Educause Security Discussion mailing list archives

Re: Password aging


From: Paul Russell <prussell () ND EDU>
Date: Thu, 8 Jan 2004 12:33:39 -0500

At least two respondents have noted that the implementation of password aging
tends to decrease password strength and increase the likelihood that users will
keep written passwords on or near their computers. It seems to me that the first
problem can be overcome by implementing password aging in conjunction with other
measures to enforce password strength, and the second problem can be overcome by
strict enforcement of policies against the sharing of passwords. If a user's
password is written on a piece of paper which is easily accessible by any
passerby, the user is implicitly sharing his/her password.

One respondent cited users who used passwords that consisted of a word and a
number. When the user changed the password, he/she simply incremented the
number. This is preventable. Twenty years ago, I worked at a bank which used
forced aging of passwords on its mainframe systems. We wrote a password checker
that rejected a password change if the new password ...

... was too similar to the old password;
... had been previously used by the same user within a given number of
    password change cycles;
... appeared in a list of prohibited passwords, such as "password"; or,
... was the user's userid.

There may have been other restrictions, as well. Those are the ones I remember.

--
Paul Russell
Senior Systems Administrator
University of Notre Dame

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
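The four rules Paul Russell lists for the bank's password-change checker (reject a new password that is too similar to the old one, that was used within the last N change cycles, that appears on a prohibited list, or that equals the userid) can be written down as a small change-time filter. The following is an added example, not code from the original post or from the bank's mainframe checker; the similarity threshold, the history depth of 12 cycles, the four-word prohibited list, the sample account and passwords, and the use of PBKDF2 for the stored history are all assumptions made for illustration.

```python
import difflib
import hashlib
import hmac
import re
from dataclasses import dataclass, field

HISTORY_DEPTH = 12           # assumed: number of previous passwords a user may not reuse
SIMILARITY_THRESHOLD = 0.75  # assumed: difflib ratio at or above this counts as "too similar"
PBKDF2_ROUNDS = 20_000       # assumed; production code would use a slow KDF such as bcrypt/argon2

# Constructed sample prohibited list; a real deployment would load a large wordlist.
PROHIBITED = {"password", "welcome", "changeme", "letmein"}


@dataclass
class Account:
    userid: str
    salt: bytes
    history: list = field(default_factory=list)  # digests of past passwords, oldest first


def _digest(salt: bytes, password: str) -> bytes:
    """Salted digest so the history can be stored without keeping plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalize(password: str) -> str:
    """Lowercase and strip digits so 'Winter07' and 'winter08' both become 'winter'."""
    return re.sub(r"\d+", "", password.lower())


def too_similar(old: str, new: str) -> bool:
    """Catch the word+incremented-number pattern and near-identical edits."""
    if _normalize(old) == _normalize(new):
        return True
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def check_new_password(account: Account, old: str, new: str) -> list:
    """Return every reason the change is rejected; an empty list means accept."""
    reasons = []
    if too_similar(old, new):
        reasons.append("too similar to the current password")
    new_digest = _digest(account.salt, new)
    if any(hmac.compare_digest(d, new_digest) for d in account.history[-HISTORY_DEPTH:]):
        reasons.append(f"used within the last {HISTORY_DEPTH} password changes")
    if new.lower() in PROHIBITED:
        reasons.append("appears in the prohibited-password list")
    if new.lower() == account.userid.lower():
        reasons.append("is the same as the userid")
    return reasons


def new_account(userid: str, initial_password: str, salt: bytes) -> Account:
    """Create an account whose history starts with its first password."""
    return Account(userid, salt, [_digest(salt, initial_password)])


def change_password(account: Account, old: str, new: str) -> list:
    """Verify the current password, apply the checks, and record the change on success."""
    if not hmac.compare_digest(account.history[-1], _digest(account.salt, old)):
        return ["current password incorrect"]
    reasons = check_new_password(account, old, new)
    if reasons:
        return reasons
    account.history.append(_digest(account.salt, new))
    del account.history[:-HISTORY_DEPTH]  # keep only the cycles the policy cares about
    return []


if __name__ == "__main__":
    # Constructed sample account and attempts.
    acct = new_account("prussell", "Winter07", b"constructed-salt")
    for old, new in [("Winter07", "Winter08"), ("Winter07", "password"),
                     ("Winter07", "prussell"), ("Winter07", "bluebook42"),
                     ("bluebook42", "Winter07")]:
        print(f"{old!r} -> {new!r}: {change_password(acct, old, new) or 'accepted'}")
```

The digit-stripping normalisation is what defeats the "increment the number" habit the thread mentions; the difflib ratio catches other one- or two-character edits, and the history is held as salted digests so the checker never needs the user's old plaintext passwords beyond the one supplied at change time.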
