> *If an unauthorized person used my bank card PIN to steal money, I would know. If an unauthorized person used my network password to steal information, I wouldn’t.*

Then that's the problem you need to resolve. Changing the password in 60 days won't solve that problem at all.

-ASB: http://XeeSM.com/AndrewBaker

On Fri, Apr 16, 2010 at 11:07 AM, John Hornbuckle <[email protected]> wrote:

> If an unauthorized person used my bank card PIN to steal money, I would know. If an unauthorized person used my network password to steal information, I wouldn’t.
>
> To reduce password reset requests here, we bought myPassword from Namescape. Works great.
>
> John
>
> *From:* Andrew S. Baker [mailto:[email protected]]
> *Sent:* Friday, April 16, 2010 10:56 AM
> *To:* NT System Admin Issues
> *Subject:* Re: please don't change your password!
>
> Changes of 2 or 3 times a year are fine.
>
> How often do you change the pin on your bank/debit/credit card?
>
> Password resets constitute the greatest consumption of time for most helpdesks, and an overall drain on productivity when people can't access what they need in a timely fashion because they're managing 1,000,000,000,000 accounts. Deliberately introducing such changes to an environment when the safety factor is negligible at best for the threats being faced, is counterproductive.
>
> What companies need to do is make sure that no shared passwords are in use, and that when employees leave, any passwords associated with them are disabled. *This* would address the largest vector of re-entry to a network using legitimate credentials -- ex-employees.
>
> -ASB: http://XeeSM.com/AndrewBaker
>
> On Fri, Apr 16, 2010 at 10:40 AM, John Hornbuckle <[email protected]> wrote:
>
> > Is your position that passwords should never be changed?
> >
> > *From:* Malcolm Reitz [mailto:[email protected]]
> > *Sent:* Friday, April 16, 2010 10:25 AM
> > *To:* NT System Admin Issues
> > *Subject:* RE: please don't change your password!
> >
> > Passwords of sufficient complexity mitigate the threat of brute-force attacks without having to be changed. And, if you know a user’s password this month, you are probably 95% of the way to knowing his password next month (change a digit at the end, pick the next kid’s name, etc.).
> >
> > -Malcolm
> >
> > *From:* John Hornbuckle [mailto:[email protected]]
> > *Sent:* Friday, April 16, 2010 07:52
> > *To:* NT System Admin Issues
> > *Subject:* RE: please don't change your password!
> >
> > There’s a flaw in the logic.
> >
> > The Globe article states:
> >
> > “ . . . [U]sers are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.”
> >
> > This fails to consider the situation where a user’s password is compromised and the bad guy accesses the user’s information on an ongoing basis. For instance, monitoring a folder that contains files with information about patent filings to see when new files show up, or logging into OWA to keep an eye on e-mail messages. The unauthorized access will end once the password is changed (assuming a variety of other factors, such as the bad guy not getting the new password, etc.), and thus requiring regular password changes can be of value.
> >
> > Similarly, regular password changes can mitigate the risk from brute-force attacks. If a password has to be changed every 60 days, for instance, the bad guy will only have 60 days to try to determine the user’s password. This is generally considered to be better than the bad guy having an infinite amount of time to try to determine it.
> >
> > John Hornbuckle
> > MIS Department
> > Taylor County School District
> > www.taylor.k12.fl.us
> >
> > *From:* Brian Clark [mailto:[email protected]]
> > *Sent:* Thursday, April 15, 2010 4:38 PM
> > *To:* NT System Admin Issues
> > *Subject:* please don't change your password!
> >
> > After a long week doing a SBS migration I didn't know how to take this article and needed to share it!!
> >
> > http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=1
> >
> > Brian
