Password History Policy Question
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Jan 18 09:32:50 EST 2008
><soapbox>
>I realize that these sorts of password rules are often externally dictated,
>but it's not clear to me (or many others) that they actually have a positive
>effect on security).
></soapbox>
Geez John, do you want the terrorists to WIN?!?!? :-)
While I agree with you, it's a tough sell. I personally think password
changes are a good idea, but the interval should be much longer than is
typically done (1 year is my preference). The problem is that while this
is my "gut" feeling, I have no hard data to back it up ... there is a lack
of hard data in general on both sides of the argument. I hear plenty of
ancedotal evidence, but nothing convincing.
The thinking I've seen runs like this:
1) We want better computer security
2) Changing your password regularly is good for security.
3) If you want more security, change your password more frequently.
I suspect these people would have us change our password daily if they though
they could get away with it.
>Fact is, no matter what your passwords rules are,
>half the people or more will choose the weakest
>password allowed.
Perhaps ... but I've noticed with the use of Cracklib that the seriously
egregious ones (like your "aaaaa" example) are rejected. Nothing is going
to be perfect, though.
--Ken
More information about the Kerberos
mailing list