[geeks] Mandatory password changes
Charles Shannon Hendrix
shannon at widomaker.com
Mon Dec 11 00:39:13 CST 2006
Sun, 10 Dec 2006 @ 13:29 -0600, Bill Bradford said:
> On Sun, Dec 10, 2006 at 01:30:13PM -0500, Phil Stracchino wrote:
> > 1. 90% of the passwords in the system will be "cat", "dog", or the
> > ever-popular "GOD".
> > 2. 90% of your employees will switch back and forth between the same
> > two passwords at 30-day intervals.
>
> $WORK prevents this by enforcing strong passwords (uppercase/lowercase,
> symbols/numerals, etc).
As long as it isn't extreme, that's OK. The problem is the tendency of
morons to not realize there is a limit to what people can reasonably
remember, particularly when combined with a requirement for each
password to be different.
I was in a shop once that required not only letter and number mixes, but
maximum runs of each type of character, and each subsystem had to have
different passwords.
For example "99password" would be invalid. It would have to be
something like 99pa34ss32or33rd".
Even I wrote that kind of line noise on post its, all six of those
required for me to just get started in the day.
> > 3. 90% of your employees will have their current password written on a
> > Post-It note on their monitor or, at best, in their desk drawer.
>
> Current policy is password changes every 90 days, and you can't use a
> password that has the same characters in the same positions as your old
> password, nor can you re-use any of the last six passwords you've had.
That's probably pretty good. Anything more complex or stressful I'd
balk at.
Of course, a lot depends on the kinds of users you have.
> This of course doesn't stop the post-it-note problem...
Hard to get around that one.
--
shannon "AT" widomaker.com -- ["The object of war is not to die for your
country but to make the other bastard die for his." -- General George S.
Patton]
More information about the geeks
mailing list