On Tue, Jul 16, 2002 at 01:24:22PM +0100, Jonathan Peterson wrote:
> My company needs some security policies and procedures documentation.
> You know, the kind of thing that says in writing "Users must change
> passwords every 30 days" and "Changes to firewall configuration must be
Personally I find that my brain interprets that as "users must forget passwords every 30 days". What goes wrong is that $^O says "your password will expire in $n days, would you like to change it?" and I go "oh bugger", make something new up that I think I'll remember, change it to that, and then promptly forget it.

I'm not convinced that frequent password changing is good, because I find it seems to lead to either frequent password resetting by administrators (with inherent social engineering vulnerability) or passwords written down, which also isn't secure. I guess the security idea is that the password on a piece of paper is now only valid for 15.5 days on average, so the system is now more secure than it used to be, when pieces of paper remained valid for months. I just wonder if it creates more paper users.

Nicholas Clark