On Thursday 12 August 2010 00:11:12 Bill Longman wrote: > On 08/11/2010 01:30 PM, Alan McKinnon wrote: > > I refuse to implement password expiration policies and have a vast array > > of literature to back me up when some dimwit damager gets on his > > expiration high horse. > > > > My users pick their own passwords - I present a list of 5 from apg and > > let them pick one. Accounts do expire if they go unused for 90 days, but > > not passwords. > > > > What put me onto this policy? I found Gartner recommending password > > expiration. I find the best security possible is always the opposite of > > what Gartner says. Discovering how the AD admins in the company go about > > their jobs was the convincing straw :-) > > The bigger buggerboo I see is the "password complexity" [il]logic. > There's this vapid requirement of all these different types of > characters needed in one's password, yet the thing you really want to > enforce is adequate entropy. If my password is an entire sentence, it > will not be brute-forced, even if I used just ASCII A-z. There's just > too much key space in 4.7^32. At 10^5 attempts per second, you're likely > to find the answer in half a billion years. I hope your keyboard still > works, let alone exists....
Your reasoning makes sense, until you consider password length limits imposed by machines. Cisco routers authenticating via Tacacs for instance often support nothing more than DES hashing <yuck>. The hash routines accept up to 10 characters for a password but only use the first 8 to calculate the hash. There are Solaris version nowhere near EOL yet that have similar limits. All this makes my life as a system integrator cum authenticate go-to guy very tricky indeed. Luckily management tends to say "Just do what Alan says. It makes him shut up and go away". :-) p.s. dig the use of "vapid". Wonderful word, truly splendid. Communicates in 5 letters something that takes paragraphs any other way. I shall make a note for future use. -- alan dot mckinnon at gmail dot com