However, I would still like to make admin-reset passwords valid only for 1 day. If you have no password expiration, once they change it, it will not expire. But the actual reset is a problem.
BTW, most current thinking I have seen on this issue suggests that there is a tradeoff. I personally favor expiring passwords by default after 90 days. Unlike your PIN on your credit card, you need the rest of the info on the magstripe to make an attack. The options for attack on a web application are higher. Obviously, passwords expiring every week would be silly and, absent very specific facts, would probably be horribly insecure. And obviously, in some cases, an attack is not a concern. However, especially if the application is accessible from the internet, having expiration of passwords makes a lot of sense. I think we should recommend that passwords expire periodically if the system is potentially subject to attack from a moderate-sized business network or the internet.

Also, we currently log auth failures, so brute-force attacks will generally be obvious from the logs.

Best Wishes,
Chris Travers

_______________________________________________
Ledger-smb-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ledger-smb-users
