Timeline for answer to Password change frequency for technical accounts by Toby Speight

Current License: CC BY-SA 4.0

Post Revisions

7 events
when what by license comment
Feb 20, 2025 at 13:43 comment added Toby Speight Mind you, probably a good idea to submit a bug report on the 3rd-party service.
Feb 20, 2025 at 13:41 comment added Toby Speight Ah, I see @Jon - you're talking about the "service passwords" side of the question, but I'm only addressing the "system accounts" side in this answer. I hadn't interpreted the question the same way that you did.
Feb 20, 2025 at 13:07 comment added Jon Bentley @TobySpeight "I never mentioned Linux." - a minor nitpick that, while correct, doesn't change the spirit of my comment. "ought to be patched so that they are accessible by non-password means." - sure, but in the real world we can't go around patching every third party service that we don't control. For example, what if your software needs to interface with some government server (e.g. to submit a tax return) and the only login method is with a password? You can't force the government to change its API. All we can do is decide on a sensible policy to secure the way we access that API.
Feb 20, 2025 at 12:53 comment added Toby Speight Also, the "many services out there where it's not possible to avoid password access" ought to be patched so that they are accessible by non-password means. It's a solved problem, and "not possible" sounds to me an excuse rather than a sober analysis. Perhaps you should give an example of a service account that requires interactive login other than via sudo.
Feb 20, 2025 at 12:50 comment added Toby Speight @JonBentley, I never mentioned Linux. This answer is relevant to the whole Unix family of OSes.
Feb 19, 2025 at 16:41 comment added Jon Bentley @Ja1024 Not really, because it doesn't fully answer the question. The answer is restricted to Linux login accounts where access without a password is possible, but the question is broader than that and asks about "technical passwords for e.g. service accounts, that are used only for inter-application communication?". There are many services out there where it's not possible to avoid password access so the question remains whether they should be changed frequently or not.
Feb 19, 2025 at 13:09 history answered Toby Speight CC BY-SA 4.0