| 1 |
On 2013-10-13 4:07 PM, Martin Vaeth <vaeth@××××××××××××××××××××××××.de> |
| 2 |
wrote: |
| 3 |
> Like passwords, these sequences should better not stay the same for |
| 4 |
> too long... |
| 5 |
|
| 6 |
Forced changing of passwords (and I imagine the same can be said for |
| 7 |
port-knocking sequences, which I've never implemented, but am intrigued |
| 8 |
by, although I tend to avoid security-through-obscurity schemes) |
| 9 |
periodically as a way to 'better security' is one of those myths that |
| 10 |
just never seem to go away. |
| 11 |
|
| 12 |
Enforce strong passwords and a policy that no one is to ever write a |
| 13 |
password down and put it in any publicly accessible place, and educate |
| 14 |
users how not to fall for phishing attacks, is the single most effective |
| 15 |
way to keep things secure. |
| 16 |
|
| 17 |
Then only change a password if/when an account is compromised. |
| 18 |
|
| 19 |
This combined with intelligent rate-limiting (with |
| 20 |
notifications/warnings to admins if/when a users account exceeds them) |
| 21 |
is all you need. |
| 22 |
|
| 23 |
In fact I go one step further... I assign passwords, and do not even |
| 24 |
allow users to change them. I have always done this, and we have people |
| 25 |
in this office that have had the same email password (on the same gentoo |
| 26 |
server) for 12+ years. |
| 27 |
|
| 28 |
I know that I'm probably the exception to this rule, and it is more luck |
| 29 |
than anything else, but we have never had an email account hacked (knock |
| 30 |
on wood). |
| 31 |
|
| 32 |
I'm certainly not saying we are immune, but the claim that passwords |
| 33 |
should be forcibly changed for no reason other than the passage of some |
| 34 |
arbitrary amount of time is just plain dumb. |
Archives