On Wednesday 11 August 2010 20:16:42 Dale wrote:
> Stroller wrote:
> > On 10 Aug 2010, at 20:22, Hazen Valliant-Saunders wrote:
> >> ...
> >> Good Luck getting people to change them frequently and having your
> >> techs and IT departments meeting complexity and length policy.
> >
> > I'm pretty sure that's a trivial setting for expiration policy and a
> > PAM plugin or option to enforce complexity.
> >
> > Stroller.
>
> Thing about changing passwords too often, the person forgets what the
> password is. I have a good strong password for my bank and credit
> card. If I had to change it every month, six months or something, I
> would set it to something simple so that I could remember what the
> password is. Then I would write it down to help me remember it as well.
>
> Changing the password often can actually lead to other issues.

I refuse to implement password expiration policies and have a vast array of literature to back me up when some dimwit damager gets on his expiration high horse.

My users pick their own passwords - I present a list of 5 from apg and let them pick one. Accounts do expire if they go unused for 90 days, but not passwords.

What put me onto this policy? I found Gartner recommending password expiration. I find the best security possible is always the opposite of what Gartner says. Discovering how the AD admins in the company go about their jobs was the convincing straw :-)

--
alan dot mckinnon at gmail dot com
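
The policy described in the message above (accounts expire after 90 days unused, passwords never expire), sketched as a dry-run planner. This is an added example, not part of the original message: the input format, the UID cutoff of 1000, the sample records and the function names are assumptions, while `chage -E 0` and `chage -M -1` are the shadow-utils options for expiring an account and removing the password maximum age.

```shell
#!/bin/sh
# Dry-run planner: prints the chage commands to review, changes nothing itself.
# Input on stdin (constructed format, an assumption): user:uid:last_login_epoch
# with last_login_epoch set to 0 for an account that has never logged in.

plan_account_policy() {
    now=$1          # current time, seconds since the epoch
    idle_days=$2    # accounts idle for more than this many days are expired
    awk -F: -v now="$now" -v days="$idle_days" '
        # Skip system accounts (the UID cutoff of 1000 is an assumption).
        $2 < 1000 { next }
        # Never paste an unexpected name into a command line.
        $1 !~ /^[a-z_][a-z0-9_-]*$/ { print "# skip: unexpected account name"; next }
        # No login recorded: leave the decision to a human.
        $3 == 0 { print "# review " $1 ": never logged in"; next }
        {
            idle = int((now - $3) / 86400)
            if (idle > days)
                print "chage -E 0 " $1      # unused account: expire the account
            else
                print "chage -M -1 " $1     # active account: no password max age
        }'
}

# Constructed sample records; "now" is taken as day 1000 (86400000 seconds).
sample_accounts() {
    cat <<'EOF'
daemon:2:0
alice:1001:85968000
bob:1002:77760000
carol:1003:0
dave:1004:78624000
EOF
}

sample_accounts | plan_account_policy 86400000 90
```

In the sample, `dave` has been idle for exactly 90 days and is still treated as active, since the threshold is "more than 90 days".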