On 2013-10-13 4:07 PM, Martin Vaeth <vaeth@××××××××××××××××××××××××.de>
wrote:
> Like passwords, these sequences should better not stay the same for
> too long...

Forced changing of passwords (and I imagine the same can be said for
port-knocking sequences, which I've never implemented, but am intrigued
by, although I tend to avoid security-through-obscurity schemes)
periodically as a way to 'better security' is one of those myths that
just never seem to go away.

Enforcing strong passwords and a policy that no one is to ever write a
password down and put it in any publicly accessible place, and educating
users how not to fall for phishing attacks, is the single most effective
way to keep things secure.

Then only change a password if/when an account is compromised.

This combined with intelligent rate-limiting (with
notifications/warnings to admins if/when a user's account exceeds them)
is all you need.

In fact I go one step further... I assign passwords, and do not even
allow users to change them. I have always done this, and we have people
in this office that have had the same email password (on the same gentoo
server) for 12+ years.

I know that I'm probably the exception to this rule, and it is more luck
than anything else, but we have never had an email account hacked (knock
on wood).

I'm certainly not saying we are immune, but the claim that passwords
should be forcibly changed for no reason other than the passage of some
arbitrary amount of time is just plain dumb.
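The per-account rate-limiting with admin notification that the message recommends, as an added example that is not code from this thread or from any Gentoo package: a sliding-window limiter on failed logins that refuses further attempts once an account exceeds the threshold and raises one admin alert per excursion. The log line format, the 600-second window and the five-failure threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600  # sliding window for counting failures (assumed)
MAX_FAILURES = 5      # failures tolerated per account per window (assumed)

# Constructed sample auth log: "<unix_ts> <FAIL|OK> <user> <source_ip>"
SAMPLE_LOG = """\
1381690000 FAIL alice 203.0.113.7
1381690010 FAIL alice 203.0.113.7
1381690020 OK alice 198.51.100.4
1381690030 FAIL bob 203.0.113.9
1381690040 FAIL bob 203.0.113.9
1381690050 FAIL bob 203.0.113.9
1381690060 FAIL bob 203.0.113.9
1381690070 FAIL bob 203.0.113.9
1381690080 FAIL bob 203.0.113.9
1381690090 FAIL bob 203.0.113.9
1381691000 FAIL bob 203.0.113.9
"""


def rate_limit(log_text, window=WINDOW_SECONDS, limit=MAX_FAILURES):
    """Replay a chronological log; return (decisions, admin_alerts).

    Each decision is (ts, user, action) with action one of:
      allow    - credentials accepted, failure counter reset
      deny     - credentials rejected, failure recorded
      throttle - account already at the limit, attempt refused before
                 authentication (so a throttled attempt is not counted)
    An alert fires once per account per excursion, not per attempt.
    """
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerted = set()                # users whose current excursion was reported
    decisions, alerts = [], []
    for line in log_text.splitlines():
        ts_s, result, user, src = line.split()
        ts = int(ts_s)
        q = failures[user]
        while q and ts - q[0] >= window:  # drop failures outside the window
            q.popleft()
        if not q:                         # quiet window: re-arm the alert
            alerted.discard(user)
        if len(q) >= limit:
            decisions.append((ts, user, "throttle"))
            if user not in alerted:
                alerted.add(user)
                alerts.append(f"ADMIN ALERT: {user} exceeded {limit} failed "
                              f"logins within {window}s (latest from {src})")
        elif result == "OK":
            q.clear()
            decisions.append((ts, user, "allow"))
        else:
            q.append(ts)
            decisions.append((ts, user, "deny"))
    return decisions, alerts
```

Running `rate_limit(SAMPLE_LOG)` throttles bob's seventh and eighth attempts, raises a single alert, and accepts bob's attempt again once the window has drained.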