[geeks] Mandatory password changes
Sridhar Ayengar
ploopster at gmail.com
Mon Dec 11 01:24:01 CST 2006
Phil Stracchino wrote:
> Charles Shannon Hendrix wrote:
>> Sun, 10 Dec 2006 @ 09:11 -0500, John Francini said:
>>
>>> In a corporate setting, I can see requiring frequent password
>>> changes, because nearly everything an employee can access with a
>>> password is information that belongs to the company, and corporate IT
>>> needs to be able to protect it as they see fit.
>> Unfortunately, frequent password changes *ABSOLUTELY DO NOT* help
>> security. In fact, it usually reduces it.
>>
>> The more frequently the employee has to change passwords, the weaker
>> they will be, and/or the more other security problems will occur.
>
> I entirely agree. Require every employee in the company to change their
> password every 30 days, and one or more of three things will happen
> depending on which of the first two you prevent:
>
> 1. 90% of the passwords in the system will be "cat", "dog", or the
> ever-popular "GOD".
>
> 2. 90% of your employees will switch back and forth between the same
> two passwords at 30-day intervals.
>
> 3. 90% of your employees will have their current password written on a
> Post-It note on their monitor or, at best, in their desk drawer.
4. Employees will cycle through a set of random passwords and use the
same password over and over again to get around restrictions on repeated
passwords.
Peace... Sridhar