How long has it been since you last changed your bank card PIN? If your bank required you to change it every three months, and the new PIN could not be any of the last five you had used, would it drive you mad?
During a project I implemented recently, a large number of users complained that the information system's policy of changing account passwords every three months was extremely inconvenient, even "harassment". Three months pass quickly, and users are forced to change their passwords again; and because the system's password-complexity requirements also state that "none of the last 5 passwords used may be reused", users have to invent many unfamiliar and hard-to-remember new passwords, forget them easily, and then have to request a reset. For users this is a genuinely poor experience, and it also disrupts normal work.
Does changing passwords every three months really improve information security? To some extent, such a password policy can reduce potential information loss somewhat: for example, if an attacker obtains or cracks a user's password by some means, he can access the system within those three months, but after three months the password expires, and the loss to the enterprise/user stops there. But is that really how it works? A Microsoft research report from a few years ago: Frequent password changes are useless
Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn't make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. "That's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door," the Globe says. Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher's very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes' averted losses, but few would estimate it's anywhere approaching $16 billion a year.
Recommended reading:
Study: Frequent password changes are useless http://web.archive/web/20100423185209/http://news.yahoo/s/ytech_wguy/20100413/tc_ytech_wguy/ytech_wguy_tc1590
Why do we annoy our users? http://www.sicpers.info/2010/03/why-do-we-annoy-our-users/
Please do not change your password http://web.archive/web/20100414135812/http://www.boston/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full
Why Changing Your Passwords Often May Be a Waste of Time http://lifehacker/5966214/how-often-should-i-change-my-passwords
How does changing your password every 90 days increase security? http://security.stackexchange/questions/4704/how-does-changing-your-password-every-90-days-increase-security
Original title: Does changing your password every three months really improve information security? Reposted at: https://www.elefans.com/dongtai/1726491075a1072735.html