Password aging (Re: What should the password...)

Martin Weitzel martin at mwtech.UUCP
Tue Dec 19 20:58:31 AEST 1989


In article <10680 at attcan.UUCP> ram at attcan.UUCP (Richard Meesters) writes:
[first part deleted]
>All this is a wonderful way of thinking up a password, but what happens
>when it comes to password aging?  If you have to change your password as a 
[some more deleted]
>I figure that how you set up your password schemes should depend on how much
>security you want to build into your systems.  On my personal systems, I don't
>use, nor do I want to be forced to use, password aging.  I don't think I have
>any information that needs to be necessarily secured.  Unfortunately, as you
>increase the level of security, you are going to increase the difficulty of
>accessing the system for your users.  I just can't see any other way around
>it.

Password aging looks like a good idea - in the first place. If you
look once again, it might only appeal to people, who care more about
the formal aspects of their administrative work than about real system
security. (Do I feel the flames here ...?) With password aging, this
sort of administrator can always tell (when someone breaks into
the system): "... but I've set up password aging to 10 days, what
more could I have done ..."

The only "good" form of password aging is, to kindly remind the user,
that his or her password has not changed for so and so long. All
other forms - especially enforcing a new password, when someone is
going to log in or out - tends to produce systems, which are *far less
secure* than systems, where users are trained to be cooperative. This
can be proven on many existing systems: In general "password guessing"-
programs are far more successful on systems with password aging turned on!

If your user community is not too large and you have no remote logins,
IMHO the most successful approach is to go around once a week, ask the
people if there are any problems, how you (the system administrator)
could eventually be helpful with any improvements, and *then* you may
tell them: "By the way, it seems you are using the same password for
six weeks now, how about a change?"
-- 
Martin Weitzel, email: martin at mwtech.UUCP, voice: 49-(0)6151-6 56 83



More information about the Comp.unix.wizards mailing list