[29081] in Kerberos
Re: Password History Policy Question
daemon@ATHENA.MIT.EDU (John Hascall)
Thu Jan 17 15:55:24 2008
To: Dennis Putnam <dennis.putnam@aimaudit.com>
In-reply-to: Your message of Thu, 17 Jan 2008 11:05:17 -0500. <58871CC6-4F76-4DC9-ACB8-3726010848D4@aimaudit.com>
Date: Thu, 17 Jan 2008 14:54:47 CST
Message-ID: <28540.1200603287@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
Cc: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> I am trying to set a policy for users. One of our requirements is
> that passwords not be reused for at least 1 year (we change passwords
> every 30 days). The problem seems to be that the -history parameter
> cannot be greater than 9. Is this something I am doing wrong or is
> this indeed a restriction on the number of kept old passwords? Thanks
This is, indeed, a restriction. If you need more, you need to change
the code and recompile, etc.
In any event, unless you also set a minimum password lifetime, you
can't guarantee no reuse in a year anyway (I could change my password
12 times in 12 minutes).
<soapbox>
I realize that these sorts of password rules are often externally dictated,
but it's not clear to me (or many others) that they actually have a positive
effect on security.
</soapbox>
John
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
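The reply above makes two points: the history depth is capped, and without a minimum password lifetime a user can cycle through throwaway passwords and land back on the old one in minutes. The following simulation is an added illustration written for this archive page; it is not code from MIT Kerberos or from either poster. It models a policy with a `history` depth and a `minlife_days` minimum lifetime (the names mirror kadmin's `-history` and `-minlife` policy options, but the counting rule is an assumption: the model treats `history` as the total number of remembered passwords including the current one, so check your KDC version's documentation before relying on the exact numbers). `earliest_reuse_day` cycles passwords as fast as the policy permits and reports when the original password becomes acceptable again; `policy_covers_window` answers the original question of whether a given policy can guarantee no reuse within a window such as 365 days.

```python
"""Simulate how Kerberos-style password history and minimum lifetime interact.

Added example, not MIT Kerberos code. Modelling assumptions:
  * `history` = total remembered passwords, current one included
  * `minlife_days` = minimum days between two password changes (0 = none)
"""
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    history: int          # remembered passwords, current included (assumption)
    minlife_days: float   # minimum time between changes; 0 means no minimum


@dataclass
class PrincipalState:
    remembered: list      # most recent password first
    last_change_day: float


class PolicyViolation(Exception):
    """Raised when a change would violate the password policy."""


def change_password(policy: PasswordPolicy, state: PrincipalState,
                    new_pw: str, day: float) -> None:
    """Apply a password change on `day`, enforcing minlife and history."""
    if day - state.last_change_day < policy.minlife_days:
        raise PolicyViolation("minimum password lifetime not reached")
    if new_pw in state.remembered:
        raise PolicyViolation("password found in history")
    state.remembered.insert(0, new_pw)
    del state.remembered[policy.history:]   # drop entries beyond the depth
    state.last_change_day = day


def earliest_reuse_day(policy: PasswordPolicy, original: str,
                       change_every_days: float = 0.0) -> float:
    """Cycle through throwaway passwords as fast as the policy allows.

    Returns the day (counted from the original password being set on day 0)
    on which `original` is accepted again.  `change_every_days` is how fast
    the user is willing to change passwords when no minimum lifetime applies.
    """
    state = PrincipalState([original], 0.0)
    step = max(policy.minlife_days, change_every_days)
    day = 0.0
    throwaway = 0
    while True:
        day += step
        try:
            change_password(policy, state, original, day)
            return day                      # original password accepted again
        except PolicyViolation:
            # Still in history: burn one more throwaway password instead.
            change_password(policy, state, f"throwaway-{throwaway}", day)
            throwaway += 1


def policy_covers_window(policy: PasswordPolicy, window_days: float) -> bool:
    """True if the policy guarantees no reuse within `window_days`."""
    return earliest_reuse_day(policy, "probe") >= window_days


if __name__ == "__main__":
    minute = 1 / 1440
    no_minlife = PasswordPolicy(history=9, minlife_days=0)
    print("history 9, no minlife, one change per minute:",
          round(earliest_reuse_day(no_minlife, "pw", minute) / minute), "minutes")
    capped = PasswordPolicy(history=9, minlife_days=30)
    print("history 9, minlife 30 days:", earliest_reuse_day(capped, "pw"), "days")
    print("covers 365 days?", policy_covers_window(capped, 365))
    deeper = PasswordPolicy(history=12, minlife_days=30)
    print("history 12, minlife 30 days covers 365 days?",
          policy_covers_window(deeper, 365))
```

With the cap of 9 and a 30-day minimum lifetime the model allows reuse after 300 days, so a one-year guarantee is out of reach with the stock limit; without any minimum lifetime the original password comes back after ten changes, which is the "12 times in 12 minutes" scenario. Raising the history depth (which, as the reply notes, means changing the code) or lengthening the minimum lifetime are the two levers that move that number.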