Password History Policy Question

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Jan 18 09:32:50 EST 2008


><soapbox>
>I realize that these sorts of password rules are often externally dictated,
>but it's not clear to me (or many others) that they actually have a positive
>effect on security).
></soapbox>

Geez John, do you want the terrorists to WIN?!?!? :-)

While I agree with you, it's a tough sell.  I personally think password
changes are a good idea, but the interval should be much longer than is
typically done (1 year is my preference).  The problem is that while this
is my "gut" feeling, I have no hard data to back it up ... there is a lack
of hard data in general on both sides of the argument.  I hear plenty of
ancedotal evidence, but nothing convincing.

The thinking I've seen runs like this:

1) We want better computer security
2) Changing your password regularly is good for security.
3) If you want more security, change your password more frequently.

I suspect these people would have us change our password daily if they though
they could get away with it.

>Fact is, no matter what your passwords rules are,
>half the people or more will choose the weakest
>password allowed.

Perhaps ... but I've noticed with the use of Cracklib that the seriously
egregious ones (like your "aaaaa" example) are rejected.  Nothing is going
to be perfect, though.

--Ken



More information about the Kerberos mailing list