Educause Security Discussion mailing list archives
Re: Password change *recommended* -- RESULTS?
From: Bob Bayn <bob.bayn () USU EDU>
Date: Wed, 16 Apr 2014 14:12:08 +0000
OK, but whether the password change interval is the recommended 90 days (which suggests an average time to expiry of 45
days) or our miserable, but user-appreciated 365 days, that still leaves the bad guys a typical window of weeks to
months to use any password they obtained via the bug.
This is like the "fight" I continually have with some of the web form service providers used by phishers. Some take a
day or so to act on my abuse reports while a few respond in minutes. Which ones continue to be successfully used by
phishers?
Bob Bayn SER 301 (435)797-2396 IT Security Team
Office of Information Technology, Utah State University
Do you know the "Skeptical Hover Technique" and
how to tell where a web link really goes? See:
https://it.usu.edu/computer-security/computer-security-threats/articleID=23737
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Jones, Dan J.
[djjones () WPI EDU]
Sent: Wednesday, April 16, 2014 7:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password change *recommended* -- RESULTS?
In a way, the HeartBleed bug is a cause celebre for password expiry. Instead of incurring the risk of service
disruptions around a forced password change, and assuming people never voluntarily change passwords, you can just allow
the small risk of passwords being grabbed to diminish over the course of the next PW change interval.
___________________________
Dan Jones
Information Security Analyst
Worcester Polytechnic Institute
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of
Pedersen, Krystal
Sent: Wednesday, April 16, 2014 8:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password change *recommended* -- RESULTS?
Hello Everyone – I was looking to get an idea as to how successful a recommended password change broadcast is (to the
entire school population)? Perhaps a percentage, such as -- last time we sent a broadcast out recommending a password
change, with instructions on how to change your password, less than 1% of passwords were actually changed?
Thanks!
Krystal Pedersen, CISA
Information Technology <http://inside.umassmed.edu/is/index.aspx>
Information Security, Risk & Compliance Analyst
krystal.pedersen () umassmed edu
