Showing posts with label Expiration. Show all posts
Showing posts with label Expiration. Show all posts

Thursday, September 27, 2012

Password Expiration

One common bit of advice with respect to security is to require frequent password changes.  This "best practice" has persisted for decades despite some prominent criticism.  But, is password expiration actually helpful or not?

Are there benefits?

Password expiration has a negligible effect on limiting or preventing malicious behavior.  The ability to steal passwords often implies privileged access to your systems or network.  If the attacker has administrator rights, access to the password database or the ability to sniff traffic on your network, he can install a backdoor or continuously steal passwords in order to avoid the expiration window.  That’s assuming he even needs continued access to accomplish his goal.  If the attacker only needs short-term access, which is often the case, password expiration is irrelevant.

Read more »
at 6 comments:
Labels: , , ,
Subscribe to: Posts (Atom)

Understanding Scope in Go

As per my New Year's resolution, I've been learning to program in Go and reading  The Go Programming Language .   On page 141 of the...

  • How big is 2**128?
    Most cryptographic algorithms deal with numbers that are 128 bits or larger.   A 128-bit number has 2 128 possible values, but how big ...
  • Passwords Matter
    This is in response to a Tenable blog post " Do Passwords Matter? "  I have several issues with the post that I address here. Pa...