Cycling Passwords
Karl Pearson
karlp at ourldsfamily.com
Fri Aug 22 16:55:53 UTC 2008
I'm curious on your take on systems that require changing passwords on a
set schedule, whether it's 90 days or whatever.
When I've set up new systems, I instruct the users to select passwords that
are cryptic and follow guidelines that make them essentially impossible to
crack, such as: Ol10yzZx119xa
Once a good password is found, why change it? I know there are a lot of
consultants who say you must, but everywhere I've been that requires
people to change passwords, I see they have written them on sticky notes
and then put them on their monitor, or bookshelf or wherever. I also see
the frustration level rise every time they are trying to get into a system
with a customer on the phone, and they have to tell them to wait for their
session as they change their password...
Since roughly 90% of corporate break-ins are from the inside, having to
change the passwords, and then sticking the passwords up, defeats the
security purposes for changing passwords.
What do you think?
Okay, I do have a reason for asking this: 1. convince me I'm wrong, and 2.
I have a client that wants it to stop, and I need to know where in Fedora
Core 6 that is set up so that I can make the change for them.
Their FC6 system is set up so the accounts go to /sbin/nologin so they
don't have to change their password for email. But no one has shell
access, and a few need it, thus creating the need for passwords to change.
TIA
--
Karl L. Pearson
karlp at ourldsfamily.com
http://consulting.ourldsfamily.com
---
My Thoughts on Terrorism In America right after 9/11/2001:
http://www.ourldsfamily.com/wtc.shtml
---
The world is a dangerous place to live... not because of
the people who are evil, but because of the people who
don't do anything about it.
- Albert Einstein
---
"To mess up your Linux PC, you have to really work at it;
to mess up a microsoft PC you just have to work on it."
---
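As an added illustration (not from Karl's post) of where FC6 keeps the "change every N days" rule: the aging fields in /etc/shadow, which pam_unix and shadow-utils read at login and which useradd seeds from PASS_MAX_DAYS in /etc/login.defs. The shadow lines, the hashes and the function names below are constructed for the example.

```shell
#!/bin/sh
# Fields of one /etc/shadow line (days counted since 1970-01-01):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# An empty or 99999 "max" means the password never has to be rotated.

# Constructed sample lines standing in for /etc/shadow (fake hashes).
SAMPLE_SHADOW='root:$1$xxxx:14000:0:99999:7:::
alice:$1$xxxx:14000:0:90:7:::
bob:$1$xxxx:13800:0:90:7:::
carol:!!:14000::::::
'

# Print "never" or the maximum password age in days for one account.
max_age() {
    printf '%s' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '
        $1 == u { if ($5 == "" || $5 >= 99999) print "never"; else print $5 }'
}

# Given an account and today's day number, report what pam_unix would do
# at login: "ok", "expired" (change forced now) or "never" (no rotation).
# Roughly the pam_unix test: today - lastchg > max  =>  new password required.
aging_state() {
    printf '%s' "$SAMPLE_SHADOW" | awk -F: -v u="$1" -v today="$2" '
        $1 == u {
            if ($5 == "" || $5 >= 99999) { print "never"; exit }
            if (today > $3 + $5) print "expired"; else print "ok"
            exit
        }'
}

# Where to change the rule on the real system (as root):
#   chage -l alice                  # show one account's aging fields
#   chage -M 99999 alice            # this account: no maximum age
#   PASS_MAX_DAYS in /etc/login.defs  # default copied into new accounts
```

Running it against the real file instead of the sample only needs `cat /etc/shadow` in place of the printf, which requires root.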
More information about the Redhat-install-list mailing list