[29095] in Kerberos


Re: Password History Policy Question

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Fri Jan 18 09:33:59 2008

Message-Id: <200801181432.m0IEWncv011485@ginger.cmf.nrl.navy.mil>
To: kerberos@mit.edu
In-Reply-To: <28540.1200603287@malison.ait.iastate.edu> 
Date: Fri, 18 Jan 2008 09:32:50 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

><soapbox>
>I realize that these sorts of password rules are often externally dictated,
>but it's not clear to me (or many others) that they actually have a positive
>effect on security.
></soapbox>

Geez John, do you want the terrorists to WIN?!?!? :-)

While I agree with you, it's a tough sell.  I personally think password
changes are a good idea, but the interval should be much longer than is
typically done (1 year is my preference).  The problem is that while this
is my "gut" feeling, I have no hard data to back it up ... there is a lack
of hard data in general on both sides of the argument.  I hear plenty of
anecdotal evidence, but nothing convincing.

The thinking I've seen runs like this:

1) We want better computer security
2) Changing your password regularly is good for security.
3) If you want more security, change your password more frequently.

I suspect these people would have us change our password daily if they thought
they could get away with it.

>Fact is, no matter what your passwords rules are,
>half the people or more will choose the weakest
>password allowed.

Perhaps ... but I've noticed with the use of Cracklib that the seriously
egregious ones (like your "aaaaa" example) are rejected.  Nothing is going
to be perfect, though.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
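Ken's point about Cracklib catching the egregious choices ("aaaaa") is the one concrete technical claim in the thread, so here is an added example of what such a password-quality filter does. It is not cracklib and not code from the thread or from MIT Kerberos: it is a small filter written for this page that mirrors the kinds of checks cracklib is known for (length, too few distinct characters, alphabet or digit sequences, dictionary words with trivial leetspeak/digit-suffix/reversal mangling, and reuse of the user name). The thresholds, the embedded word list and the rejection messages are assumptions chosen for illustration; a real deployment would use cracklib's packed dictionary and its configured minimum length.

```python
"""Minimal password-quality filter in the spirit of cracklib's checks.

Added illustration for this page; not cracklib and not code from the
Kerberos thread.  Rules, thresholds, word list and messages are assumptions.
"""
from typing import Optional

MIN_LENGTH = 8        # assumed; cracklib's minimum is site-configurable
MIN_DISTINCT = 4      # assumed lower bound on distinct characters

# Constructed stand-in for a real word list; cracklib uses a packed dictionary.
DICTIONARY = {"password", "kerberos", "secret", "welcome", "letmein", "monkey"}

# Common leetspeak substitutions undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
TRIM = "0123456789!.?"   # digits/punctuation users bolt onto a word


def _is_sequence(s: str) -> bool:
    """True if the whole string ascends or descends by one code point per
    step, e.g. 'abcdefgh', '12345678', 'hgfedcba'."""
    if len(s) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def _variants(raw: str) -> set:
    """Cheap mangling in both directions: with/without trailing junk,
    with/without leetspeak undone, and reversed."""
    out = set()
    for f in (raw, raw.strip(TRIM)):
        for g in (f, f.translate(LEET)):
            out |= {g, g.strip(TRIM)}
    return out | {v[::-1] for v in out}


def _dictionary_hit(password: str) -> bool:
    return any(v in DICTIONARY for v in _variants(password.lower()))


def check_password(password: str, username: str = "") -> Optional[str]:
    """Return a rejection reason (cracklib-style wording, assumed here),
    or None if the password passes every check."""
    if len(password) < MIN_LENGTH:
        return "it is too short"
    if len(set(password)) < MIN_DISTINCT:
        return "it does not contain enough different characters"
    if _is_sequence(password.lower()):
        return "it is too simplistic/systematic"
    if username and username.lower() in password.lower():
        return "it is based on your username"
    if _dictionary_hit(password):
        return "it is based on a dictionary word"
    return None


if __name__ == "__main__":
    # Constructed sample candidates, including the thread's "aaaaa".
    for pw, user in [("aaaaa", ""), ("aaaaaaaaaa", ""), ("12345678", ""),
                     ("P@ssw0rd1", ""), ("K3rb3r05!", ""), ("drowssap99", ""),
                     ("kenh2008", "kenh"), ("correct horse battery", "")]:
        print(f"{pw!r:26} -> {check_password(pw, user) or 'OK'}")
```

The order of the checks matters: the cheap structural rules run first so that an obviously bad choice is rejected before any dictionary work, and the mangling in `_variants` is deliberately generous (leetspeak undone both before and after trimming the trailing digits) because users who are told "no dictionary words" reach for exactly these transformations. Which test hits first is visible in the output, so a user gets one actionable reason rather than a list.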
