[29097] in Kerberos
Re: Password History Policy Question
daemon@ATHENA.MIT.EDU (John Hascall)
Fri Jan 18 09:59:07 2008
To: Dennis Putnam <dennis.putnam@aimaudit.com>
In-reply-to: Your message of Fri, 18 Jan 2008 09:37:39 -0500.
<46E63E1F-BED1-413D-BA63-94E4C4FA6837@aimaudit.com>
Date: Fri, 18 Jan 2008 08:58:13 CST
Message-ID: <31448.1200668293@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
Cc: kerberos@mit.edu
> That is the dilemma with security and it is difficult to make some
> auditors understand the paradox. The more punitive one makes security
> rules the more likely users will start doing things to defeat them.
> The most common is the one you mentioned. If you make password rules
> too severe people will start writing them down and putting them under
> keyboards, phones, blotters, etc. The result is a higher security
> risk than if things were just left alone. However, I don't think
> requiring a maximum life, minimum length, requiring alphanumeric and
> preventing reuse of a certain number of passwords fits the definition
> of overly punitive. Although some users may think it comes close. :-)
During peak times I sometimes help out on the front line help desk.
I've actually had a person cry because they couldn't think of one
when they were told they couldn't use an all-lowercase password.
John
PS, Ken, I used "aaaaa" to mean a 5-char all-lower password, not
that 50% of our users literally used 5 a's! I had no idea of the
actual password; I just logged "a", "A", "#" or "." for a char
in that 'class'.
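The per-character "class" logging described in the PS, written out as an added example (not John's code or anything from the MIT Kerberos code base): the mask keeps the shape of a rejected password for audit statistics without ever storing the password, and the policy checks (minimum length, not all lowercase, needs a letter and a digit) are an assumed reading of the rules discussed in this thread, not the poster's actual configuration.

```python
from collections import Counter

# Class symbols as used in the thread: 'a' lowercase, 'A' uppercase,
# '#' digit, '.' anything else. Only the mask is ever logged.
def class_mask(password):
    """Return a per-character class mask; the password itself is discarded."""
    out = []
    for ch in password:
        if ch.islower():
            out.append("a")
        elif ch.isupper():
            out.append("A")
        elif ch.isdigit():
            out.append("#")
        else:
            out.append(".")
    return "".join(out)

# Hypothetical policy, evaluated on the mask alone so the checker never
# needs the cleartext either.
def violates_policy(mask, min_length=8):
    problems = []
    if len(mask) < min_length:
        problems.append("too short")
    if mask and set(mask) == {"a"}:
        problems.append("all lowercase")
    if "a" not in mask and "A" not in mask:
        problems.append("no letter")
    if "#" not in mask:
        problems.append("no digit")
    return problems

# Aggregate a help-desk log of masks: how many rejected attempts were
# all-lowercase, and which shapes recur (the "aaaaa" statistic from the PS).
def summarize(masks):
    return {
        "total": len(masks),
        "all_lowercase": sum(1 for m in masks if m and set(m) == {"a"}),
        "most_common": Counter(masks).most_common(3),
    }

# Constructed sample log (masks only, as the PS describes), not real data.
SAMPLE_LOG = ["aaaaa", "aaaaa", "Aaaaa#aa.", "aaaaaaaa#", "########"]

if __name__ == "__main__":
    print(class_mask("Passw0rd!"))          # Aaaaa#aa.
    print(violates_policy("aaaaa"))         # ['too short', 'all lowercase', 'no digit']
    print(summarize(SAMPLE_LOG))
```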
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos