> >
> > I realize that these sorts of password rules are often externally dictated,
> > but it's not clear to me (or many others) that they actually have a positive
> > effect on security.
> >


>
> Let me know when you convince non-technical security auditors.
>


Well, so far, we don't have any password lifetime or history policy.
One of the things I did was modify our KDC to collect statistics
on what kind of passwords people choose.

When it was 5 chars they mostly looked like: aaaaa
When it was 5 chars/2 classes they were: aaaaa# or aaaa#
Now that it is 8/2 mostly they are: aaaaaaa#

Fact is, no matter what your passwords rules are,
half the people or more will choose the weakest
password allowed. If we added lifetime I'm sure
we'd just see 50% of our users change and change
back. If we added history, 50% or more would just
do aaaaaaa1 aaaaaaa2 aaaaaaa3 ...
I strongly suspect that the more onerous the rules,
the higher the percentage doing stuff like this.
And then we get into sticky notes...

John
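The kind of statistics John describes, as an added example that is not code from the thread or from any KDC: it assumes the plaintext is available at password-set time (as it is inside a KDC change-password handler), bins each password by the shape notation used above (a = lowercase, A = uppercase, 1 = digit, # = other), reports what share of users sit exactly at the policy floor, and flags the "aaaaaaa1 -> aaaaaaa2" rotation that defeats a naive history rule. The `SAMPLE` list is constructed.

```python
import string
from collections import Counter


def shape(password: str) -> str:
    """Map each character to its class: 'a' lower, 'A' upper, '1' digit, '#' other."""
    out = []
    for ch in password:
        if ch in string.ascii_lowercase:
            out.append("a")
        elif ch in string.ascii_uppercase:
            out.append("A")
        elif ch in string.digits:
            out.append("1")
        else:
            out.append("#")
    return "".join(out)


def class_count(password: str) -> int:
    """Number of distinct character classes present."""
    return len(set(shape(password)))


def policy_floor_stats(passwords, min_len: int, min_classes: int):
    """Fraction of passwords sitting exactly at the policy minimum
    (length == min_len and classes == min_classes), plus a Counter of
    the shapes those floor passwords take."""
    at_floor = [p for p in passwords
                if len(p) == min_len and class_count(p) == min_classes]
    shapes = Counter(shape(p) for p in at_floor)
    fraction = len(at_floor) / len(passwords) if passwords else 0.0
    return fraction, shapes


def trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with a single character
    swapped (e.g. a bumped trailing digit), the pattern that a history rule
    on its own does not stop."""
    if len(old) != len(new):
        return False
    return sum(1 for a, b in zip(old, new) if a != b) == 1


# Constructed sample, not real user data.
SAMPLE = ["aaaaaaa#", "qwertyu1", "Passw0rd",
          "correct horse battery", "bbbbbbb!", "Zebra-Cactus-42"]

if __name__ == "__main__":
    frac, shapes = policy_floor_stats(SAMPLE, min_len=8, min_classes=2)
    print(f"{frac:.0%} at the 8/2 floor; shapes: {dict(shapes)}")
    print("rotation:", trivial_rotation("aaaaaaa1", "aaaaaaa2"))
```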