
>>> environment to the next, then yes, I'm all for this. But, I can't control
>>> users or other environments, and the only tools I have (imperfect though
>>> they may be) are password complexity and password age. Password complexity
>>> is a necessity everywhere; if a user chooses to use it or not in
>>> environments which don't require it then, so be it, but in our environment I
>>> can ensure that. I can't control the recycling, so the only tool I have
>>> against that is the password age, which has another set of problems...
>>>
>>> -Jonathan
>>>
>>> On Mon, Nov 2, 2009 at 2:10 PM, Ben Scott <[email protected]> wrote:
>>>
>>>> On Mon, Nov 2, 2009 at 9:38 AM, David Lum <[email protected]> wrote:
>>>> > Thoughts, comments? Oh and do read the comments.
>>>>
>>>> I've sometimes wondered if we wouldn't be better off enforcing (1) a
>>>> very long minimum password length and (2) complexity checking that
>>>> only filters stupid sequences. Thus, encouraging users to use
>>>> non-trivial passphrases rather than passwords.
>>>>
>>>> Shook and Caesare sitting in a tree
>>>>
>>>> is going to be both hard to guess and easy to remember, while
>>>>
>>>> S5p$3xQ!
>>>>
>>>> is only hard to guess, and thus much more likely to be on a Post-It
>>>> note.
>>>>
>>>> -- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
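Two points in the thread lend themselves to a concrete check: Ben Scott's proposal of a long minimum length plus a filter that rejects only "stupid sequences", and Andrew Baker's observation that a rotation period only helps if the password cannot be exhausted within the window it stays static. The script below is an added illustration, not code from anyone on the list. Everything numeric in it is an assumption chosen for the illustration: a 20-character minimum, a 4-character run threshold, a 20,000-word vocabulary for scoring passphrases, 33 printable symbols, a guess rate of one billion per second, and a 90-day rotation window. It scores the two sample strings from Ben's message under those assumptions.

```python
import math
import re
from typing import Tuple

# Keyboard rows used to spot trivial runs (assumed list; extend per local policy)
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
RUN_LEN = 4            # assumed: a run this long counts as a trivial sequence
ASSUMED_VOCAB = 20_000  # assumed size of the word pool a passphrase is drawn from


def has_trivial_sequence(pw: str) -> bool:
    """True if pw contains RUN_LEN+ identical characters in a row, a straight
    ascending/descending run (abcd, 4321), or a keyboard-row run (qwer, poiu)."""
    s = pw.lower()
    # repeated characters, e.g. "aaaa"
    if re.search(r"(.)\1{%d,}" % (RUN_LEN - 1), s):
        return True
    # ascending or descending character-code runs, e.g. "abcd" or "4321"
    for i in range(len(s) - RUN_LEN + 1):
        window = s[i:i + RUN_LEN]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    # keyboard-row runs in either direction, e.g. "qwer" or "lkjh"
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r) - RUN_LEN + 1):
                if r[i:i + RUN_LEN] in s:
                    return True
    return False


def check_policy(pw: str, min_len: int = 20) -> Tuple[bool, str]:
    """Policy in the spirit of Ben's proposal: a long minimum length and a
    filter for trivial sequences only. No character-class rules, so a natural
    passphrase passes and a short "complex" string does not."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if has_trivial_sequence(pw):
        return False, "contains a trivial sequence"
    return True, "ok"


def estimate_bits(pw: str) -> float:
    """Rough size of the guess space in bits. Word-separated input is scored
    as a random draw of words from ASSUMED_VOCAB; anything else as random
    characters from the union of the character classes it uses."""
    words = pw.split()
    if len(words) > 1 and all(w.isalpha() for w in words):
        return len(words) * math.log2(ASSUMED_VOCAB)
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # assumed count of printable ASCII symbols
    return len(pw) * math.log2(size)


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Days needed to try every candidate at the given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / 86400


def rotation_is_moot(bits: float, guesses_per_second: float, rotation_days: int) -> bool:
    """Andrew's point: if the whole space can be searched inside one rotation
    window, changing the password on that schedule adds no protection."""
    return days_to_exhaust(bits, guesses_per_second) <= rotation_days


if __name__ == "__main__":
    rate, window = 1e9, 90  # assumed guess rate (per second) and rotation window (days)
    for sample in ("Shook and Caesare sitting in a tree", "S5p$3xQ!"):
        ok, why = check_policy(sample)
        bits = estimate_bits(sample)
        print(f"{sample!r}: policy={'pass' if ok else 'fail'} ({why}), "
              f"~{bits:.1f} bits, {days_to_exhaust(bits, rate):.1f} days to exhaust, "
              f"rotation moot={rotation_is_moot(bits, rate, window)}")
```

Under these assumptions the eight-character string is rejected for length and, at a billion guesses per second, can be exhausted in under 90 days, so a 90-day rotation would not outrun the search; the passphrase passes the filter and sits far outside any practical window. The bit estimates are deliberately crude (a real deployment would score against a breached-password list rather than a fixed vocabulary), but they make the thread's trade-off visible in numbers.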
