Dear Linkedin,

valdis.kletnieks at vt.edu valdis.kletnieks at vt.edu
Fri Jun 8 20:30:00 CDT 2012


On Fri, 08 Jun 2012 15:33:29 -0700, Hal Murray said:

> > Yes; of course if most of those accounts are moribund and unused then you
> > don't need to change them so often, but the passwords you use frequently
> > should be changed at regular intervals.
>
> > It's pretty commonsensical once the threat is understood.
>
> Does anybody have a good URL explaining that idea?  It's been kicking around
> for many years.  I've never seen a convincing writeup.

Gene Spafford did a nice analysis of the *contrary* a while ago, that changing
and expiring passwords is essentially useless against the current threat model
(he was writing about mandatory changes, but all the arguments hold up just
fine for "should be changed" as well):

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 865 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20120608/e986dd15/attachment.bin>


More information about the NANOG mailing list