 |
 |
On Wed, May 17, 2006 at 11:01:04AM -0400, Chris Wolf wrote: I agree with all of this, and would add one more supporting comment, below. > The only scenario I can think of that expiring passwords > would likely help prevent is someone within your organization > using another individuals account to do naughtiness, say a > student employee using a faculty's account to change grades > for example. In many cases, password expiration won't even help prevent extended use of a stolen account as its advocates claim. Why? Because many users who are forced into frequent password changes develop very simple, obvious patterns for cycling through passwords. If I've been using a stolen account whose password is Spartans6 and at my next surreptitious logon it tells me the password is invalid, what would be the logical password for me to try? How much will you bet me that that obvious guess is going to work? The next password used ought to be aFh%uD)S or something secure enough to meet stringent required complexity requirements, right? :) A user can't really be blamed for choosing a weak password if the system allows them to do so.