password expiration policy (was Re: UNIX V7)

Gordon JC Pearce gordonjcp at gjcp.net
Sat Jun 13 03:20:47 CDT 2009


On Fri, 2009-06-12 at 13:26 -0700, Eric Smith wrote:
> Daniel Seagraves wrote:
> > (In reality however, I am most likely giving up my password expiration 
> > policy. The users are complaining to the owner about having to change 
> > their password every 60 days, and the owner has told me if they 
> > continue to complain the policy will be abolished
> In my opinion, having a password expiration policy with such a short 
> period is counterproductive.  It will cause the users to be more sloppy 
> with their passwords in various ways, including leaving the passwords 
> written down in places they can easily be found.  It will also make 
> users favor weaker, more easily guessed passwords, even if the system 
> sets minimum requirements; users are more willing to memorize a stronger 
> password if they're going to use it for a fairly long time.

When I worked at IBM a couple of years ago (doing rather dull tech
support stuff) I worked out that the password rules (something like
"eight to ten characters, two to four upper-case letters and two to four
digits not in the first, second, second-to-last or last position")
yielded about 1000 valid passwords...

Gordon
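An added example (not part of the thread) that counts how many passwords the rules Gordon paraphrases admit, assuming the positions that are neither digits nor upper-case letters hold lowercase letters, which the post does not state; the figure depends on that reading. The closed form is cross-checked against a literal brute-force enumeration over a tiny alphabet.

```python
"""Count the password space admitted by a composition policy (added example)."""
from itertools import product
from math import comb, log2

# Policy as paraphrased in the post: length 8-10, 2-4 upper-case letters,
# 2-4 digits, digits banned from the first two and last two positions.
# Assumption (not in the post): remaining positions are lowercase letters.
DIGITS = "0123456789"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"


def count_length(n, d_range=(2, 4), u_range=(2, 4),
                 n_digit=10, n_upper=26, n_lower=26, digit_margin=2):
    """Closed-form count of valid passwords of exactly length n.

    Choose d digit slots among the n - 2*digit_margin interior positions,
    then u upper-case slots among the remaining n - d positions; every
    other position is a lowercase letter."""
    digit_slots = max(n - 2 * digit_margin, 0)
    total = 0
    for d in range(d_range[0], d_range[1] + 1):
        for u in range(u_range[0], u_range[1] + 1):
            if d > digit_slots or d + u > n:
                continue
            total += (comb(digit_slots, d) * n_digit ** d
                      * comb(n - d, u) * n_upper ** u
                      * n_lower ** (n - d - u))
    return total


def count_policy(lengths=(8, 9, 10), **kw):
    """Total over every permitted length."""
    return sum(count_length(n, **kw) for n in lengths)


def brute_force(n, digits, upper, lower, d_range=(2, 4), u_range=(2, 4),
                digit_margin=2):
    """Apply the rules literally to every string over a (tiny) alphabet;
    only used to cross-check the closed form."""
    alphabet = digits + upper + lower
    ok = 0
    for pw in product(alphabet, repeat=n):
        d = sum(c in digits for c in pw)
        u = sum(c in upper for c in pw)
        edges = pw[:digit_margin] + pw[n - digit_margin:]
        if (d_range[0] <= d <= d_range[1] and u_range[0] <= u <= u_range[1]
                and not any(c in digits for c in edges)):
            ok += 1
    return ok


if __name__ == "__main__":
    total = count_policy()
    print(f"{total:,} valid passwords, about {log2(total):.1f} bits")
```

The same functions can be re-run with different `d_range`, `u_range` or `digit_margin` values to see how much each composition rule shrinks the space a defender is relying on.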
