On Jan 18, 2008, at 9:17 AM, John Hascall wrote:
>
> Well, so far, we don't have any password lifetime or history policy.
> One of the things I did was modify our KDC to collect statistics
> on what kind of passwords that people choose.
>
> When it was 5 chars they mostly looked like: aaaaa
> When it was 5 chars/2 classes they were: aaaaa# or aaaa#
> Now that it is 8/2 mostly they are: aaaaaaa#
>
> Fact is, no matter what your password rules are,
> half the people or more will choose the weakest
> password allowed. If we added lifetime I'm sure
> we'd just see 50% of our users change and change
> back. If we added history, 50% or more would just
> do aaaaaaa1 aaaaaaa2 aaaaaaa3 ...
> I strongly suspect that the more onerous the rules,
> the higher the percentage doing stuff like this.
> And then we get into sticky notes...
>
> John
>

That is the dilemma with security and it is difficult to make some auditors understand the paradox. The more punitive one makes security rules, the more likely users will start doing things to defeat them. The most common is the one you mentioned. If you make password rules too severe people will start writing them down and putting them under keyboards, phones, blotters, etc. The result is a higher security risk than if things were just left alone.

However, I don't think requiring a maximum life, minimum length, requiring alphanumeric and preventing reuse of a certain number of passwords fits the definition of overly punitive. Although some users may think it comes close. :-)

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos