Firewall Wizards mailing list archives
Re: password aging
From: Rick Smith <rick_smith () securecomputing com>
Date: Fri, 21 Aug 1998 12:08:14 -0500
At 05:57 PM 8/18/98 -0400, Adam Shostack wrote:
> Various people assert that it's a good idea to maintain a history of user passwords so that they can't change their password to a previous password. However, I'm having trouble finding a reference to this in the literature that examines the issue of how many passwords to save and why.
Another important reference on this topic is a recent "Dilbert" cartoon in which the "preventer of information services" demanded Dilbert follow strong password rules (except that Scott Adams let him off easy with as few as 6 characters). I think there's an important point here -- people *hate* this stuff.

Don't establish a regimen that relies on incredibly strong reusable passwords unless you have a highly security-conscious and paranoid user community. In typical situations you might as well recognize out front that people will write down hard-to-guess passwords, especially passwords they don't use constantly and/or get changed regularly.

If strong authentication is essential and you've got a large and diverse user community (like a bank) then you're better off with one-time password systems. The downside is that systems with hardware-based tokens (SmartCard, SecureID, etc.) tend to cost about $100 per seat to install. Depending on the application you might want to look at authentication based on public key certificates, and protect them with PINs.

I've been looking at authentication applications a lot recently and it's interesting that no single technique really fits all applications. Cost and usability are always essential considerations, and you have to take into account the potential shortcuts users might take when the system gets in the way of Real Work.

Rick.
smith () securecomputing com
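The password-history mechanism Adam asks about, as an added example that is not part of either post and not code from Secure Computing or any other product mentioned in the thread. It keeps the current password plus the last `depth` retired ones as independently salted PBKDF2 hashes, rejects a change that matches any of them, and shows concretely what the "how many to save" choice controls: with a history of 2, a user can get back to an old password after three changes; with a history of 3, they cannot. The depth values, iteration count, and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import List, Optional, Tuple

# Constructed example settings, not values from the thread. The PBKDF2 iteration count is
# kept modest so the example runs in a few seconds; a deployment would tune it much higher.
PBKDF2_ITERATIONS = 50_000
SALT_BYTES = 16

Entry = Tuple[bytes, bytes]  # (salt, digest)


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def new_entry(password: str) -> Entry:
    """Fresh random salt per entry, so two history entries for the same password never look alike
    and the stored history cannot be compared against itself or against other users' histories."""
    salt = os.urandom(SALT_BYTES)
    return salt, derive(password, salt)


def entry_matches(password: str, entry: Entry) -> bool:
    """Re-derive with the entry's own salt and compare in constant time."""
    salt, digest = entry
    return hmac.compare_digest(derive(password, salt), digest)


class PasswordHistory:
    """One user's current password plus the last `depth` retired ones, all as salted hashes.
    The plaintext is never stored; a candidate is checked by re-deriving against each entry."""

    def __init__(self, depth: int):
        self.current: Optional[Entry] = None
        self.retired: deque = deque(maxlen=depth)  # oldest entry falls off when full

    def change(self, new_password: str) -> bool:
        """Accept and rotate if new_password is neither the current one nor remembered;
        otherwise reject without touching state."""
        remembered: List[Entry] = list(self.retired)
        if self.current is not None:
            remembered.append(self.current)
        if any(entry_matches(new_password, e) for e in remembered):
            return False
        if self.current is not None:
            self.retired.append(self.current)
        self.current = new_entry(new_password)
        return True


def demo(depth: int) -> List[bool]:
    """Walk one user through a fixed sequence of change attempts and return accept/reject per step."""
    history = PasswordHistory(depth)
    # Constructed sample passwords, not real credentials.
    attempts = ["alpha", "bravo", "charlie", "alpha", "charlie", "delta", "alpha"]
    return [history.change(p) for p in attempts]


if __name__ == "__main__":
    for depth in (2, 3):
        print(f"history depth {depth}: {demo(depth)}")
```

Reading the two runs side by side: the fourth attempt (back to "alpha" after only two changes) and the fifth (re-entering the current password) are rejected under either depth, but the final return to "alpha" after three intervening changes succeeds only when the history holds two entries. A history check on its own therefore only bounds how quickly a user can cycle back; it is normally paired with a minimum password age so that the cycle cannot be run through in one sitting.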