Change Your Password---Ineffective Security Measure!

Read an interesting piece by Michael Horowitz. He writes about something I have been arguing for a while: forcing users to change their password after a set period of time is not actually an effective defensive measure.

Instead of the IT department of an organization spending its time prodding employees to change their passwords after a fixed period, or even enforcing the rule, it should spend that time making the systems themselves harder to break into. Michael correctly points out, “An IT department may better serve a company by doing what the bad guys do and use password cracking software to try to decrypt the passwords under their control. If any poor passwords are discovered, they could educate the person that chose it about better passwords. If nothing else, just knowing that the IT department is watching should make people choose harder to crack (longer, more random) passwords”.
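The advice quoted above, an IT department auditing the password hashes it already holds and notifying the owners of weak ones, is the kind of thing a small script can do offline. The following is an added example written for this post; it is not code from Michael Horowitz's article or from any product. The hash format (PBKDF2-HMAC-SHA256 with a per-user salt), the sample user records and the tiny wordlist are all constructed for the demo; a real audit would read the organisation's actual credential store and use a large leaked-password list.

```python
"""
Offline weak-password audit (added example, not from the original post).

An IT department that holds its own users' password hashes can run a
dictionary check against them and send guidance to anyone whose
password is guessable. Everything below is constructed for the demo:
the storage format, the user records and the wordlist are assumptions.
"""
import hashlib
import hmac
import os

# Assumed storage format for the demo: PBKDF2-HMAC-SHA256 with a per-user
# salt. The iteration count is kept low so the example runs quickly.
ITERATIONS = 1000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(user: str, password: str) -> dict:
    """Build one constructed credential record (only used to seed the demo)."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


# Constructed wordlist; a real audit would use a large leaked-password list.
WORDLIST = ["password", "welcome", "letmein", "summer", "company", "dragon"]


def candidates(word: str):
    """Yield (guess, reason) pairs for one wordlist entry."""
    yield word, "dictionary word"
    yield word.capitalize(), "dictionary word"
    for suffix in ("1", "123", "!"):
        yield word + suffix, "dictionary word plus common suffix"
        yield word.capitalize() + suffix, "dictionary word plus common suffix"


def audit_weak_passwords(records, wordlist=WORDLIST) -> dict:
    """
    Return {user: reason} for every record whose password matches a
    candidate. Only the reason category is reported, never the password,
    so the result can be handed straight to whoever sends the reminders.
    """
    findings = {}
    # Build the candidate list once; the hashing is the expensive part.
    cands = [c for w in wordlist for c in candidates(w)]
    for rec in records:
        for guess, reason in cands:
            if hmac.compare_digest(hash_password(guess, rec["salt"]), rec["hash"]):
                findings[rec["user"]] = reason
                break
    return findings


def demo_records():
    """Constructed sample store: two weak passwords and one strong passphrase."""
    return [
        make_record("alice", "Welcome123"),
        make_record("bob", "correct horse battery staple"),
        make_record("carol", "dragon"),
    ]


if __name__ == "__main__":
    for user, reason in sorted(audit_weak_passwords(demo_records()).items()):
        print(f"{user}: weak password ({reason}); send guidance on longer passphrases")
```

Run as-is, the script reports alice and carol and stays silent about bob. Reporting only a reason category rather than the recovered password keeps the audit output safe to pass around the IT team and matches the educational purpose Michael describes.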

Read the whole post at http://blogs.computerworld.com/17549/change_your_password_maybe_not

The periodic password-change policy has been adopted by almost every organization across the globe. It has seemed to work well in the sense that nobody complains about it, but nobody can really vouch for or against its actual impact. Often it has looked more like a mandatory ritual that gives a false sense of security.

Organizations are slowly waking up to the fact that this mechanism might not be as effective as it seems. With organizations moving to the cloud and looking for better defensive mechanisms, numerous other options are being explored. People are even talking about moving to open-source (Linux-based) security mechanisms, especially for online banking and other such activities. What’s your take on it?