[Lynn R Grant: Password Aging]

[John Chambers]

In article <4506 at xenna.Encore.COM>, bzs at Encore.COM (Barry Shein) writes:
> 
> Of course the obvious question is does anyone have any good cases of
> systems broken into where, if password aging had been in effect, the
> break-in would have been prevented? Reasoning appreciated.
> 
Well, I don't know of any, but where I am currently working, there
seems to be a case where password aging has decreased the general
level of security.  Why?  Well, there's a lot of networking going
on, and many people find themselves with accounts on 10 or 15 or
50 machines, each of which has to have a password.  Password aging
has been installed on some of them, so periodically users find
themselves being harassed by yet another system that wants them
to change their password.  After a while, we all find that we
have a whole lot of different passwords, and there's only one
way that a mere human can possibly remember them: write them
down on paper along with the hostnames.  I have a list in the
little pocket calendar that lives in my shirt pocket...

Nuf said?

-- 
John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)

[Any errors in the above are due to failures in the logic of the keyboard,
not in the fingers that did the typing.]