Security Basics mailing list archives

RE: Password changes more than once per day


From: Gene LeDuc <Gene.LeDuc () tns-md com>
Date: Wed, 11 Feb 2004 15:00:10 -0500

The help desk should be able to override the minimum-age setting for
situations like this.

-----Original Message-----
From: bsec () cotse net [mailto:bsec () cotse net]
Sent: Tuesday, February 10, 2004 4:28 PM
To: bob_kelley_jr () yahoo com
Cc: security-basics () securityfocus com
Subject: Re: Password changes more than once per day


As several people have already pointed out, requiring users to wait a
period of time prevents/discourages password re-use; however, not
allowing users to change their passwords immediately could also have the
negative side effect of allowing weak passwords to exist on one's system.
Consider the situation if, while a user was entering a new password, someone
watched them type their new password (i.e., shoulder surfed): the account
would be vulnerable until the user was allowed to change their password
again.
