Password History Policy Question

John Hascall john at iastate.edu
Fri Jan 18 09:17:58 EST 2008



> > <soapbox>
> > I realize that these sorts of password rules are often externally dictated,
> > but it's not clear to me (or many others) that they actually have a
> > positive effect on security.
> > </soapbox>

> <heckle>
> Let me know when you convince non-technical security auditors.
> </heckle>

Well, so far, we don't have any password lifetime or history policy.
One of the things I did was modify our KDC to collect statistics
on what kind of passwords that people choose.

   When it was 5 chars they mostly looked like:   aaaaa
   When it was 5 chars/2 classes they were:       aaaaa#   or aaaa#
   Now that it is 8/2 mostly they are:            aaaaaaa#

   Fact is, no matter what your passwords rules are,
   half the people or more will choose the weakest
   password allowed.  If we added lifetime I'm sure
   we'd just see 50% of our users change and change
   back.  If we added history, 50% or more would just
   do aaaaaaa1 aaaaaaa2 aaaaaaa3 ...
   I strongly suspect that the more onerous the rules,
   the higher the percentage doing stuff like this.
   And then we get into sticky notes...

John
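As an added example (not John's KDC modification, whose code is not in the post): a small Python sketch of the two things the message describes, tallying the shape of chosen passwords and recognising the aaaaaaa1 to aaaaaaa2 change that a history rule alone invites, so a password-quality check could refuse it. The sample passwords are constructed, not real data.

```python
import re
from collections import Counter

# Constructed sample of passwords chosen under an "8 chars, 2 classes" rule
# (not real data; the post reports shapes, not the passwords themselves).
SAMPLE = ["patriot1", "october7", "kittens9", "autumn04", "red#robin",
          "hunter22", "mustang3", "sparrow0", "Tr0ub4d&r", "willow81"]

def shape(password):
    """Map each character to its class: a=letter, #=digit, $=other,
    so 'patriot1' becomes 'aaaaaaa#' and 'red#robin' becomes 'aaa$aaaaa'."""
    return "".join("a" if c.isalpha() else "#" if c.isdigit() else "$"
                   for c in password)

def class_count(password):
    """Number of distinct character classes present."""
    return len(set(shape(password)))

def shape_stats(passwords):
    """Counter of shapes, as a KDC collecting statistics might tally them."""
    return Counter(shape(p) for p in passwords)

def fraction_minimal(passwords, min_len, min_classes):
    """Share of passwords that only just satisfy the rule: exactly
    min_len characters and exactly min_classes classes."""
    minimal = [p for p in passwords
               if len(p) == min_len and class_count(p) == min_classes]
    return len(minimal) / len(passwords)

_TRAILING_DIGITS = re.compile(r"\d+$")

def trivial_successor(old, new):
    """True when new differs from old only in a trailing decimal counter
    (aaaaaaa1 -> aaaaaaa2, or winter -> winter1); a password-quality
    hook that sees the previous password can reject such a change."""
    if old == new:
        return False
    return _TRAILING_DIGITS.sub("", old) == _TRAILING_DIGITS.sub("", new)

if __name__ == "__main__":
    for shp, n in shape_stats(SAMPLE).most_common(3):
        print(f"{shp:12} {n}")
    print("minimal-for-policy fraction:", fraction_minimal(SAMPLE, 8, 2))
    print("aaaaaaa1 -> aaaaaaa2 trivial:",
          trivial_successor("aaaaaaa1", "aaaaaaa2"))
```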


