"Michael A. Peters" wrote:
> I have never understood this. If I have a good, strong password that nobody knows, how is changing it to another one an improvement over what I already have?

I agree with you.

For user accounts, changing one strong password for another gains you nothing, and may cause people to start writing things down, or choosing trivial passwords which still meet the password strength criteria, or whatever, actually weakening security.

However, if you have admins who come into or leave employment, changing privileged account passwords (read: root or equiv) is a necessary activity.

Cheers,
Dave Thompson UW-Madison
David Thompson wrote:
> "Michael A. Peters" wrote:
>> I have never understood this. If I have a good, strong password that nobody knows, how is changing it to another one an improvement over what I already have?
>
> I agree with you.
>
> For user accounts, changing one strong password for another gains you nothing, and may cause people to start writing things down, or choosing trivial passwords which still meet the password strength criteria, or whatever, actually weakening security.
>
> However, if you have admins who come into or leave employment, changing privileged account passwords (read: root or equiv) is a necessary activity.

I disagree with this too; changing one strong password for another gains you plenty if someone has compromised the initial one.

The purpose of changing strong passwords is so that if someone has been fortunate enough to use some kind of method to get a password, they lose access again after the new password change and have to start over at the beginning to get back in.

This gains you plenty if someone who is unauthorized loses access.

If you are dealing with regular users, Bill will give Ted a password for one item when Bill goes on vacation since it is much easier than getting the IT weenies to change the access that Ted has ... besides, he only needs to login one time while Bill is on vacation. However, if Bill never has to change his password then Ted has Bill's access forever.

Then of course there is the brute force guessing, etc.

Changing passwords at regular intervals is more secure than keeping the same passwords.
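The argument above is about bounding how long a leaked or shared password stays usable. On the systems this list covers, that bound is enforced through the password-aging fields in shadow(5) (`PASS_MAX_DAYS` in /etc/login.defs, `chage -M` per account). The following is an added example, not code from anyone in this thread: a small audit that parses shadow-format records and reports accounts whose password has outlived its maximum age, has no maximum at all, or has a maximum looser than a site policy. The records, the 90-day policy value and the account names are constructed for illustration; the only real conventions used are the shadow(5) field layout and the `99999` "never expires" value that the standard tools write.

```python
"""Audit shadow(5)-style records for stale or never-expiring passwords.

Added example for this thread; not from any list member. Assumes the standard
shadow(5) layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved,
with lastchg and expire counted in days since 1970-01-01.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample records (hashes are placeholders, not real digests).
SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:13900:0:99999:7:::
bill:$6$constructed$notarealhash:13850:0:90:7:::
ted:$6$constructed$notarealhash:13700:0:90:7:::
alice:$6$constructed$notarealhash:13890:0:180:7:::
svc_backup:!!:13500:0:99999:7:::
nobody:*:0:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)
NEVER_EXPIRES = 99999          # max-age value meaning "no expiry" in shadow(5)
THREAD_DATE = date(2008, 1, 29)  # the date this thread was posted; used as "today"
POLICY_MAX_DAYS = 90           # constructed site policy for this example


@dataclass
class ShadowEntry:
    name: str
    hash_field: str
    lastchg: Optional[int]   # days since EPOCH of last password change
    max_days: Optional[int]  # maximum password age, None if field empty

    @property
    def locked(self) -> bool:
        # A leading '!' or '*' disables password login for the account.
        return self.hash_field.startswith(("!", "*"))

    def age_days(self, today: date) -> Optional[int]:
        if self.lastchg is None:
            return None
        return (today - (EPOCH + timedelta(days=self.lastchg))).days


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format text into entries; rejects malformed records."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow record: {line!r}")

        def to_int(s: str) -> Optional[int]:
            return int(s) if s else None

        entries.append(ShadowEntry(fields[0], fields[1],
                                   to_int(fields[2]), to_int(fields[4])))
    return entries


def audit(entries: List[ShadowEntry], today: date,
          policy_max_days: int = POLICY_MAX_DAYS) -> Dict[str, str]:
    """Return {account: reason} for every password-login account that is
    out of policy. Locked accounts are skipped because no password works."""
    findings: Dict[str, str] = {}
    for e in entries:
        if e.locked:
            continue
        age = e.age_days(today)
        if e.max_days is None or e.max_days >= NEVER_EXPIRES:
            findings[e.name] = "no maximum password age set (see chage -M)"
        elif age is not None and age > e.max_days:
            findings[e.name] = (f"password is {age} days old, "
                                f"exceeds account max of {e.max_days}")
        elif e.max_days > policy_max_days:
            findings[e.name] = (f"account max age {e.max_days} exceeds "
                                f"policy of {policy_max_days}")
    return findings


def run_sample() -> Dict[str, str]:
    """Audit the constructed sample as of the thread date."""
    return audit(parse_shadow(SAMPLE_SHADOW), THREAD_DATE)


if __name__ == "__main__":
    for name, reason in sorted(run_sample().items()):
        print(f"{name}: {reason}")
```

Run against a real system as `python3 audit.py < /etc/shadow` after replacing the sample with stdin, or feed the output of `getent shadow` on a host where you have rights to read it; the three branches correspond to the three ways the rotation argument above fails in practice (no expiry configured, expiry configured but overdue, expiry configured but too loose).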
on 1/29/2008 10:41 AM Johnny Hughes spake the following:
> David Thompson wrote:
>> "Michael A. Peters" wrote:
>>> I have never understood this. If I have a good, strong password that nobody knows, how is changing it to another one an improvement over what I already have?
>>
>> I agree with you.
>>
>> For user accounts, changing one strong password for another gains you nothing, and may cause people to start writing things down, or choosing trivial passwords which still meet the password strength criteria, or whatever, actually weakening security.
>>
>> However, if you have admins who come into or leave employment, changing privileged account passwords (read: root or equiv) is a necessary activity.
>
> I disagree with this too; changing one strong password for another gains you plenty if someone has compromised the initial one.
>
> The purpose of changing strong passwords is so that if someone has been fortunate enough to use some kind of method to get a password, they lose access again after the new password change and have to start over at the beginning to get back in.
>
> This gains you plenty if someone who is unauthorized loses access.
>
> If you are dealing with regular users, Bill will give Ted a password for one item when Bill goes on vacation since it is much easier than getting the IT weenies to change the access that Ted has ... besides, he only needs to login one time while Bill is on vacation. However, if Bill never has to change his password then Ted has Bill's access forever.
>
> Then of course there is the brute force guessing, etc.
>
> Changing passwords at regular intervals is more secure than keeping the same passwords.

If I ever need to give root access to somebody else, I change the password "before" I give it out, and change it again after. Just in case I got lazy and used it somewhere else. Sometimes you get busy or just plain forget.