> > <soapbox>
> > I realize that these sorts of password rules are often externally
> > dictated, but it's not clear to me (or many others) that they
> > actually have a positive effect on security.
> > </soapbox>

> <heckle>
> Let me know when you convince non-technical security auditors.
> </heckle>

Well, so far, we don't have any password lifetime or history policy.

One of the things I did was modify our KDC to collect statistics on
what kind of passwords people choose.

When it was 5 chars they mostly looked like:

    aaaaa

When it was 5 chars/2 classes they were:

    aaaaa#  or  aaaa#

Now that it is 8/2 mostly they are:

    aaaaaaa#

Fact is, no matter what your password rules are, half the people or
more will choose the weakest password allowed.

If we added lifetime I'm sure we'd just see 50% of our users change and
change back.

If we added history, 50% or more would just do

    aaaaaaa1  aaaaaaa2  aaaaaaa3  ...

I strongly suspect that the more onerous the rules, the higher the
percentage doing stuff like this. And then we get into sticky notes...

John

________________________________________________
Kerberos mailing list  Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
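As an added example (not code from the post or from MIT Kerberos), the shape-statistics idea John describes, in Python: the KDC hook that sees the cleartext at password-change time is assumed and not shown; the script only maps passwords to the post's `a`/`#` masks, measures how many sit exactly on the policy minimum, and flags the trailing-counter bump that defeats naive history rules. The sample passwords are constructed.

```python
"""Password-shape statistics as a defender would collect them.

Assumed: a KDC change-password hook hands each new (and previous)
password to these functions. Nothing here stores the cleartext; only
the shape mask and the policy verdict would be logged.
"""
from collections import Counter
import re


def shape(password: str) -> str:
    """Post's notation: letters -> 'a', digits and symbols -> '#'."""
    return "".join("a" if c.isalpha() else "#" for c in password)


def class_count(password: str) -> int:
    """Character classes present out of lower, upper, digit, other."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def is_minimal(password: str, min_len: int, min_classes: int) -> bool:
    """True when the password meets the policy and not one step more."""
    return len(password) == min_len and class_count(password) == min_classes


def shape_stats(passwords, min_len: int, min_classes: int):
    """Return (histogram of shape masks, fraction at the policy minimum)."""
    histogram = Counter(shape(p) for p in passwords)
    minimal = sum(is_minimal(p, min_len, min_classes) for p in passwords)
    return histogram, minimal / len(passwords)


# Same stem, different trailing number: "aaaaaaa1" -> "aaaaaaa2".
_COUNTER_RE = re.compile(r"^(.*?)(\d+)$")


def is_counter_bump(old: str, new: str) -> bool:
    """Detect the history-defeating change the post predicts."""
    m_old, m_new = _COUNTER_RE.match(old), _COUNTER_RE.match(new)
    return bool(m_old and m_new
                and m_old.group(1) == m_new.group(1)
                and m_old.group(2) != m_new.group(2))


# Constructed sample under an 8-char / 2-class policy like the post's.
SAMPLE = ["letmein1", "monkey12", "pass1234",
          "Password1", "sunshine#", "Tr0ub4dor&3"]

if __name__ == "__main__":
    hist, frac = shape_stats(SAMPLE, 8, 2)
    print(hist.most_common(), f"{frac:.0%} at policy minimum")
```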