The rationale for changing passwords is not that doing so makes brute-force attempts to determine their values more difficult.
It is that these password values may come to be known in one way or another and that changing them periodically eliminates the usefulness of these known passwords. There are war stories, anecdotal evidence, that this is sometimes the case; but I know of no systematic study of the effectiveness of periodic-password-change rules. Much of the rationale for them is of a different kind: their enforcement demonstrates that the group responsible for security is 'pro-active', doing something. John Gilmore, Ashland, MA 01721 - USA ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
