John Hascall <[EMAIL PROTECTED]> writes:

> Fact is, no matter what your password rules are,
> half the people or more will choose the weakest
> password allowed.  If we added lifetime I'm sure
> we'd just see 50% of our users change and change
> back.  If we added history, 50% or more would just
> do aaaaaaa1 aaaaaaa2 aaaaaaa3 ...
Those sorts of passwords are trivial to reject with password strength checking that does something more than just password length restrictions, such as running the password through cracklib.  People do pick the weakest passwords allowed, so the weakest passwords allowed should be stronger than what a brute force dictionary search can find.

> I strongly suspect that the more onerous the rules,
> the higher the percentage doing stuff like this.
> And then we get into sticky notes...

Sticky notes are *great* for the average user.  I would strongly encourage people to come up with a difficult and complex password, write it down on a sticky note, and put it in their wallet, right next to their credit card, driver's license, and other things that they already know how to keep secure.  Writing the password down converts the vulnerability to one requiring physical presence, which is *way* easier to defend against in general.

Think of it this way: an impossible-to-remember password on a sticky note in their wallet is sort of like the poor-man's smart card for when you don't yet have the infrastructure to do real smart cards.  :)

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
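The kind of check the reply above argues for, as an added example that is not part of the original thread and is not cracklib itself: a small Python filter that rejects the weak-password classes the two posters mention (too short, almost no distinct characters, a dictionary word with a digit or leet-speak dressing, and the history-evading "aaaaaaa1 -> aaaaaaa2" increment, caught by a similarity test against the previous password). The word list, thresholds and function names are assumptions made for the illustration; a real deployment would load a full cracklib-style dictionary.

```python
"""Password-quality filter illustrating the thread's point (added example).

Not cracklib and not code from the original post.  It rejects the classes of
weak password the posters describe.  The tiny DICTIONARY and the thresholds
are constructed for this example, not taken from any real policy.
"""

import re
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed tiny word list; a real check would load a system dictionary.
DICTIONARY = {"password", "kerberos", "welcome", "letmein", "summer", "qwerty"}

MIN_LENGTH = 8
MIN_DISTINCT_CHARS = 5        # "aaaaaaa1" has only two distinct characters
MAX_SIMILARITY_TO_OLD = 0.8   # "aaaaaaa1" vs "aaaaaaa2" scores 0.875

# Undo common leet substitutions so "P@ssw0rd" collapses to "password".
LEET = str.maketrans("013457$@!", "oleastsai")


def _stem(pw: str) -> str:
    """Lower-case, strip a trailing run of digits/punctuation, undo leet.

    The trailing strip happens first so that "password1" becomes "password"
    before the '1' could be mistaken for a leet 'l'.
    """
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate password is rejected; [] means accept.

    `old` is the user's previous password (plaintext, available only at
    change time) and enables the "too similar to the last one" history test.
    """
    problems: List[str] = []

    if len(new) < MIN_LENGTH:
        problems.append("too short")

    if len(set(new)) < MIN_DISTINCT_CHARS:
        problems.append("too few distinct characters")

    stem = _stem(new)
    if stem in DICTIONARY or stem[::-1] in DICTIONARY:
        problems.append("based on a dictionary word")

    # One character repeated, optionally followed by digits: aaaaaaa1, 11111111
    if re.fullmatch(r"(.)\1*\d*", new):
        problems.append("repeated character")

    if old is not None:
        ratio = SequenceMatcher(None, new.lower(), old.lower()).ratio()
        if ratio >= MAX_SIMILARITY_TO_OLD:
            problems.append("too similar to previous password")

    return problems


if __name__ == "__main__":
    # Constructed sample candidates, each paired with a hypothetical old password.
    for cand, prev in [("aaaaaaa2", "aaaaaaa1"), ("P@ssw0rd!", None),
                       ("Summer2024!!", "Summer2023!!"), ("correct-horse-9z!", None)]:
        print(f"{cand!r}: {check_password(cand, prev) or 'OK'}")
```

The similarity threshold is the piece that defeats the "aaaaaaa1, aaaaaaa2, aaaaaaa3" trick: a plain history list only stops exact reuse, whereas a ratio test against the previous password also catches single-character increments.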