All this talk of password expiration, while an important issue and a healthy debate, can skew our perspective. I think most of us would agree that 95% or more of the systems compromised these days are through exploits, not brute-force password attacks. Consider the recent Backup Exec buffer overflow -- I recall several on campus were compromised VERY shortly after the vulnerability was announced. Successfully implementing a timely patch management system (WSUS, SMS, etc.) and firewalls are far more critical than expiring passwords (not that I'm advocating ignoring password policy). If that 95% figure is true, and I believe it is, then all other attacks combined occupy the remaining 5%. Let's be sure we don't lose focus on the larger issue.
That said, I'm in the "expiring passwords are ineffective and irritating to users" camp, mostly for the reasons Michael Surato pointed out in his message:
1. Length and complexity are more effective against brute-force attacks.
2. Password expiration reduces security by encouraging people already suffering from information overload to write them down.
3. And finally, it's not going to save you because hackers either install back-doors or create their own user accounts anyhow.
The only scenario I can think of that expiring passwords would likely help prevent is someone within your organization using another individual's account to do naughtiness, say a student employee using a faculty member's account to change grades, for example. The frequency of this problem is nil relative to the number of faculty who just tell others their password, vulnerabilities, and all the other more significant threats we face, so it seems irrelevant to me. This scenario must account for less than a percentage point of the actual compromises we have on campus. The irritation it causes our users alone is greater than what we accomplish by implementing such a policy.
Regarding the password vault comments, I don't understand why anyone would want to use one. How do you use resources while on different computers, at the library, a friend's house, or at a café if you can't remember your passwords? If you don't use it, you lose it.
My "quick note" went on longer than I anticipated. Many apologies. I'll step down from the box now.
Brian H.