If all environments were equally secure, had the same level of IT controls, and I could ensure that my users don't recycle passwords from one environment to the next, then yes, I'm all for this. But I can't control users or other environments, and the only tools I have (imperfect though they may be) are password complexity and password age. Password complexity is a necessity everywhere; whether a user chooses to use it or not in environments which don't require it, so be it, but in our environment I can ensure that. I can't control the recycling, so the only tool I have against that is the password age, which has another set of problems...
-Jonathan

On Mon, Nov 2, 2009 at 2:10 PM, Ben Scott <[email protected]> wrote:
> On Mon, Nov 2, 2009 at 9:38 AM, David Lum <[email protected]> wrote:
> > Thoughts, comments? Oh and do read the comments.
>
> I've sometimes wondered if we wouldn't be better off enforcing (1) a
> very long minimum password length and (2) complexity checking that
> only filters stupid sequences. Thus, encouraging users to use
> non-trivial passphrases rather than passwords.
>
> Shook and Caesare sitting in a tree
>
> is going to be both hard to guess and easy to remember, while
>
> S5p$3xQ!
>
> is only hard to guess, and thus much more likely to be on a Post-It note.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
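The policy Ben sketches above (a long minimum length plus a filter that only rejects obviously weak sequences), as an added example that is not part of the thread and not code from any of the posters. The minimum length of 20, the US QWERTY rows used for the keyboard-walk check, and the 20,000-word dictionary size used in the guess-space estimate are assumptions chosen for illustration. The second function scores each candidate by the cheaper of two attacks, per-character brute force and per-word dictionary guessing, so a multi-word passphrase gets no credit for characters an attacker can skip by guessing whole words.

```python
import math
import re
import string
from typing import List

# "Stupid sequences" an attacker tries first: US QWERTY rows, digit runs and
# the alphabet. The keyboard layout is an assumption for this example.
_SEQUENCES = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1234567890",
    string.ascii_lowercase,
]


def _contains_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains any window of `run` characters taken from a known
    sequence, read forwards or backwards (e.g. 'qwer', 'dcba', '4321')."""
    lowered = pw.lower()
    for seq in _SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in lowered:
                    return True
    return False


def _is_repeated_token(pw: str) -> bool:
    """True if pw is one short token repeated ('abcabcabc', 'xyxyxyxy')."""
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return True
    return False


def check_policy(pw: str, min_len: int = 20) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    Deliberately no per-class requirements: length does the work, and the
    filters only catch patterns that are cheap to enumerate."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("four or more identical characters in a row")
    if _contains_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    if _is_repeated_token(pw):
        problems.append("is one short token repeated")
    return problems


def guess_bits(pw: str, dictionary_words: int = 20000) -> float:
    """Lower-bound guess space in bits: the smaller of a per-character brute
    force over the character classes actually used and, for a multi-word
    passphrase, a per-word dictionary attack. dictionary_words is an assumed
    attacker wordlist size, not a measured figure."""
    if not pw:
        return 0.0
    classes = 0
    if any(c.islower() for c in pw):
        classes += 26
    if any(c.isupper() for c in pw):
        classes += 26
    if any(c.isdigit() for c in pw):
        classes += 10
    if any(c in string.punctuation or c == " " for c in pw):
        classes += len(string.punctuation) + 1  # 32 symbols plus space
    char_bits = len(pw) * math.log2(classes)
    words = [w for w in re.split(r"\s+", pw.strip()) if w]
    if len(words) > 1 and all(w.isalpha() for w in words):
        word_bits = len(words) * math.log2(dictionary_words)
        return min(char_bits, word_bits)
    return char_bits


if __name__ == "__main__":
    # The two candidates from the thread plus a constructed weak one.
    for candidate in ["Shook and Caesare sitting in a tree", "S5p$3xQ!", "qwerty1234"]:
        print(repr(candidate), check_policy(candidate), f"{guess_bits(candidate):.1f} bits")
```

Under these assumptions the passphrase passes the policy and still scores roughly 100 bits even when the attacker is credited with knowing it is made of dictionary words, while the eight-character password fails on length alone and tops out near 53 bits under full brute force.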
