RE: Password changes more than once per day

From: Joey Peloquin (jpelo1_at_jcpenney.com)
Date: 02/11/04

    Date: Tue, 10 Feb 2004 18:08:41 -0600
    To: "'Bob Kelley'" <bob_kelley_jr@yahoo.com>, security-basics@securityfocus.com

    Bob,

    It actually works in tandem with the 'Enforce Password History' setting,
    preventing users from resetting their password several times in a short
    period. For example, if Enforce Password History is set to remember 10
    passwords, and the user's password has no minimum age, they could change
    their password 10 times, effectively allowing them to use the same password
    forever.

    Maybe it's time to remind the user *why* we have password policies in the
    first place? Sounds like they'd be happy to circumvent the policy
    altogether.

    Joey Peloquin

    >>-----Original Message-----
    >>From: Bob Kelley [mailto:bob_kelley_jr@yahoo.com]
    >>Sent: Tuesday, February 10, 2004 3:32 PM
    >>To: security-basics@securityfocus.com
    >>Subject: Password changes more than once per day
    >>
    >>Can someone please explain the security implications of
    >>allowing a user to change their password more than one time
    >>per day without involving an account administrator? What's the risk?
    >>
    >>I specified the security requirement of not allowing a user
    >>to change their password more than once per day for an
    >>outsourcing project and I am being asked why. I could not
    >>remember my reasoning other than it's a requirement for
    >>Microsoft security policies to ensure password history is enforced.
    [...]
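The interaction Joey describes, as an added example that is not part of the original thread: a constructed model of the two account-policy settings ('Enforce password history' and 'Minimum password age') showing that a history of 10 alone is flushed by 11 quick changes, while a one-day minimum age blocks the cycle or stretches it to 11 days. The Policy and Account classes, the filler password names and the timestamp are assumptions made for the simulation, not real Active Directory code.

```python
# Constructed simulation of the two Windows account-policy settings; not AD code.
from dataclasses import dataclass
from datetime import datetime, timedelta

MINUTE = timedelta(minutes=1)
DAY = timedelta(days=1)

@dataclass
class Policy:
    history_length: int     # 'Enforce password history': passwords remembered (current included)
    minimum_age: timedelta  # 'Minimum password age': how long a password must be kept

@dataclass
class Account:
    history: list           # remembered passwords, most recent last
    last_changed: datetime

def change_password(policy: Policy, acct: Account, new: str, now: datetime):
    """User-initiated change; returns (accepted, reason)."""
    if now - acct.last_changed < policy.minimum_age:
        return False, "minimum password age not reached"
    if new in acct.history[-policy.history_length:]:
        return False, "password is in the remembered history"
    acct.history = (acct.history + [new])[-policy.history_length:]
    acct.last_changed = now
    return True, "accepted"

def cycle_back(policy: Policy, original: str, spacing: timedelta):
    """Flush the history with filler passwords, then try to reuse the original.
    Returns (original_reused, elapsed_time)."""
    start = datetime(2004, 2, 10, 15, 32)   # constructed timestamp
    acct = Account(history=[original], last_changed=start)
    now = start
    for i in range(policy.history_length):
        now += spacing
        ok, _ = change_password(policy, acct, f"filler-{i}", now)
        if not ok:                           # minimum age stops the cycle early
            return False, now - start
    now += spacing
    ok, _ = change_password(policy, acct, original, now)
    return ok, now - start

if __name__ == "__main__":
    no_min_age = Policy(history_length=10, minimum_age=0 * DAY)
    one_day = Policy(history_length=10, minimum_age=DAY)
    print(cycle_back(no_min_age, "Winter2004!", MINUTE))  # (True, 0:11:00)
    print(cycle_back(one_day, "Winter2004!", MINUTE))     # (False, 0:01:00)
    print(cycle_back(one_day, "Winter2004!", DAY))        # (True, 11 days)
```

The third run shows the minimum age only slows the cycle down; it is the combination with a long history that makes reuse impractical.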

