> That is the dilemma with security and it is difficult to make some
> auditors understand the paradox. The more punitive one makes security
> rules the more likely users will start doing things to defeat them.
> The most common is the one you mentioned. If you make password rules
> too severe people will start writing them down and putting them under
> keyboards, phones, blotters, etc. The result is a higher security
> risk than if things were just left alone. However, I don't think
> requiring a maximum life, minimum length, requiring alphanumeric and
> preventing reuse of a certain number of passwords fits the definition
> of overly punitive. Although some users may think it comes close. :-)
During peak times I sometimes help out on the front-line help desk. I've actually had a person cry because they couldn't think of one when they were told they couldn't use an all-lowercase password.

John

PS, Ken: I used "aaaaa" to mean a 5-char all-lower password, not that 50% of our users literally used 5 a's! I had no idea of the actual password; I just logged "a", "A", "#" or "." for a char in that 'class'.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
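The class-mask logging John describes (record "a", "A", "#" or "." per character, never the password itself) together with the all-lowercase rejection the help desk quoted, written out as an added example; this is not code from the thread or from MIT Kerberos. The minimum length of 8 and the reading of "alphanumeric" as at least one letter plus one digit are assumptions, as are the sample masks.

```python
"""Audit password composition by character class, keeping only a mask."""
from collections import Counter

# Class symbols follow the post: a = lowercase, A = uppercase,
# '#' = digit, '.' = anything else (punctuation, space, non-ASCII).
def class_mask(password: str) -> str:
    out = []
    for ch in password:
        if ch.islower():
            out.append("a")
        elif ch.isupper():
            out.append("A")
        elif ch.isdigit():
            out.append("#")
        else:
            out.append(".")
    return "".join(out)

def is_all_lowercase(password: str) -> bool:
    """The rejection quoted in the thread: every character is lowercase."""
    mask = class_mask(password)
    return bool(mask) and set(mask) == {"a"}

def violations(password: str, min_length: int = 8) -> list:
    """Policy check computed from the mask only. min_length=8 and
    'alphanumeric' meaning one letter plus one digit are assumed here;
    the thread does not spell out either rule."""
    mask = class_mask(password)
    problems = []
    if len(mask) < min_length:
        problems.append(f"shorter than {min_length}")
    if is_all_lowercase(password):
        problems.append("all lowercase")
    if not (("a" in mask or "A" in mask) and "#" in mask):
        problems.append("needs both a letter and a digit")
    return problems

def mask_report(masks) -> dict:
    """Summarise logged masks: share that are all-lowercase, plus the
    most common masks. No password is ever needed for this."""
    total = len(masks)
    lower = sum(1 for m in masks if m and set(m) == {"a"})
    return {"total": total,
            "all_lower_share": lower / total if total else 0.0,
            "top": Counter(masks).most_common(3)}

# Constructed sample of logged masks, not data from the thread.
SAMPLE_MASKS = ["aaaaa", "aaaaaaa", "Aaaaaa#", "aaaaa", "aaaa#...", "AAAA#"]
```

Running `mask_report(SAMPLE_MASKS)` on the constructed sample gives an all-lowercase share of 0.5, which is how a figure like "50% of our users" can be produced from masks alone.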