I want to make a little survey to see how many people use password aging and, if so, for how long? Why? (Of course, depending on the sensitivity of your box.)
A few +/-:

(+)
* "As passwords age, the probability that they are compromised grows." => but how much age? 1 month? 1 year?
* if compromised, limit usefulness => when you have a pass, you use it now, not next year ... and install a backdoor so you use it only once.
* limit password sharing => not really, better to explain to users to avoid sharing

(-)
* can put a lot of strain on the helpdesk depending on the computer level of your users (forgotten passwords, locked accounts, don't understand, ...)
* if too short, only minor changes are made to the password, e.g. xxxxxx1, xxxxxx2, xxxxxx3, ... (number, date, ...)
* alone, does not enforce a good passphrase => does not replace a good policy and user explanation
* if there are too many restrictions on the passphrase, they will go on a post-it, PDA or something else, which are, in general, less secure.
* doesn't help the common user to get and keep a strong passphrase
* doesn't replace good account management (when someone quits, disable the account, and so on)

A few policies on the net:

http://www.uncfsu.edu/itts/networking/passwords.htm 180d
http://west.wwu.edu/atus/web/pwordaging.shtml regularly
http://www.pasteur.fr/infosci/utilinfo/HOWTO/passwd.html 1y
http://www.columbia.edu/acis/sy/unixdev/policy/password-aging.html
http://security.georgetown.edu/passwords.html no aging rule
http://www.int-evry.fr/s2ia/unix/mode-d-emploi/change-passwd.htm 6m

Thanks,
Regards