Legatus wrote:
> Well, in the land of government computing, I don't have much choice. I have
> to abide by NIST, GAO, and other groups' writs.

Agreed.

> My only hope is to understand the rationale behind them.

Inertia. There was a time when changing a password would help because that was likely the only password the user had, there weren't that many users on the system and the system was a high value target.

> If you think your system can withstand someone
> with expert level knowledge having unlimited time on a system undetected,
> then don't have password rules.

Uh, no. If the system is that valuable, a *password* is woefully insufficient. Changing a password does not magically make it more secure.

> A password that never changes means that
> once a user has been compromised, the person or persons that now have
> access to the system will never have to worry about detection, unless there
> is only one IP users should be coming from.

Changing a password doesn't fix this. Once a password is compromised, a keylogger is likely to be installed, and so *now* you automatically pick up every new password you force the user to change to.

Oops.

> If they have to write down passwords in obvious places, then they
> need to be fired, which of course is also dictated by the above
> organizations.

BWHAHAHAHAHAHA!  Oh, you kill me.

The moment you make me change my password you move into "write it down" territory. It is simply *unavoidable*. I'm not a computer; my memory isn't that good.

Look, if a single decent password isn't good enough, then it's time for keyfobs.

-a


--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list