> > Password expiry is an orthogonal issue and should be up to administrator
> Yes, but if you are moving to a different algorithm to improve security, not
> coupling it with an eventual expiration of non-migrated accounts gives a
> false sense of security. Any admin worth his/her salt is going to want the
> option of enforcing that sort of policy along with the transparent update.
> They should really be implemented together is all.
Account expiration and password expiration are already present. There is
absolutely no reason that password algorithm upgrade should be tied in any way
to expiration. A transparent algorithm upgrade as proposed is *far* better
than the forced password change method that is commonly employed. If the
administrator wants to force all accounts to migrate by a set deadline, we
already have the expiration facilities in place to accomplish that. Expiring
accounts that have not been used in a long time, regardless of algorithm
changes, should be part of general housekeeping and may be covered by existing
policy. Password expiration serves no purpose, EVER. Password expiration
encourages users to choose bad passwords because they are throwaway items.
Bruce states it well enough I need not elaborate further
Anyone who fails to understand the above should NOT be an administrator.
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"