password expiration policy (was Re: UNIX V7)
Gordon JC Pearce
gordonjcp at gjcp.net
Sat Jun 13 03:20:47 CDT 2009
On Fri, 2009-06-12 at 13:26 -0700, Eric Smith wrote:
> Daniel Seagraves wrote:
> > (In reality however, I am most likely giving up my password expiration
> > policy. The users are complaining to the owner about having to change
> > their password every 60 days, and the owner has told me if they
> > continue to complain the policy will be abolished
> In my opinion, having a password expiration policy with such a short
> period is counterproductive. It will cause the users to be more sloppy
> with their passwords in various ways, including leaving the passwords
> written down in places they can easily be found. It will also make
> users favor weaker, more easily guessed passwords, even if the system
> sets minimum requirements; users are more willing to memorize a stronger
> password if they're going to use it for a fairly long time.
When I worked at IBM a couple of years ago (doing rather dull tech
support stuff) I worked out that the password rules (something like
"eight to ten characters, two to four upper-case letters and two to four
digits not in the first, second, second-to-last or last position")
yielded about 1000 valid passwords...
Gordon