Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: Ryan Fox <rfox () FINDLAY EDU>
Date: Mon, 13 Apr 2009 08:16:25 -0400

Geoff Nathan wrote:
I'll second Roger and Valdis' comments about the religious nature of
this debate.  I tried to educate our auditors and failed, and indeed
they had expiry of ancient account passwords in mind as a driving
force.  So far there haven't been many loud squawks, but we're only
into our second 180 days.

We're implementing (today, actually) a password policy of 8+ characters,
including upper, lower, and digit.  No automatic expiration.

We actually didn't have to fight our auditors on expiration at all.  I
suspect this is because we were more prepared than our auditor.  ;)  As
part of our policy, we included the math to determine the keyspace,
along with how long it would take an attacker to brute force the
keyspace (lower limit known, as we enforce account lockout after N
attempts).  This was acceptably long given our number of accounts, and
provided no reason for us to enforce a short expiration period.

Ryan
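The keyspace and brute-force math Ryan describes, worked through as an added example (this is not code from the original post or from Findlay's policy document). It counts 8-character passwords over upper, lower and digit that actually satisfy the "must include all three classes" rule via inclusion-exclusion, then bounds an online attacker's guess rate by the lockout policy. The lockout parameters (5 attempts, 30-minute lockout), the 10,000-account population and the one-year window are assumed values, not figures from the thread. The calculation assumes users choose uniformly from the keyspace, which is the most policy-friendly assumption; real passwords cluster heavily, so the result is an upper bound on attacker effort, and the figure the auditor should also see is the rate at which a lockout-limited guesser can try a short list of likely passwords across all accounts.

```python
from itertools import combinations

# Character classes the policy requires (constructed for this example).
ALPHABET = {"upper": 26, "lower": 26, "digit": 10}
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365


def keyspace(length: int, classes: dict = ALPHABET) -> int:
    """Count strings of `length` over the union of `classes` that contain at
    least one character from EVERY class (inclusion-exclusion over the
    classes that are left out)."""
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for excluded in combinations(names, k):
            size = sum(classes[n] for n in names if n not in excluded)
            total += (-1) ** k * size ** length
    return total


def guesses_per_day(attempts_before_lockout: int, lockout_seconds: int) -> float:
    """Upper bound on online guesses per account per day when the account
    locks for `lockout_seconds` after `attempts_before_lockout` failures."""
    return attempts_before_lockout * SECONDS_PER_DAY / lockout_seconds


def years_to_exhaust(space: int, attempts_before_lockout: int,
                     lockout_seconds: int) -> float:
    """Years an online attacker needs to try every password for ONE account."""
    return space / guesses_per_day(attempts_before_lockout, lockout_seconds) / DAYS_PER_YEAR


def expected_compromises(space: int, accounts: int, attempts_before_lockout: int,
                         lockout_seconds: int, days: int) -> float:
    """Expected number of accounts cracked by an attacker who spreads the
    lockout-limited guess budget over every account for `days` days, under
    the generous assumption that all passwords are uniform over `space`."""
    budget = accounts * guesses_per_day(attempts_before_lockout, lockout_seconds) * days
    return budget / space


if __name__ == "__main__":
    space = keyspace(8)
    print(f"valid 8-char passwords: {space:,}  (of {62**8:,} unrestricted)")
    print(f"guesses/account/day:    {guesses_per_day(5, 1800):.0f}")
    print(f"years to exhaust one account: {years_to_exhaust(space, 5, 1800):.3g}")
    print(f"expected compromises, 10,000 accounts, 1 year: "
          f"{expected_compromises(space, 10_000, 5, 1800, 365):.2e}")
```

The three-class constraint removes only about a quarter of 62^8; the lockout, not the composition rule, is what pushes the exhaustive-search figure into the billions of years. The same functions make the weak case visible: a single assumed guess per account per day over ten thousand accounts is 3.65 million tries a year, which is more than enough to cover a small list of common passwords if any user picked one.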
