On Tue, 16 Jul 2002, Michael Stevens wrote:

> On Tue, Jul 16, 2002 at 01:34:19PM +0100, Nicholas Clark wrote:
> > I'm not convinced that frequent password changing is good, because I find
> > it seems to lead to either frequent password resetting by administrators
> > (with inherent social engineering vulnerability) or passwords written down,
> > which also isn't secure. I guess the security idea is that the password on a
>
> Or people generating passwords based on a predictable base and a
> changing element that changes just enough to fulfill the requirement
> to change one's password.
>
Indeed. I know of a certain financial institution where every employee in the office incremented the number on the end of their password by 1 each month. Worse still, the passwords were guessable, so half the employees were able to guess the manager's password in two guesses or less.

Policy is nothing without the associated training and buy-in. People have to be encouraged to go with the program, and blanket policies without buy-in and training will result in worse security and people digging their heels in.

A.

--
<A HREF = "http://termisoc.org/~betty"> Betty @ termisoc.org </A>
"As a youngster Fred fought sea battles on the village pond using a complex system of signals he devised that was later adopted by the Royal Navy."
(this email has nothing to do with any organisation except me)