[153622] in North American Network Operators' Group
Re: Dear Linkedin,
daemon@ATHENA.MIT.EDU (valdis.kletnieks@vt.edu)
Fri Jun 8 21:31:18 2012
To: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Your message of "Fri, 08 Jun 2012 15:33:29 -0700."
<20120608223329.4683E80003B@ip-64-139-1-69.sjc.megapath.net>
From: valdis.kletnieks@vt.edu
Date: Fri, 08 Jun 2012 21:30:00 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
--==_Exmh_1339205400_2046P
Content-Type: text/plain; charset=us-ascii
On Fri, 08 Jun 2012 15:33:29 -0700, Hal Murray said:
> > Yes; of course if most of those accounts are moribund and unused then you
> > don't need to change them so often, but the passwords you use frequently
> > should be changed at regular intervals.
>
> > It's pretty commonsensical once the threat is understood.
>
> Does anybody have a good URL explaining that idea? It's been kicking around
> for many years. I've never seen a convincing writeup.
Gene Spafford did a nice analysis of the *contrary* a while ago, that changing
and expiring passwords is essentially useless against the current threat model
(he was writing about mandatory changes, but all the arguments hold up just
fine for "should be changed" as well):
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/
--==_Exmh_1339205400_2046P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iQIVAwUBT9KnGAdmEQWDXROgAQIv+xAAqP31fAfZ44ij0JXdkqHFHQBxSFqcSWx1
st3aKwLV4itFl2rRaM3ossak4uNtiXlfo5DR5Erb7eF7nl8pivAE5RZsVe8b+68K
3WS4tqaGq4JHoHmj5k8SVCrNN6b1UUeh+6ueSfvcI3hTxy7T16XruncU5Z363RB9
A8mBHNBdtjWk8sKQHq2sBlt5S9zAYZSB55IdWCkN2rQA0Qi/kjdDtOcFhL0piFAk
//9xaPO4iv+eBcySAdnchd3pmM8Xq9HxOnm1IWrc08WtU/V3Exe/ZpEvxagAmL5w
AaoXRImYo3Ytm5oyitS8vIgsJ5pretb90noLHYXlF1iyh4OPuTuEpFFEWZE+qVpa
Ih4Wuu1+kVEwnHhrAbtldbepGQFY7ZC8TagXcf5oOxQtKLcgj8kp7X/bu5EXLCpR
TU6h6DrVHpQG6YxDVCB99FpzFgVz+GdPQJ5RDSQ6qWFmgTJROjzZ+7tX/lhfDBhX
Zl+t6AOzG2Vzqmif1QWK2/EwuP/sPo0dlqnVLtLWWAh0j0ns9LddL4xiIhmcKB0+
H8TsrDiKR10FKmRuA9yuH+VacqokSrzcU6mpAs3QsQTTgr4AA+FIK1qs9u+ReRZL
4W1saK3gGcpelE95lk5+txcSMXLfkf3dKD6Md11m4zqaCWQ6PXZ5p6U6pE5pmv9X
uJbsdJ0nb3k=
=X3pY
-----END PGP SIGNATURE-----
--==_Exmh_1339205400_2046P--
