password aging

Al Donaldson al at escom.com
Wed Mar 13 11:20:45 AEST 1991


In article <15448 at smoke.brl.mil>, gwyn at smoke.brl.mil (Doug Gwyn) writes:
> It is probably also worth noting that in most cases, forcing a change
> of password periodically actually reduces system security, rather than
> enhancing it as is probably the intention.  

Not to mention being a royal pain in the keester.  Few people can explain
how it works, fewer users understand it, and it just plain gets in the way 
of running a facility, let alone a secure one.

A solution I've proposed is to save the date of last password change 
in the shadow password file.  The administrator can scan this periodically
and apply social pressures to the fellow that hasn't changed his password
in the last year and a half.

>   Unless a password is
> compromised, if it was secure in the first place there is no reason
> not to stick with it.

Problem is that compromise of a password is a probabilistic thing -- the
probability of compromise (and accumulated damage) increases the longer 
one uses the same password.   

Users really should change their passwords periodically -- being forced
to do it by a machine is just not the right way.

Al
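
The scan Al proposes above (read the last-change date out of the shadow file, then go after the accounts that have gone too long without a change) as an added example; this is not code from the original post or from any system it mentions. It assumes the System V shadow layout name:hash:lastchg:min:max:warn:inactive:expire:flag with lastchg counted in days from 1970-01-01, uses a constructed sample shadow file and a fixed reference date so it runs offline, and treats 548 days as the "year and a half". It only reports; nothing is expired or locked, which is the whole point of the scan-and-nag approach over machine-enforced aging.

```python
#!/usr/bin/env python3
"""Report accounts whose password has gone unchanged past a policy window.

Added example, not code from the original post.  Assumes the System V
shadow layout  name:hash:lastchg:min:max:warn:inactive:expire:flag,
where lastchg is the day number of the last change counted from
1970-01-01.  The script only reports; it never expires or locks anything.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample shadow file with fake hashes.  Day numbers are chosen
# relative to REFERENCE_DATE (1991-03-13 = day 7741): 7200 is 541 days old,
# 7700 is 41 days old, 7000 is 741 days old, 6500 is 1241 days old.
SAMPLE_SHADOW = """\
root:ab.fakehash01:7200:0:99999:7:::
alice:ab.fakehash02:7700:0:99999:7:::
bob:ab.fakehash03:7000:0:99999:7:::
carol:!ab.fakehash04:6500:0:99999:7:::
daemon:*:0:0:99999:7:::
tmp:ab.fakehash05:0:0:99999:7:::
newhire:ab.fakehash06::0:99999:7:::
"""

# Fixed so the sample ages are reproducible; use date.today() on a live box.
REFERENCE_DATE = date(1991, 3, 13)


def days_since_epoch(d):
    return (d - EPOCH).days


def password_age_days(lastchg_field, reference_date):
    """Return the password age in days, or None when the field is blank
    (date never recorded) or 0 (change already forced at next login), since
    neither gives a usable age."""
    field = lastchg_field.strip()
    if not field.isdigit():
        return None
    lastchg = int(field)
    if lastchg == 0:
        return None
    return days_since_epoch(reference_date) - lastchg


def scan_shadow(text, reference_date, max_age_days=548):
    """Classify every account in shadow-format text.

    Returns a dict with keys 'stale', 'fresh', 'locked', 'unknown', each a
    list of (user, age_days) tuples; age is None for 'locked' and 'unknown'.
    548 days is roughly the year and a half mentioned in the post.
    """
    report = {"stale": [], "fresh": [], "locked": [], "unknown": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: not a shadow entry: {line!r}")
        user, pwhash, lastchg = fields[0], fields[1], fields[2]
        # A hash starting with '!' or '*' is locked or passwordless; no
        # password login is possible, so its change date is irrelevant.
        if pwhash.startswith(("!", "*")):
            report["locked"].append((user, None))
            continue
        age = password_age_days(lastchg, reference_date)
        if age is None:
            report["unknown"].append((user, None))
        elif age > max_age_days:
            report["stale"].append((user, age))
        else:
            report["fresh"].append((user, age))
    return report


def format_report(report):
    """One line per account the administrator should talk to or look at."""
    lines = []
    for user, age in sorted(report["stale"], key=lambda t: -t[1]):
        lines.append(f"STALE    {user:<12} {age} days since last change")
    for user, _ in report["unknown"]:
        lines.append(f"UNKNOWN  {user:<12} no usable change date")
    for user, _ in report["locked"]:
        lines.append(f"LOCKED   {user:<12} skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(scan_shadow(SAMPLE_SHADOW, REFERENCE_DATE)))
```

On a real system you would feed it the contents of the shadow file (readable only by root) and today's date; a blank lastchg field is worth a look on its own, since it means the date was never recorded and the age cannot be judged at all.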


