I agree with all of this, and would add one more supporting comment, below.
> The only scenario I can think of that expiring passwords
> would likely help prevent is someone within your organization
> using another individual's account to do naughtiness, say a
> student employee using a faculty's account to change grades
> for example.
In many cases, password expiration won't even help prevent extended use of a
stolen account as its advocates claim. Why? Because many users who are
forced into frequent password changes develop very simple, obvious patterns
for cycling through passwords. If I've been using a stolen account whose
password is Spartans6 and at my next surreptitious logon it tells me the
password is invalid, what would be the logical password for me to try? How
much will you bet me that that obvious guess is going to work?
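The point above, that forced rotation tends to produce a guessable sequence (Spartans6, then the obvious next one), is something a password-change policy can check for on the defender's side. The following is an added example, not code from the original message or any product it discusses: it compares a proposed new password against the previous one and rejects changes that only bump a trailing number, swap a suffix or prefix, or otherwise leave most of the old password intact. The function names, the similarity threshold and all sample passwords other than Spartans6 are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Strip leading/trailing digits and punctuation and fold case, so that
# "Spartans6", "Spartans7!" and "7spartans" all reduce to the same stem.
_EDGE_NOISE = re.compile(r'^[\d\W_]+|[\d\W_]+$')

def stem(password: str) -> str:
    """Return the alphabetic core of a password, lower-cased."""
    return _EDGE_NOISE.sub('', password.lower())

def trailing_number(password: str):
    """Return the trailing integer of a password, or None if there is none."""
    m = re.search(r'(\d+)$', password)
    return int(m.group(1)) if m else None

def is_predictable_rotation(old: str, new: str, ratio: float = 0.8) -> bool:
    """True when `new` is a trivial variation of `old`.

    Checks, in order:
      1. identical password;
      2. same stem once leading/trailing digits and punctuation are removed
         (covers Spartans6 -> Spartans7, Spartans6 -> Spartans6!, case flips);
      3. trailing number incremented or decremented by one;
      4. overall string similarity above `ratio` (assumed threshold 0.8),
         which catches single-character edits that the stem rule misses.
    """
    if old == new:
        return True
    if stem(old) and stem(old) == stem(new):
        return True
    n_old, n_new = trailing_number(old), trailing_number(new)
    if n_old is not None and n_new is not None and abs(n_old - n_new) == 1 \
            and old[:-len(str(n_old))].lower() == new[:-len(str(n_new))].lower():
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= ratio

def evaluate_change(old: str, new: str) -> dict:
    """Policy decision for a password change request, suitable for logging."""
    predictable = is_predictable_rotation(old, new)
    return {
        "accepted": not predictable,
        "reason": "new password is a trivial rotation of the previous one"
                  if predictable else "ok",
    }

if __name__ == "__main__":
    # Constructed change requests; only "Spartans6" comes from the discussion.
    for old, new in [("Spartans6", "Spartans7"),
                     ("Spartans6", "Spartans6!"),
                     ("Spartans6", "7Spartans"),
                     ("Spartans6", "correct horse battery")]:
        print(old, "->", new, evaluate_change(old, new))
```

A check like this is only a partial answer: it sees the clear-text candidate at change time, so it belongs in the password-change path (a PAM module, an identity provider's password-policy hook) and should log the rejection reason without logging either password. It also says nothing about the underlying problem the message raises, namely that expiry does not address an attacker who already holds the account.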