Re: Password History Policy Question
>I realize that these sorts of password rules are often externally dictated,
>but it's not clear to me (or many others) that they actually have a positive
>effect on security.
Geez John, do you want the terrorists to WIN?!?!? :-)
While I agree with you, it's a tough sell. I personally think password
changes are a good idea, but the interval should be much longer than is
typically done (1 year is my preference). The problem is that while this
is my "gut" feeling, I have no hard data to back it up ... there is a lack
of hard data in general on both sides of the argument. I hear plenty of
anecdotal evidence, but nothing convincing.
The thinking I've seen runs like this:
1) We want better computer security
2) Changing your password regularly is good for security.
3) If you want more security, change your password more frequently.
I suspect these people would have us change our password daily if they thought
they could get away with it.
>Fact is, no matter what your passwords rules are,
>half the people or more will choose the weakest
Perhaps ... but I've noticed with the use of Cracklib that the seriously
egregious ones (like your "aaaaa" example) are rejected. Nothing is going
to be perfect, though.
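As an added illustration of the two mechanisms this thread touches on (rejecting egregious passwords the way Cracklib does, and a password-history check for a change policy), here is example code that is not from the thread or from Cracklib itself; the weak-password tests only mimic the spirit of Cracklib's simplistic checks, and the word list is a constructed stand-in for a real dictionary.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for a dictionary; a real check uses cracklib's word list.
WEAK_WORDS = {"password", "welcome", "letmein", "qwerty"}


def is_egregious(candidate: str) -> Optional[str]:
    """Return a rejection reason for trivially weak passwords, else None.
    Hypothetical checks in the spirit of cracklib, not its actual code."""
    if len(candidate) < 8:
        return "too short"
    if len(set(candidate)) <= 2:        # catches "aaaaaaaaaa"-style entries
        return "too few distinct characters"
    lowered = candidate.lower()
    if lowered in WEAK_WORDS or lowered[::-1] in WEAK_WORDS:
        return "dictionary word"
    if candidate.isdigit():
        return "all digits"
    return None


class PasswordHistory:
    """Keeps salted PBKDF2 hashes of the last `depth` passwords so a change
    cannot reuse any of them; plaintexts are never stored."""

    def __init__(self, depth: int = 5):
        self.depth = depth
        self._entries: List[Tuple[bytes, bytes]] = []  # (salt, digest), newest last

    def _digest(self, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def was_used(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(salt, d_old), d_old) if False else
                   hmac.compare_digest(self._digest(salt, password), d_old)
                   for salt, d_old in self._entries)

    def change(self, new_password: str) -> Optional[str]:
        """Apply the policy; return a rejection reason or None on success."""
        reason = is_egregious(new_password)
        if reason:
            return reason
        if self.was_used(new_password):
            return "matches one of the last %d passwords" % self.depth
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(salt, new_password)))
        del self._entries[:-self.depth]   # age out anything beyond the window
        return None
```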