Michael O'Keefe wrote:

> I'm not paid to [follow BugTraq et al], you are.
> Don't pass the buck onto me by forcing me to change my passwd every 2
> weeks, and not reuse any of the last 26!

I would not implement that draconian a policy. If it were mine, it would probably be on the order of three months to a year, and not repeat the past three or four passwords.

I do understand what you are saying. You are passing off to me the requirement that the system must be secure (which I accept) but at the same time it must not impinge on your work in any way. That is where I draw the line. There is a tradeoff between security and usability. To use the car analogy, you want to drive your car down the road, the sidewalk, through the parks and at any speed you want. No. There are laws. I would, given my own druthers, try to reach a consensus as to where the security/usability line is drawn.

> Are you saying that a cracker is sitting out there with my userid/passwd
> waiting for a new vulnerability so they can get into my system, because
> all their other attempts have been foiled?

I'm saying that I don't know, I cannot control it, so I must guard against it. One of my tools is password expiration. I will use that tool, along with others, as appropriate.

-john
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
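The policy John sketches (a maximum password age of roughly three months, the last few passwords not reusable) is what shadow(5) and PAM express on a Linux box. The script below is an added example, not code from the thread or from anyone on it: it audits constructed /etc/shadow-style records (invented accounts, not real ones) against a 90-day maximum, and prints the login.defs, chage and pam_pwhistory settings that would enforce it. The "today" value is passed in as a day count so the result is reproducible; the pam_pwhistory line assumes that module is installed, which is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-style records against a password-expiration
# policy. Field layout per shadow(5):
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# lastchange = days since 1970-01-01, max = maximum password age in days.

# Constructed sample records (invented accounts, not real data).
SAMPLE_SHADOW='alice:$6$abc:19700:0:90:7:::
bob:$6$def:19500:0:99999:7:::
carol:$6$ghi:19600:0:90:7:::
dave:!:19000:0:90:7:::
eve:$6$jkl:19600:0:365:7:::'

# audit_shadow MAX_DAYS TODAY_DAYS < shadow-records
# Prints one "<user> <finding>" line per finding:
#   no-expiry          max field empty or 99999 (the traditional "never")
#   max-age-too-long   the account's max exceeds the policy maximum
#   expired            today - lastchange exceeds the account's own max
audit_shadow() {
    max_policy=$1
    today=$2
    awk -F: -v maxp="$max_policy" -v today="$today" '
    NF < 5 { next }                   # skip malformed lines
    $2 ~ /^[!*]/ { next }             # locked or no-password accounts are out of scope
    {
        user = $1; last = $3; max = $5
        if (max == "" || max >= 99999) { print user " no-expiry"; next }
        if (max + 0 > maxp + 0) print user " max-age-too-long"
        if (last != "" && (today - last) > max + 0) print user " expired"
    }'
}

# count_findings MAX_DAYS TODAY_DAYS < shadow-records : number of findings
count_findings() {
    audit_shadow "$1" "$2" | wc -l | tr -d ' '
}

# policy_lines MAX_DAYS REMEMBER : the settings that enforce the policy.
# Assumption: pam_pwhistory.so is available on the target system.
policy_lines() {
    printf 'PASS_MAX_DAYS %s   # /etc/login.defs, applies to newly created accounts\n' "$1"
    printf 'chage -M %s <user>   # apply to existing accounts\n' "$1"
    printf 'password required pam_pwhistory.so remember=%s   # /etc/pam.d/common-password\n' "$2"
}

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 90 19720
policy_lines 90 4
```

Run it as is to see the findings for the constructed records; to audit a real system, replace the sample with `sudo cat /etc/shadow` piped into `audit_shadow 90 "$(( $(date +%s) / 86400 ))"`.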
