On Wed, May 17, 2006 at 11:01:04AM -0400, Chris Wolf wrote:
I agree with all of this, and would add one more supporting comment, below.
> The only scenario I can think of that expiring passwords
> would likely help prevent is someone within your organization
> using another individual's account to do naughtiness, say a
> student employee using a faculty's account to change grades
> for example.
In many cases, password expiration won't even help prevent extended use of a
stolen account as its advocates claim. Why? Because many users who are
forced into frequent password changes develop very simple, obvious patterns
for cycling through passwords. If I've been using a stolen account whose
password is Spartans6 and at my next surreptitious logon it tells me the
password is invalid, what would be the logical password for me to try? How
much will you bet me that that obvious guess is going to work?
The next password used ought to be aFh%uD)S or something secure enough to meet
stringent required complexity requirements, right? :) A user can't really be
blamed for choosing a weak password if the system allows them to do so.
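One mitigation for the cycling pattern described above, as an added example that is not code from this thread or any particular product: a password-change check that rejects a candidate when it is a previous password with its suffix bumped, a case change, or only a few characters edited. The history list, the similarity threshold and the function names are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed history for a hypothetical account, oldest first.
# These values are made up for this example; they are not real credentials.
PREVIOUS_PASSWORDS = ["Spartans4", "Spartans5", "Spartans6"]

# Trailing digits and punctuation are the part users typically "bump".
_TRAILING = re.compile(r"[\d!@#$%^&*()_+=\-]+$")


def _stem(password: str) -> str:
    """Case-fold and strip the trailing digit/punctuation run."""
    return _TRAILING.sub("", password.lower())


def _similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two strings (case-folded)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def rejection_reason(candidate: str, history, max_similarity: float = 0.8):
    """Return None if the candidate is acceptable, else a short reason string.

    Three rules, checked in order, aimed at predictable rotation:
      1. exact reuse (ignoring case) of any password in the history,
      2. same stem as an old password with only the suffix changed,
      3. a small edit of an old password (similarity ratio >= threshold).
    """
    lowered = candidate.lower()
    if any(lowered == old.lower() for old in history):
        return "reuses a previous password"
    for old in history:
        stem = _stem(candidate)
        if stem and stem == _stem(old):
            return f"same stem as a previous password ({stem!r} plus a suffix)"
        if _similarity(candidate, old) >= max_similarity:
            return "too similar to a previous password"
    return None


if __name__ == "__main__":
    for cand in ["Spartans7", "spartans6", "Spartons6", "aFh%uD)S"]:
        print(f"{cand!r}: {rejection_reason(cand, PREVIOUS_PASSWORDS) or 'accepted'}")
```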