If you force a user to select overly complex passwords and change them
frequently, you ensure that a significant number of users will store
those passwords in an insecure fashion, i.e., on a Post-It.

I think that some simple rules (min length, require numbers and letters)
and recurring, consistent advocacy on keeping passwords secure,
unwritten, and unshared go farther to improve security.

Help prevent 'Password Rage' :-)  Google it.

Tools like Password Safe help too http://passwordsafe.sourceforge.net/

My $0.02. 

        Best Regards, 

                Sam Knutson, GEICO 
                Performance and Availability Management 
                mailto:[EMAIL PROTECTED] 
                (office)  301.986.3574 

Our life is frittered away by detail. Simplify, simplify. Henry David
Thoreau (1817-1862)

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Paul Gilmartin
Sent: Tuesday, May 16, 2006 9:25 AM
To: [email protected]
Subject: Password Complexity

I read somewhere that the motivation for support of mixed case passwords
in z/OS v1r7 is an external requirement that the password space have
cardinality at least 10^13.  Does any reader of this list know the
source of this requirement?
Sarbanes-Oxley (chapter and verse)?  Other (specify)?

While searching for this (unsuccessfully), I stumbled over several
documents containing a fallacious rationale for frequent password
changes:  If a password-cracking program can discover a password in N
days, one should change one's password no less often than once every N-1
days to be safe.
The inventors of such rules don't understand that N is an upper bound,
and that by happenstance a password might be discovered in seconds; in
other cases it might take up to almost the N-day limit; and that the
likelihood of a success on any single try is not affected by the age of
the password, except insofar as the remaining password space is reduced
by the number of unsuccessful probes.  No matter how often you change
your password, you at best double the average effort for an intruder to
discover it.

-- gil
--
StorageTek
INFORMATION made POWERFUL
====================
This email/fax message is for the sole use of the intended
recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution of this
email/fax is prohibited. If you are not the intended recipient, please
destroy all paper and electronic copies of the original message.
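
Both of Gil's numbers can be checked with a short computation: the 10^13
cardinality figure, and the claim that changing the password at best doubles
the average effort of an exhaustive search. The Python below is an added
example, not part of the thread. The 39-symbol (A-Z, 0-9, @ # $) and
65-symbol (a-z added) alphabets are my assumption about an 8-character
password syntax, not something either message states, and the attacker
model (one shuffled pass over the whole space, with the victim switching to a
fresh uniformly random password after every R failed guesses) is mine as
well.

```python
"""Checking two claims from the thread: the 10^13 password-space figure and
"rotation at best doubles the attacker's average effort"."""
import random

# ---- 1. Cardinality of the password space --------------------------------
# ASSUMPTION (illustration only, not taken from the thread or from IBM docs):
# 8-character passwords over A-Z, 0-9 and the national characters @ # $
# (39 symbols), versus the same alphabet with a-z added (65 symbols).
UPPER_ONLY = 26 + 10 + 3
MIXED_CASE = UPPER_ONLY + 26
PASSWORD_LENGTH = 8
REQUIRED_CARDINALITY = 10**13   # the figure quoted in the message


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def meets_requirement(alphabet_size: int, length: int = PASSWORD_LENGTH,
                      floor: int = REQUIRED_CARDINALITY) -> bool:
    return password_space(alphabet_size, length) >= floor


# ---- 2. Effect of rotation on an exhaustive search -----------------------
# Model: the attacker tries every candidate once, in random order, and only
# starts a second pass if the first one is exhausted.  The victim picks a
# uniformly random password and, if rotate_every > 0, replaces it with a
# fresh uniform one after every rotate_every failed guesses.

def simulate_attack(space: int, rotate_every: int, rng: random.Random) -> int:
    """Return the number of guesses until the attacker hits the current password."""
    secret = rng.randrange(space)
    guesses = 0
    while True:                      # one pass over the whole space per loop
        order = list(range(space))
        rng.shuffle(order)
        for guess in order:
            guesses += 1
            if guess == secret:
                return guesses
            if rotate_every and guesses % rotate_every == 0:
                # victim rotates; the attacker's earlier misses are now
                # worthless because the new secret may be among them
                secret = rng.randrange(space)


def mean_guesses(space: int, rotate_every: int, trials: int = 1000,
                 seed: int = 2006) -> float:
    """Monte Carlo estimate of the attacker's mean effort."""
    rng = random.Random(seed)
    return sum(simulate_attack(space, rotate_every, rng)
               for _ in range(trials)) / trials


def expected_guesses(space: int, rotate_every: int) -> float:
    """Closed form for the model above when rotate_every divides space.

    Each block of R distinct guesses hits a fixed secret with probability R/S,
    so the number of blocks is geometric with mean S/R and the hit lands at a
    uniform position inside its block:
        E = (S/R - 1) * R + (R + 1) / 2 = S - (R - 1) / 2
    R = S (or 0, meaning never rotate) gives (S + 1) / 2; R = 1 gives S.
    """
    r = rotate_every or space
    if space % r:
        raise ValueError("closed form assumes rotate_every divides space")
    return space - (r - 1) / 2


def rotation_penalty(space: int, rotate_every: int) -> float:
    """Attacker's mean effort with rotation relative to never rotating."""
    return expected_guesses(space, rotate_every) / expected_guesses(space, 0)


if __name__ == "__main__":
    for n in (UPPER_ONLY, MIXED_CASE):
        print(f"{n} symbols ^ {PASSWORD_LENGTH}: "
              f"{password_space(n, PASSWORD_LENGTH):.3e}",
              "meets 1e13" if meets_requirement(n) else "below 1e13")
    S = 1000
    for r in (0, 100, 1):
        print(f"rotate every {r or 'never'}: simulated {mean_guesses(S, r):7.1f}"
              f"  expected {expected_guesses(S, r):7.1f}"
              f"  penalty x{rotation_penalty(S, r):.3f}")
```

Under these assumptions 39^8 is about 5.4e12, short of 10^13, while 65^8 is
about 3.2e14. For the rotation question the closed form moves the mean effort
from (S+1)/2 with a fixed password to S when the password changes on every
guess; the ratio 2S/(S+1) never reaches 2, which is Gil's bound. It also shows
how little the interval matters in this model: rotating every 10% of the space
already costs the attacker roughly 950 of a possible 1000 guesses on average,
because every change throws away the "remaining space" advantage the attacker
had built up.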

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html