On Jan 18, 2008, at 9:17 AM, John Hascall wrote:

> Well, so far, we don't have any password lifetime or history policy.
> One of the things I did was modify our KDC to collect statistics
> on what kind of passwords that people choose.
> When it was 5 chars they mostly looked like: aaaaa
> When it was 5 chars/2 classes they were: aaaaa# or aaaa#
> Now that it is 8/2 mostly they are: aaaaaaa#
> Fact is, no matter what your passwords rules are,
> half the people or more will choose the weakest
> password allowed. If we added lifetime I'm sure
> we'd just see 50% of our users change and change
> back. If we added history, 50% or more would just
> do aaaaaaa1 aaaaaaa2 aaaaaaa3 ...
> I strongly suspect that the more onerous the rules,
> the higher the percentage doing stuff like this.
> And then we get into sticky notes...
> John

That is the dilemma with security and it is difficult to make some
auditors understand the paradox. The more punitive one makes security
rules the more likely users will start doing things to defeat them.
The most common is the one you mentioned. If you make password rules
too severe people will start writing them down and putting them under
keyboards, phones, blotters, etc. The result is a higher security
risk than if things were just left alone. However, I don't think
requiring a maximum life, minimum length, requiring alphanumeric and
preventing reuse of a certain number of passwords fits the definition
of overly punitive. Although some users may think it comes close. :-)
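The password-shape statistics John describes, and the aaaaaaa1 / aaaaaaa2 history-evasion pattern both posts worry about, can be checked mechanically. The following is an added example and is not code from either poster or from any KDC; the function names, the 8-character / 2-class rule and the sample password list are assumptions chosen for illustration:

```python
# Added example, not from the thread or from any KDC: password "shape"
# statistics plus policy and history-evasion checks. Function names, the
# 8/2 rule and the sample list are assumptions for illustration only.
import re
from collections import Counter
from typing import Iterable


def shape(pw: str) -> str:
    """Map each character to a class: a=lower, A=upper, 1=digit, #=other."""
    return "".join(
        "a" if c.islower() else "A" if c.isupper() else "1" if c.isdigit() else "#"
        for c in pw
    )


def classes(pw: str) -> int:
    """Number of distinct character classes used."""
    return len(set(shape(pw)))


def meets_policy(pw: str, min_len: int = 8, min_classes: int = 2) -> bool:
    """The '8 chars / 2 classes' style rule from the thread (values assumed)."""
    return len(pw) >= min_len and classes(pw) >= min_classes


def is_minimal(pw: str, min_len: int = 8, min_classes: int = 2) -> bool:
    """True for a password that only just satisfies the rule: exactly min_len
    characters, exactly min_classes classes, and every class but one present
    as a single character (the 'aaaaaaa#' pattern)."""
    if len(pw) != min_len or classes(pw) != min_classes:
        return False
    dominant = Counter(shape(pw)).most_common(1)[0][1]
    return dominant == min_len - (min_classes - 1)


def shape_histogram(passwords: Iterable[str]) -> Counter:
    """What a KDC could log instead of the passwords themselves."""
    return Counter(shape(p) for p in passwords)


def minimal_fraction(passwords: Iterable[str]) -> float:
    """Share of passwords that are minimal-compliance shapes."""
    pws = list(passwords)
    return sum(is_minimal(p) for p in pws) / len(pws) if pws else 0.0


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def trivial_variant(new: str, old: str) -> bool:
    """History-evasion check: same password once a trailing counter is dropped
    (aaaaaaa1 -> aaaaaaa2), or within one edit of the old one, case-folded."""
    n, o = new.casefold(), old.casefold()
    stem_n, stem_o = re.sub(r"\d+$", "", n), re.sub(r"\d+$", "", o)
    if stem_n and stem_n == stem_o:
        return True
    return _levenshtein(n, o) <= 1


def check_change(new: str, history: Iterable[str]) -> str:
    """Verdict for a proposed new password against the recent-history list."""
    if not meets_policy(new):
        return "rejected: does not meet length/class policy"
    if any(trivial_variant(new, h) for h in history):
        return "rejected: trivial variant of a recent password"
    return "accepted"


# Constructed sample, not real data: half of it is minimal-compliance shapes.
SAMPLE = ["aaaaaaa#", "bbbbbbb1", "ccccccc9", "dddddd#d",
          "hello123", "Tr0ub4dor&3", "summer2008", "qwerty!!"]

if __name__ == "__main__":
    for s, n in shape_histogram(SAMPLE).most_common():
        print(f"{s:12} {n}")
    print(f"minimal-compliance fraction: {minimal_fraction(SAMPLE):.0%}")
    print(check_change("aaaaaaa2", ["aaaaaaa1"]))
```

Logging only the shape (never the password) is what makes the statistics safe to keep; the histogram shows directly whether a rule change moved users to better passwords or just to a new minimal shape, and the trivial-variant check is the piece a history policy needs if it is to do more than force aaaaaaa1 into aaaaaaa2.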