[clug] [OT] all text passwords == secure?

steve jenkin sjenkin at canb.auug.org.au
Tue Aug 28 18:52:09 MDT 2012


Scott and Sam are discussing workplace policies requiring people to
"frequently change your password".

The intent of the policy is sort-of commendable:
  to limit the period that shared passwords work.

By 'shared', I include those that have been deliberately shared and
accidentally so - the 'social engineering' practice of copying passwords
from the post-it notes stuck to people's screens.

I've never been anywhere that's allowed me to pick a "strong" password
and keep it for an extended period. I can only remember one or two times
I've told someone my password: handing over when leaving a job.

Which is ironic.
Every place I've worked where they log in with *systems* passwords,
rather than sudo+copy-in-the-safe, has never changed them...

Often, there'd be a Big Long List, the real Keys to the Kingdom, stored
digitally somewhere. If protected, it might be a password-protected
Excel spreadsheet.

Summary:
  For most workplaces, the "forced password change" policy limits
password sharing, accidental or deliberate. Which prevents some of the
worst "old-time" problems of everyone knows the HR password, etc.

But I've never been convinced, nor seen a statistical analysis, that
rotating passwords provides any greater degree of security.

I guess that as a low-level annoyance, it keeps the issue of computer
security in the minds of the general workforce - not a bad thing.

Sam Couter wrote on 29/08/12 12:29 AM:
> Scott Ferguson <scott.ferguson.clug at gmail.com> wrote:
>> > Which is *not* a reason to change the policy - it's the reason why
>> > people should examine the cause of all those 'professionals' being
>> > unable to manage the most basic elements of their "profession" - access.

> There are many reasons, including that IT recommends password creation
> strategies that make passwords difficult to remember, which is the whole
> point of this discussion. 


-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin

