Firewall Wizards mailing list archives

Re: password aging


From: "Harvey Nusz" <Harvey_Nusz () administaff com>
Date: Wed, 19 Aug 1998 14:06:00 -0500

Adam, no paper per se (to my knowledge), but industry/good sense practice, and
any limitations of the software package/storage space involved.  Generally, a
year is preferred.  Also, watch out for people changing it 12 times in one hour/
day, just to be able to use the same PW again, contiguously.  The better
"packages" let you limit users changing it before, say, 10 days, unless it is
needed (user has concerns about it being compromised).  Also, hopefully,
monitoring can find those consistently changing their PW after 10 days, or
whatever the minimum is, to go back to their original PW or to their one
alternative PW (that they switch back and forth between).

Hope this helps.  Harvey
800.242.8893, ext. 3923
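The controls Harvey describes (a history of the last N passwords, a minimum age before a voluntary change, an override when the user fears compromise, and monitoring for people who cycle through the history or change exactly at the minimum age to get back to an old password) fit in one small model. The code below is an added example written for this archive page, not code from either poster or from any product they mention. The policy values (N=12, 10 days, one year), the account and timeline data in demo() and the PBKDF2 round count are all constructed for the demonstration; the detection thresholds in rapid_changer() and min_age_cycler() are assumptions, not published numbers.

```python
"""Password history, minimum age and change-cycling detection (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 10_000  # deliberately low so the demo runs quickly; raise it in real use


@dataclass
class Policy:
    history_depth: int = 12                   # N: how many prior passwords are remembered
    min_age: timedelta = timedelta(days=10)   # "say, 10 days" before a voluntary change
    max_age: timedelta = timedelta(days=365)  # "a year" before the password must change


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    changed_at: datetime


@dataclass
class Account:
    user: str
    history: list = field(default_factory=list)     # HistoryEntry objects, oldest first
    change_log: list = field(default_factory=list)  # every change time, kept for monitoring


def _digest(password: str, salt: bytes) -> bytes:
    # Only salted hashes are stored; old passwords are never kept in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _matches(entry: HistoryEntry, password: str) -> bool:
    return hmac.compare_digest(_digest(password, entry.salt), entry.digest)


def change_password(acct, new_password, now, policy, forced=False):
    """Apply the change, or return a reason string for refusing it.

    forced=True models an admin-approved early change (user fears compromise):
    it waives the minimum age but never the history check.
    """
    if acct.history and not forced:
        if now - acct.history[-1].changed_at < policy.min_age:
            return "too soon since last change"
    for entry in acct.history[-policy.history_depth:]:
        if _matches(entry, new_password):
            return "password is in recent history"
    salt = os.urandom(16)
    acct.history.append(HistoryEntry(salt, _digest(new_password, salt), now))
    if len(acct.history) > policy.history_depth:
        del acct.history[:-policy.history_depth]  # forget everything older than N
    acct.change_log.append(now)
    return None


def is_expired(acct, now, policy):
    return not acct.history or now - acct.history[-1].changed_at >= policy.max_age


def rapid_changer(acct, window=timedelta(days=1), threshold=3):
    """Flag an account with `threshold` or more changes inside any `window`."""
    log = sorted(acct.change_log)
    for i, start in enumerate(log):
        if sum(1 for t in log[i:] if t - start <= window) >= threshold:
            return True
    return False


def min_age_cycler(acct, policy, slack=timedelta(days=1), threshold=3):
    """Flag an account whose last `threshold` change gaps all sit right at the minimum age."""
    log = sorted(acct.change_log)
    streak = 0
    for a, b in zip(log, log[1:]):
        if policy.min_age <= b - a <= policy.min_age + slack:
            streak += 1
            if streak >= threshold:
                return True
        else:
            streak = 0
    return False


def demo():
    """Constructed scenario: history cycling under weak, strict and one-deep policies."""
    t0 = datetime(1998, 8, 19, 9, 0)
    weak = Policy(history_depth=12, min_age=timedelta(0))   # history but no minimum age
    strict = Policy(history_depth=12)                       # history plus 10-day minimum
    shallow = Policy(history_depth=1)                       # only the previous password
    results = {}

    alice = Account("alice")  # twelve junk changes in one hour push the old password out
    change_password(alice, "Spring!98", t0, weak)
    for i in range(12):
        change_password(alice, f"junk{i}", t0 + timedelta(minutes=5 * i), weak)
    results["weak_reuse"] = change_password(alice, "Spring!98", t0 + timedelta(hours=1), weak)
    results["alice_rapid"] = rapid_changer(alice)

    bob = Account("bob")  # the same tricks are refused under the strict policy
    change_password(bob, "Spring!98", t0, strict)
    results["strict_too_soon"] = change_password(bob, "junk0", t0 + timedelta(minutes=5), strict)
    results["strict_forced"] = change_password(bob, "Panic!98", t0 + timedelta(minutes=5), strict, forced=True)
    results["strict_reuse"] = change_password(bob, "Spring!98", t0 + timedelta(days=11), strict)
    results["strict_new"] = change_password(bob, "Summer!98", t0 + timedelta(days=11), strict)
    results["bob_expired"] = is_expired(bob, t0 + timedelta(days=400), strict)

    carol = Account("carol")  # alternates two passwords every 10 days; N=1 lets her
    outcomes = [change_password(carol, ["A!pw", "B!pw"][k % 2], t0 + timedelta(days=10 * k), shallow)
                for k in range(5)]
    results["shallow_all_accepted"] = all(o is None for o in outcomes)
    results["carol_cycler"] = min_age_cycler(carol, shallow)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The carol case is the situation Adam raises: a package that only rejects the immediately previous password (N=1) accepts an A/B/A/B rotation indefinitely, so the minimum age does not stop reuse on its own, and the monitoring pass is what surfaces it.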

____________________Reply Separator____________________
Subject:    password aging
Author: adam () weathership homeport org (Adam Shostack)
Date:       8/18/98 3:57 PM

     Various people assert that it's a good idea to maintain a
history of user passwords so that they can't change their password to
a previous password.  However, I'm having trouble finding a reference
to this in the literature that examines the issue of how many
passwords to save and why.  The lime green book (password management)
says not to let the user use their previous password, but doesn't go
into storing a history.

     Does anyone know of a paper on, or that discusses, this topic,
and how or why to pick various values of N?

Adam
