The Daily Static
Topic for debate: changing passwords by nix 2005-05-16 11:03:40
  It's to protect against "user vulnerability", etc by jayfarm 2005-05-16 11:57:13
Point 1: Remote login / no virus opportunity, just keylogging.

Example: Person logs in via a terminal in a library. The library computer might be compromised and have a keylogger on there. The would-be attacker has the password, and it will be valid for up to 30 days.

Now this does not stop them from going in and using the access immediately, but if they don't act quickly on the newly acquired password it will no longer be valid by the time they try.

Point 2: It is a valid brute-force countermeasure

If you have a limited number of failed logins before a lockout, the attack will be stopped very quickly simply because all passwords will be refused. A password change will render any part of the dictionary that might have been checked already invalid, and while this does make it so that you "could" move it closer to getting found, it also makes it so that they would have to "recheck" the previous entries to be sure they check everything.

Also - I'm not sure who would let a brute force attack hit their machine without doing *something* about it. If a user is locked out 3 times within a 7 day period I get a notification via e-mail that something might be amiss. Any sys admin who doesn't at least glance at the login failure / lockout logs once a month probably isn't doing the proper security checks anyway. (Unless it's someone else's job; larger shops might have a separate security guy, who should catch it.)

Point 3: Carelessness of users in telling each other

Example: User A might have left a password for "just in case" while they were on vacation, but they are now back and User B still has it. When User A has to change it again then User B will no longer have access until they are retold. Not all account misuse is done maliciously, and this is generally a breach of protocol, but it happens.

Point 4: Expiration of unused accounts

This point has been made already, and that is if an account has had a password that expired after X days, just lock the account and don't allow unlock without an admin doing it. This way the admin can verify what's what before it happens.
[ Reply ]
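The two administrative checks jayfarm describes in Point 2 and Point 4 (notify when a user is locked out 3 times within 7 days, and lock accounts whose password expired X days ago until an admin intervenes) are small enough to show in working code. The following is an added example, not code from the thread or from UserFriendly.org; the lockout log format, the sample log lines and the sample account table are constructed for illustration, and the 30-day maximum password age is taken from Point 1.

```python
# Added example: lockout alerting (Point 2) and expired-password locking (Point 4).
# The log line format below is an assumption made for this example, not a real
# system's format: "<date> <time> lockout user=<name> src=<ip>".
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) lockout user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: alice has three lockouts inside one week, bob has three
# lockouts spread over more than a week.
SAMPLE_LOG = """\
2005-05-10 08:15:02 lockout user=alice src=10.0.0.5
2005-05-12 19:40:11 lockout user=alice src=10.0.0.9
2005-05-14 03:02:45 lockout user=alice src=203.0.113.7
2005-05-01 10:00:00 lockout user=bob src=10.0.0.5
2005-05-15 10:00:00 lockout user=bob src=10.0.0.5
2005-05-16 10:00:00 lockout user=bob src=10.0.0.5
malformed line that the parser must skip
"""


def parse_lockouts(text):
    """Return a list of (timestamp, user, source) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOCKOUT_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def flag_repeat_lockouts(events, window=timedelta(days=7), threshold=3):
    """Map each user who was locked out `threshold` times inside any sliding
    `window` to the lockout events that triggered the flag (Point 2's e-mail rule)."""
    by_user = defaultdict(list)
    for ts, user, src in sorted(events):
        by_user[user].append((ts, src))
    flagged = {}
    for user, hits in by_user.items():
        recent = deque()          # lockouts within `window` of the current one
        for ts, src in hits:
            recent.append((ts, src))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[user] = list(recent)
                break
    return flagged


# Constructed account table: (user, last password change, already locked?)
NOW = datetime(2005, 5, 16, 12, 0, 0)
SAMPLE_ACCOUNTS = [
    ("alice", datetime(2005, 4, 1), False),   # 45 days old -> lock
    ("bob", datetime(2005, 5, 10), False),    # 6 days old -> fine
    ("carol", datetime(2005, 3, 1), True),    # expired but already locked
]


def accounts_to_lock(accounts, now, max_age=timedelta(days=30)):
    """Return users whose password is older than `max_age` and who are not yet
    locked; the caller locks them and leaves the unlock to an admin (Point 4)."""
    return sorted(user for user, changed, locked in accounts
                  if not locked and now - changed > max_age)


if __name__ == "__main__":
    for user, hits in flag_repeat_lockouts(parse_lockouts(SAMPLE_LOG)).items():
        print(f"notify admin: {user} locked out {len(hits)} times, last from {hits[-1][1]}")
    for user in accounts_to_lock(SAMPLE_ACCOUNTS, NOW):
        print(f"lock account: {user} (password expired, admin unlock required)")
```

The sliding window matters: bob also has three lockouts in the sample, but because the first one is two weeks old he is not reported, which is exactly the "3 within 7 days" rule rather than a lifetime count. The expiry check deliberately reports only accounts that are not already locked, so re-running it from cron does not generate a fresh alert for the same account every day.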

All images, characters, content and text are copyrighted and trademarks of J.D. Frazer except where other ownership applies. Don't do bad things, we have lawyers.
UserFriendly.Org and its operators are not liable for comments or content posted by its visitors, and will cheerfully assist the lawful authorities in hunting down script-kiddies, spammers and other net scum. And if you're really bad, we'll call your mom. (We're not kidding, we've done it before.)