On Thu, 27 Dec 2001, Mike Barton wrote:

> In addition to forced password changes, I'm looking for something to sit
> between the user and passwd to enforce variably strong passwords. Anyone
> have any favorite techniques/programs they'd care to share?

I have mixed feelings about forced password changes. To me, a forced password change causes me to lose some confidence in my admins. Why? It's basically telling your users you have no real intrusion detection method, and to make up for it, you're forcing users to change passwords (which is bad, 80% of lusers when forced just change between their name and "password" or make up something and put it on a sticky note on their monitor). My suggestion would be to assign everybody a random password and make whatever facility the users will be using to change their password difficult to use. The stickies will eventually go away as they learn their password.

-- Baloo

