On Thursday 30 July 2009 16:16:14 Charlot, Firmin wrote:
> Hello all,
>
> We are re-evaluating our password requirements and wondered what others
> are using on their network.
>
> For example:
>
> What is the required password length?
>
> Is complexity turned on?
>
> How often do people have to change their passwords?
>
> Can old passwords be recycled? If so, how old must they be?
>
> Any other requirements that you are using that are not mentioned above
> would be helpful as well.
>
> Thanks.
>
> Firm.

I tell users to make long, complex passwords of 16 characters, so as to make it harder for Windows pw crackers to work.

I DO NOT require any systems that I run to expire passwords. It is folly to do this: make people create new passwords when they don't want to and they lose them, and far worse, post them on their monitors so they remember them. I've been to too many places when I did a lot of consulting where I saw this, and it was really scary, given some of the accounts/systems that this happened on.

Instead I try to get people to focus on passwords that are weird and specific to them, and won't be easily guessed. So for example the pw nittfagmtcttaitc is from the phrase "now is the time for all good men to come to the aid of their country". I ask folks to think of a stanza from a poem or a song and use some character of each word of it for some great weird-looking passwords.

I've always avoided using any system horrid enough to remember old passwords; it's a wretched security risk. That cache has the passwords to other accounts that people use, in all likelihood, and if stolen represents a great security problem in and of itself.

I also try to explain how dangerous "public" systems are, and how easily passwords can be sniffed, either by software or by hardware keyloggers. To help get around that problem I recommend that people bring up an editor or notepad or anything that can take text, and type one character in at the password prompt, then one or more in the editor, then the next char in the password prompt and so on, so the keylogger sees a lot of stuff where the actual pw is intermingled with other stuff.

I'm sure I have more but I'm frazzled right now.

--STeve Andre'
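The "one character from each word of a phrase" technique from the reply above, worked through as an added example (this is not code from the original post or from its author). The function names, the word-position option and the policy thresholds are assumptions chosen for illustration; the 16-character length comes from the post. Note that applying the first-letter rule mechanically to the quoted phrase gives "nittfagmtcttaotc", which differs from the string in the post by the one character taken from "of".

```python
import string

# Constructed sample input: the phrase quoted in the post.
SAMPLE_PHRASE = "now is the time for all good men to come to the aid of their country"


def mnemonic_password(phrase, position=0):
    """Build a password by taking one character from each word of a phrase.

    position selects which character of each word to use (0 = first,
    -1 = last, 1 = second, ...). Words shorter than the requested position
    contribute their last character instead of being skipped, so the
    result always has one character per word. Surrounding punctuation is
    stripped so that "country." and "country" give the same character.
    Case is preserved, so capitalising words in the phrase yields mixed-case
    passwords. (Helper name and position option are illustrative assumptions.)
    """
    chars = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if not word:
            continue
        if position >= 0:
            idx = min(position, len(word) - 1)
        else:
            idx = max(position, -len(word))
        chars.append(word[idx])
    return "".join(chars)


def character_classes(password):
    """Count how many of the classes lower/upper/digit/other a password uses."""
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "other": any(not c.isalnum() for c in password),
    }
    return sum(classes.values())


def meets_policy(password, min_length=16, min_classes=1):
    """Check a password against a length and complexity threshold.

    The defaults model the post's advice (16 characters, no forced
    complexity); raising min_classes models a 'complexity turned on'
    policy like the one asked about in the quoted question. Thresholds
    are assumptions, not a quoted policy.
    """
    return len(password) >= min_length and character_classes(password) >= min_classes


if __name__ == "__main__":
    pw = mnemonic_password(SAMPLE_PHRASE)
    print(pw, len(pw), meets_policy(pw))
    # Same phrase, last letter of each word: a second, unrelated-looking password.
    print(mnemonic_password(SAMPLE_PHRASE, position=-1))
    print(mnemonic_password("Now Is The Time For All Good Men To Come To The Aid Of Their Country"))
```

Run as a script it prints the derived password, its length, and whether it clears the 16-character bar; the last two lines show how a different word position or capitalised phrase words give a different password from the same memorable sentence. A phrase-derived password is only as strong as the phrase is obscure to an attacker, which is why the post stresses picking something specific to the user.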