> <soapbox>
> I realize that these sorts of password rules are often externally dictated,
> but it's not clear to me (or many others) that they actually have a positive
> effect on security.
> </soapbox>
Geez John, do you want the terrorists to WIN?!?!? :-)

While I agree with you, it's a tough sell. I personally think password changes are a good idea, but the interval should be much longer than is typically done (1 year is my preference). The problem is that while this is my "gut" feeling, I have no hard data to back it up ... there is a lack of hard data in general on both sides of the argument. I hear plenty of anecdotal evidence, but nothing convincing.

The thinking I've seen runs like this:

1) We want better computer security.
2) Changing your password regularly is good for security.
3) If you want more security, change your password more frequently.

I suspect these people would have us change our password daily if they thought they could get away with it.

> Fact is, no matter what your passwords rules are,
> half the people or more will choose the weakest
> password allowed.

Perhaps ... but I've noticed with the use of Cracklib that the seriously egregious ones (like your "aaaaa" example) are rejected. Nothing is going to be perfect, though.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
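Ken's point that Cracklib catches the "seriously egregious" choices like "aaaaa" can be illustrated with a small checker. This is an added example, not code from the thread or from cracklib itself: the rules are a simplified approximation of the kind of checks cracklib applies (length, character diversity, palindromes, character classes, dictionary words with common digit substitutions undone), and the word list is a constructed stand-in for a real system dictionary.

```python
import re

# Constructed stand-in for a system dictionary; a real deployment would
# load a full word list (this is an assumption, not cracklib's data).
DICTIONARY = {"password", "kerberos", "secret", "welcome", "letmein"}

# Common substitutions an attacker would try in reverse: 0->o, 1->l, 3->e,
# 4->a, 5->s, 7->t, @->a, $->s.
_LEET = str.maketrans("013457@$", "oleastas")


def check_password(pw: str, min_len: int = 8) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Rules are a hypothetical Cracklib-style subset, not cracklib's real logic.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    # "aaaaa"-style choices: only one or two distinct characters overall
    if len(set(pw)) <= 2:
        reasons.append("too few distinct characters")
    # palindromes ("abccba") are trivially predictable
    if len(pw) > 1 and pw == pw[::-1]:
        reasons.append("palindrome")
    # require at least two character classes (lower, upper, digit, other)
    classes = sum(
        bool(re.search(p, pw))
        for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 2:
        reasons.append("too simplistic (one character class)")
    # dictionary check after lower-casing, undoing leet substitutions and
    # dropping non-letters, so "P@ssw0rd2024!" still reduces to "password..."
    stripped = re.sub(r"[^a-z]", "", pw.lower().translate(_LEET))
    if stripped in DICTIONARY or any(
        w in stripped for w in DICTIONARY if len(w) >= 5
    ):
        reasons.append("based on a dictionary word")
    return reasons
```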