Educause Security Discussion mailing list archives
Re: Password aging
From: Paul Russell <prussell () ND EDU>
Date: Thu, 8 Jan 2004 12:33:39 -0500
At least two respondents have noted that the implementation of password aging tends to decrease password strength and increase the likelihood that users will keep written passwords on or near their computers.

It seems to me that the first problem can be overcome by implementing password aging in conjunction with other measures to enforce password strength, and the second problem can be overcome by strict enforcement of policies against the sharing of passwords. If a user's password is written on a piece of paper which is easily accessible by any passerby, the user is implicitly sharing his/her password.

One respondent cited users who used passwords that consisted of a word and a number. When the user changed the password, he/she simply incremented the number. This is preventable. Twenty years ago, I worked at a bank which used forced aging of passwords on its mainframe systems. We wrote a password checker that rejected a password change if the new password ...

... was too similar to the old password;

... had been previously used by the same user within a given number of password change cycles;

... appeared in a list of prohibited passwords, such as "password"; or,

... was the user's userid.

There may have been other restrictions, as well. Those are the ones I remember.

--
Paul Russell
Senior Systems Administrator
University of Notre Dame

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
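The four rejection rules listed in the message above, as an added Python example; it is not part of the original post and not the bank's checker. The function names, the similarity threshold, the history depth and the sample prohibited list are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher

PROHIBITED = {"password", "letmein", "welcome"}  # constructed sample list
HISTORY_DEPTH = 5      # assumed: number of past change cycles remembered
MAX_SIMILARITY = 0.7   # assumed: ratio at or above this counts as "too similar"

SIMILAR, REUSED, LISTED, IS_USERID = (
    "too similar to old password", "used in a recent change cycle",
    "on the prohibited list", "same as userid")

def _digest(password, salt):
    # History holds salted PBKDF2 digests, never the old passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(password):
    """Build the (salt, digest) pair appended to a user's history on each change."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def _without_digits(text):
    return "".join(ch for ch in text.lower() if not ch.isdigit())

def too_similar(old, new):
    # The old password is in hand only because the user types it during the change.
    # Comparing with digits removed catches "word + incremented number".
    if _without_digits(old) == _without_digits(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= MAX_SIMILARITY

def check_change(userid, old, new, history):
    """Return the list of rejection reasons; an empty list means accepted."""
    reasons = []
    if too_similar(old, new):
        reasons.append(SIMILAR)
    # Re-hash the candidate under each stored salt; compare in constant time.
    if any(hmac.compare_digest(_digest(new, salt), stored)
           for salt, stored in history[-HISTORY_DEPTH:]):
        reasons.append(REUSED)
    if new.lower() in PROHIBITED:
        reasons.append(LISTED)
    if new.lower() == userid.lower():
        reasons.append(IS_USERID)
    return reasons
```

The similarity rule can only run at change time, because a system that stores salted digests cannot compare a new password against an old one it no longer holds in clear.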