On Tue, Jan 3, 2012 at 8:07 PM, <[email protected]> wrote:
>
> > So I would conjecture, at least in cases like this where users only
> > login infrequently, that the password change policy every N days
> > be done away with, or at the very least, we make N something
> > reasonably long, like 365 or more days.
>
> Kevin, are you suggesting a "50 uses and change it" rule?
Well, in the cases where users login infrequently, such as their telco or wireless carrier where users only login once a month to pay their bill, I think that makes more sense than requiring them to change it every 90 days or so. Very few people are going to be able to memorize their password when they only use it once a month and you make them change it every 3 months (3 tries). In such cases, you could get almost the same effect by making the change period very long. For instance, instead of requiring a password change every 90 days, make them change it once every 2 years.

And if you do that by uses instead of by days, it makes it a LOT easier / more relevant to warn them that they have a password change coming up so it won't take them by surprise. IMO, that's another reason why people have such a problem logging in. We have a policy something like warn the user 10 days in advance that their password is going to change, but they only log in every 30 days, so at the end of those (say) 90 days, they are surprised by the "Your password has expired. Please change it." message. Not only do they not get a chance to think of a decent password that they can remember, but they may not be prepared to safely record it. (For example, maybe they use something like PasswordSafe to store it, but it's on a USB flash drive that they don't happen to have at the moment b/c you've taken them by surprise.)

If instead, they could be greeted by a message something like "You have 2 more uses of your current password allowed. Would you like to change it now?" then they are not going to be hit out of the blue that their password has expired. Unlike warnings that are based on time (D days before password is scheduled to expire) that the user might never see, at least they would always see these warnings. Hopefully less surprise means better, stronger passwords.

I don't think this is suitable for everything though.
For example, if you use Active Directory passwords inside your corporation for also logging into lots of different servers, I think time-based expiration would work better than usage-based expiration there. Otherwise, you'd have some people that would have to be changing their password every 10 days and others that would only be changing it every 250 days. There, employee turnover also probably makes time-based expiration more suitable.

-kevin

--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
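The time-based versus usage-based expiry contrast argued in the post above, as an added example that is not code from the post or from any product. It assumes the post's own numbers: a 90-day expiry warned 10 days in advance, a 3-use limit warned from 2 uses left, and a user who logs in once every 30 days; the class and method names are invented for illustration.

```python
from dataclasses import dataclass


@dataclass
class TimeBasedPolicy:
    """Expire the password max_age_days after it was set; warn warn_days in advance."""
    max_age_days: int = 90
    warn_days: int = 10
    changed_on: int = 0          # day number of the last password change

    def check(self, today: int) -> str:
        age = today - self.changed_on
        if age >= self.max_age_days:
            return "expired"
        if age >= self.max_age_days - self.warn_days:
            return "warn"        # only visible if a login lands inside the window
        return "ok"


@dataclass
class UsageBasedPolicy:
    """Expire the password after max_uses logins; warn from warn_at_remaining uses left."""
    max_uses: int = 3
    warn_at_remaining: int = 2
    uses: int = 0

    def check(self) -> str:
        if self.uses >= self.max_uses:
            return "expired"     # the change prompt; every earlier login carried a warning
        self.uses += 1
        remaining = self.max_uses - self.uses
        if remaining <= self.warn_at_remaining:
            return f"warn:{remaining}"   # "You have N more uses of your current password"
        return "ok"


def simulate(login_days, time_policy=None, usage_policy=None):
    """Replay a login schedule (day numbers) against both policies and collect what the user sees."""
    time_policy = time_policy or TimeBasedPolicy()
    usage_policy = usage_policy or UsageBasedPolicy()
    return {
        "time": [time_policy.check(day) for day in login_days],
        "usage": [usage_policy.check() for _ in login_days],
    }


if __name__ == "__main__":
    # Constructed schedule: password set on day 0, then one login a month.
    print(simulate([30, 60, 90]))
```

With the monthly schedule the time-based warning window (days 80 to 89) is never visited, so the first thing the user sees is the expiry prompt, while the usage-based policy shows a countdown on every login.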
