[geeks] Mandatory password changes

Charles Shannon Hendrix shannon at widomaker.com
Sun Dec 10 11:59:06 CST 2006 

Sun, 10 Dec 2006 @ 09:11 -0500, John Francini said:

> In a corporate setting, I can see requiring frequent password 
> changes, because nearly everything an employee can access with a 
> password is information that belongs to the company, and corporate IT 
> needs to be able to protect it as they see fit.  

Unfortunately, frequent password changers *ABSOLUTELY DO NOT* help
security. In fact, it usually reduces it.

The more frequently the employee has to change passwords, the weaker
they will be, and/or the more other security problems will occur.

It's a classic example of wrong thinking, like throwing money or brute
force at problems.

> A good analogy here 
> would be to consider the password the same as a key to (physical) 
> secured areas where corporate assets are kept. 

Exactly! Corporations very, very rarely change keys, and a huge part of
the reason is because it would reduce security.

The more frequently you change keys of any time, the more reliable and
painless the procedure must be, or you reduce security.

> In a University or public setting, the rules should be entirely       
> different. Here, the only information you can access is either your   
> own or that which the school keeps on your behalf.                    

Students who cannot share passwords will simply login for each other and
share them that way, since they usually hang out together anyway.

Still, a school is often targeted by lawsuits, so they are in the
position of occasionally having to protect themselves from stupidity.

I just doubt wether or not this will truly increase their security, or
reduce their liability.

> This means that, yes, if you share your password with someone else and
> they then violate that trust (by doing nasty stuff like dropping you
> from classes, dropping you from the University, etc.), then that's
> your problem for having given them access in the first place.  

This is really an application design problem.

> The physical analogy here would be giving another student the key
> to your dorm room, off-campus apartment, etc., and discovering that
> the other student trashed the place. This is your problem for having
> misplaced your trust.

...and the schools problem in having to do repairs to the building.

-- 
shannon "AT" widomaker.com -- [4649 5920 4320 204e 4452 5420 5348 5920 4820
2056 2054 434d 2048 4d54 2045 204e 5259 4820 444e 0a53]

More information about the geeks mailing list