Cycling Passwords

Karl Pearson karlp at ourldsfamily.com
Fri Aug 22 16:55:53 UTC 2008


I'm curious about your take on systems that require changing passwords on a
set schedule, whether it's 90 days or whatever.

When I've set up new systems, I instruct the users to select passwords that
are cryptic and follow guidelines that make them essentially impossible to 
crack, such as: Ol10yzZx119xa

Once a good password is found, why change it? I know there are a lot of 
consultants who say you must, but everywhere I've been that requires 
people to change passwords, I see they have written them on sticky notes 
and then put them on their monitor, or bookshelf or wherever. I also see
the frustration level rise every time they are trying to get into a system
with a customer on the phone, and they have to tell them to wait for their 
session as they change their password...

Since roughly 90% of corporate break-ins are from the inside, having to 
change the passwords, and then sticking the passwords up, defeats the 
security purposes for changing passwords.

What do you think?

Okay, I do have a reason for asking this: 1. convince me I'm wrong, and 2. 
I have a client that wants it to stop, and I need to know where in Fedora
Core 6 that is set up so I can make the change for them.

Their FC6 system is set up so the accounts go to /sbin/nologin so they
don't have to change their password for email. But no one has shell 
access, and a few need it, thus creating the need for passwords to change.

TIA

--
Karl L. Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
---
  My Thoughts on Terrorism In America right after 9/11/2001:
  http://www.ourldsfamily.com/wtc.shtml
---
  The world is a dangerous place to live... not because of
  the people who are evil, but because of the people who
  don't do anything about it.
  - Albert Einstein
---
"To mess up your Linux PC, you have to really work at it;
  to mess up a microsoft PC you just have to work on it."
---




More information about the Redhat-install-list mailing list