Password History Policy Question

John Hascall john at iastate.edu
Fri Jan 18 09:58:13 EST 2008


> That is the dilemma with security and it is difficult to make some  
> auditors understand the paradox. The more punitive one makes security  
> rules the more likely users will start doing things to defeat them.  
> The most common is the one you mentioned. If you make password rules  
> too severe people will start writing them down and putting them under  
> keyboards, phones, blotters, etc. The result is a higher security  
> risk than if things were just left alone. However, I don't think  
> requiring a maximum life, minimum length, requiring alphanumeric and  
> preventing reuse of a certain number of passwords fits the definition  
> of overly punitive. Although some users may think it comes close. :-)

During peak times I sometimes help out on the front line help desk.
I've actually had a person cry because they couldn't think of one
when they were told they couldn't use an all-lowercase password.

John
PS, Ken, I used "aaaaa" to mean a 5-char all-lowercase password, not
    that 50% of our users literally used 5 a's!  I had no idea of the
    actual password; I just logged "a", "A", "#" or "." for a char
    in that 'class'.



More information about the Kerberos mailing list