[geeks] Mandatory password changes

Phil Stracchino phil.stracchino at speakeasy.net
Sun Dec 10 12:30:13 CST 2006


Charles Shannon Hendrix wrote:
> Sun, 10 Dec 2006 @ 09:11 -0500, John Francini said:
> 
>> In a corporate setting, I can see requiring frequent password 
>> changes, because nearly everything an employee can access with a 
>> password is information that belongs to the company, and corporate IT 
>> needs to be able to protect it as they see fit.  
> 
> Unfortunately, frequent password changes *ABSOLUTELY DO NOT* help
> security. In fact, they usually reduce it.
> 
> The more frequently the employee has to change passwords, the weaker
> they will be, and/or the more other security problems will occur.

I entirely agree.  Require every employee in the company to change their
password every 30 days, and one or more of three things will happen
depending on which of the first two you prevent:

1.  90% of the passwords in the system will be "cat", "dog", or the
ever-popular "GOD".

2.  90% of your employees will switch back and forth between the same
two passwords at 30-day intervals.

3.  90% of your employees will have their current password written on a
Post-It note on their monitor or, at best, in their desk drawer.


-- 
 Same geek, same site, new location
 Phil Stracchino                     Landline: 603-429-0220
 phil.stracchino at speakeasy.net         Mobile: 603-216-7037
 Renaissance Man, Unix generalist, Perl hacker, Free Stater