Re: Enforcing strong passwords

Date: 11/10/02

Date: Sat, 9 Nov 2002 23:09:47 +0000 (UTC)

In article <aqj46t$2999$>, Tim Hogard wrote:

>You also have to give people time to think about their new password
>before you force a change. If you force people to pick a good password
>out of thin air, it will end up on a sticky note.

Forcing a password change on Friday leads to increased risk that it will
be forgotten by Monday. The "14 days left with this password - change now ?"
is quite good if you must have aging.

I also agree with Fred Cohen ( that there is not much point to
password aging - particularly with short intervals.

decoy mail addresses: obtain username via 0x4f/tcp or 0x50/tcp
random words follow - don't take too seriously!
 Nexcerpt, Inc. 1-616.226.9550 Yet another example of how the new
 project ".Net" violating common rules of English give it a different
 behavior: unlocking the TV caused ALL of my "e-bill" as well
 as an "imbalance".

Relevant Pages