Home page logo
/

basics logo Security Basics mailing list archives

RE: passwords
From: Jeff Harris <jharris () tahongawaka nu>
Date: Wed, 19 Feb 2003 10:00:05 -0800 (PST)

If you want to be really secure, you would make the user change the
password after every use. However, that is unrealistic. You're dealing
with users, who probably aren't as aware as we are of security. Users
don't want to change their passwords often, because it breaks their
habits, so I think 90 days, from the user's point, is acceptable.

That being said, you should ensure that the new password isn't the same as
the old password, and the new password isn't the same as the old password,
except for a number at the end (password1 changes to password2, etc.). If
the passwords are strong enough, you should be OK, imho.

On Tue, 18 Feb 2003, Robert Sieber wrote:

It doesn't make sense because 90 days is too long. A password should be
changed
at least after 30 days - if they are strong enough. A cracker has 90 days
to find out the correspondig password .....

Robert

-----Original Message-----
From: ullmic6 () web de [mailto:ullmic6 () web de]
Sent: Monday, February 17, 2003 8:02 PM

Hello all,

one of the favorite subjects in my company seems to be the strength of
passwords. We force our users to change their mail password every 90 days.
Does this make sense? Why?

--
ullmic

-- 
Registered Linux user #304026.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault