I want to make a little survey to see how many people use password aging,
and if so, for how long? Why?
(of course, depending on the sensitivity of your box)
A few +/-:
(+)
* As passwords age, the probability that they are compromised grows.
= but how much age? 1 month? 1 year?
* if compromised, limits usefulness
= when you have a password, you use it now, not next year ... and
install a backdoor so you need it only once.
* limits password sharing
= not really; better to explain to users that they should avoid sharing
(-)
* can put a lot of strain on the helpdesk, depending on the computer
literacy of your users (forgotten passwords, locked accounts, not
understanding, ...)
* if too short, only minor changes are made to the password,
e.g. xx1, xx2, xx3, ... (number, date, ...)
* alone, does not enforce a good passphrase
= does not replace a good policy and explaining things to users
* if there are too many restrictions on the passphrase, it will end up on
a Post-it, a PDA or elsewhere, which are in general less secure
* doesn't help the average user get and keep a strong passphrase
* doesn't replace good account management (when someone quits, disable
the account, etc.)
A few policies on the net:
http://www.uncfsu.edu/itts/networking/passwords.htm                  180d
http://west.wwu.edu/atus/web/pwordaging.shtml                        regularly
http://www.pasteur.fr/infosci/utilinfo/HOWTO/passwd.html             1y
http://www.columbia.edu/acis/sy/unixdev/policy/password-aging.html   (no value given)
http://security.georgetown.edu/passwords.html                        no aging rule
http://www.int-evry.fr/s2ia/unix/mode-d-emploi/change-passwd.htm     6m
thanks
Regards