[29094] in Kerberos


Re: Password History Policy Question

daemon@ATHENA.MIT.EDU (John Hascall)
Fri Jan 18 09:18:54 2008

To: Dennis Putnam <dennis.putnam@aimaudit.com>
In-reply-to: Your message of Fri, 18 Jan 2008 08:29:38 -0500.
	<12910924-15CE-4023-984A-45C63002B0D3@aimaudit.com> 
Date: Fri, 18 Jan 2008 08:17:58 CST
Message-ID: <31164.1200665878@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
Cc: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



> > <soapbox>
> > I realize that these sorts of password rules are often externally dictated,
> > but it's not clear to me (or many others) that they actually have a
> > positive effect on security.
> > </soapbox>

> <heckle>
> Let me know when you convince non-technical security auditors.
> </heckle>

Well, so far, we don't have any password lifetime or history policy.
One of the things I did was modify our KDC to collect statistics
on what kind of passwords that people choose.

   When it was 5 chars they mostly looked like:   aaaaa
   When it was 5 chars/2 classes they were:       aaaaa#   or aaaa#
   Now that it is 8/2 mostly they are:            aaaaaaa#

   Fact is, no matter what your passwords rules are,
   half the people or more will choose the weakest
   password allowed.  If we added lifetime I'm sure
   we'd just see 50% of our users change and change
   back.  If we added history, 50% or more would just
   do aaaaaaa1 aaaaaaa2 aaaaaaa3 ...
   I strongly suspect that the more onerous the rules,
   the higher the percentage doing stuff like this.
   And then we get into sticky notes...

John
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
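A defender-side version of the statistics John describes, as an added example that is not part of the original post and not code from the MIT Kerberos KDC: it classifies passwords by character-class shape (the `aaaaaaa#` notation used above), reports what fraction of accepted passwords sit exactly at the policy floor, and checks whether a new password is a trivial variant of the previous one (the `aaaaaaa1`, `aaaaaaa2`, `aaaaaaa3` pattern a naive history rule would let through). The 8-character/2-class rule is taken from the thread; the `SAMPLE` list is constructed test data, and the helper names are this example's own.

```python
"""Password-shape statistics and a trivial-variant check for history policy.

Added example, not from the original post or the Kerberos KDC.  The
passwords in SAMPLE are constructed test data, not real credentials.
"""
from collections import Counter

# The "8/2" rule mentioned in the thread (assumed to mean >= 8 chars, >= 2 classes).
MIN_LEN, MIN_CLASSES = 8, 2


def shape(password: str) -> str:
    """Map each character to its class: a=lower, A=upper, 1=digit, #=other."""
    classes = []
    for ch in password:
        if ch.islower():
            classes.append("a")
        elif ch.isupper():
            classes.append("A")
        elif ch.isdigit():
            classes.append("1")
        else:
            classes.append("#")
    return "".join(classes)


def class_count(password: str) -> int:
    """Number of distinct character classes present."""
    return len(set(shape(password)))


def meets_policy(password: str, min_len: int = MIN_LEN, min_classes: int = MIN_CLASSES) -> bool:
    """Would the KDC's password policy accept this password?"""
    return len(password) >= min_len and class_count(password) >= min_classes


def at_policy_floor(password: str, min_len: int = MIN_LEN, min_classes: int = MIN_CLASSES) -> bool:
    """True when the password is exactly the weakest shape the rule allows."""
    return len(password) == min_len and class_count(password) == min_classes


def policy_report(passwords, min_len: int = MIN_LEN, min_classes: int = MIN_CLASSES) -> dict:
    """Aggregate shape statistics the way a KDC-side collector would."""
    accepted = [p for p in passwords if meets_policy(p, min_len, min_classes)]
    shapes = Counter(shape(p) for p in accepted)
    floor = sum(at_policy_floor(p, min_len, min_classes) for p in accepted)
    return {
        "accepted": len(accepted),
        "rejected": len(passwords) - len(accepted),
        # Fraction of accepted passwords that are exactly the minimum allowed.
        "floor_fraction": floor / len(accepted) if accepted else 0.0,
        "top_shapes": shapes.most_common(3),
    }


def _stem(password: str) -> str:
    """Strip a trailing run of digits/symbols and lower-case: aaaaaaa1 -> aaaaaaa."""
    return password.rstrip("0123456789!@#$%^&*()-_=+.,?").lower()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (small inputs, no optimisation needed)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 1) -> bool:
    """History check: reject a new password that is the old one with a bumped suffix
    or within max_edits single-character changes (case-insensitive)."""
    return _stem(old) == _stem(new) or _edit_distance(old.lower(), new.lower()) <= max_edits


# Constructed sample data for the report (not real passwords).
SAMPLE = ["password", "passwor1", "Passw0rd", "aaaaaaa#", "correct horse", "abc#", "zzzzzzz1"]

if __name__ == "__main__":
    print(policy_report(SAMPLE))
    print(is_trivial_variant("aaaaaaa1", "aaaaaaa2"))
```

Run over a real collector's output, `floor_fraction` is the number to watch: a value near 0.5 is the "half the people choose the weakest password allowed" effect described above, and a history policy that only compares exact strings will not move it because `is_trivial_variant` shows how little the typical change is.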
