Educause Security Discussion mailing list archives

Re: Current Best Practice regarding Password Change policy


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 24 Sep 2010 11:02:34 -0400

On Fri, 24 Sep 2010 09:09:25 CDT, "Doty, Timothy T." said:

> Something I've always been curious about was the point of not allowing last
> X passwords to be re-used. Won't the user simply cycle through passwords
> (say, BadPassword1, BadPassword2, etc. or use a random password generator)
> until the one they want is out of the history?

Some systems enforce a *MINIMUM* number of days before a password can be
changed, to prevent that.  The well-designed ones allow that minimum to be
overridden in case a password is compromised.

And yes, I've seen some not-well-designed ones. :)
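
The interaction discussed in this message (password history, a minimum password age, and an override for a compromised password), as an added example that is not part of the original post or of any product mentioned in the thread. The `Account` class, the `user_cycles_history` helper, the PBKDF2 work factor and the sample timestamp are all assumptions made for the sketch.

```python
import hashlib
import hmac
import os
from collections import deque
from datetime import datetime, timedelta

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch
START = datetime(2010, 9, 24)  # constructed sample timestamp

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Account:
    """Hypothetical account record keeping salted hashes of the last N passwords."""
    def __init__(self, password, now, history_size=3, min_age=timedelta(days=1)):
        self.history = deque(maxlen=history_size)
        self.min_age = min_age
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.last_change = now

    def _in_history(self, password):
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history)

    def change(self, new_password, now, compromised=False):
        """Return (ok, reason); `compromised` waives the minimum age only."""
        if not compromised and now - self.last_change < self.min_age:
            return False, "minimum age not reached"
        if self._in_history(new_password):
            return False, "password is in history"
        self._store(new_password, now)
        return True, "changed"

def user_cycles_history(account, favourite, start, step):
    """Model a user flushing the history with throwaways, then reusing `favourite`."""
    now = start
    for i in range(account.history.maxlen):
        now += step
        ok, reason = account.change(f"Throwaway-{i}", now)
        if not ok:
            return False, reason
    return account.change(favourite, now + step)
```

With a zero minimum age the cycle succeeds within seconds; with a one-day minimum the first throwaway change is refused, while a change flagged as compromised still goes through and is still checked against the history.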
