Re: Expire or not expire?
- From: "Ben M. Schorr, MVP" <bens@xxxxxxxxxxxxxxxx>
- Date: Mon, 17 Dec 2007 15:54:35 -1000
I don't force password changes, generally. I prefer to force long pass phrases and let people select their own pass phrases. That way they can select things that are easy for them to remember and because the pass phrases are long (15 characters+ generally) they are nearly impossible to brute-force.
We also set the lockout policy so that an intruder could only brute force attempt about 100 passwords in an hour. By the time an intruder successfully brute forced a 15+ character passphrase at the rate of 100 attempts per hour the user whose account they were attacking will have long since retired. Not to mention the fact that the admins would pretty quickly notice that many failed login attempts in the log.
A pass phrase like: "My 2 dogs are cute!" is easy to remember, doesn't need to be written down, is nearly impossible for a random stranger to guess and is 19 characters long with spaces, numbers, mixed case and punctuation. Good luck breaking that at 100 tries per hour.
--
-Ben-
Ben M. Schorr, MVP
Roland Schorr & Tower
http://www.rolandschorr.com
http://www.officeforlawyers.com/outlook.htm
"Shurick" <Shurick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F78DAC49-8A0E-4526-836D-8CB16A31BEB0@xxxxxxxxxxxxxxxx
Hello,
Help me to solve this dilemma. What scenario is more secure?
1. I apply a policy to change their passwords every 2 months.
2. I apply a policy that passwords never expire.
In the first scenario half of the users will store their passwords on stickers and
that confuses me.
Thanks for any suggestions!