Re: Enforcing strong passwords

From:
Date: 11/10/02


Date: Sat, 9 Nov 2002 23:09:47 +0000 (UTC)

In article <aqj46t$2999$1@knotty.abnormal.com>, Tim Hogard wrote:

>You also have to give people time to think about their new password
>before you force a change. If you force people to pick a good password
>out of thin air, it will end up on a sticky note.

Forcing a password change on Friday leads to increased risk that it will
be forgotten by Monday. The "14 days left with this password - change now ?"
is quite good if you must have aging.

I also agree with Fred Cohen (http://all.net) that there is not much point to
password aging - particularly with short intervals.

-- 
decoy mail addresses: obtain username via 0x4f/tcp or 0x50/tcp
random words follow - don't take too seriously!
 Nexcerpt, Inc. 1-616.226.9550 Yet another example of how the new
 project ".Net" violating common rules of English give it a different
 behavior: unlocking the TV caused ALL of my "e-bill" as well
 as an "imbalance".


