Yeabut requiring frequent changes makes it worse.
A reasonably complex password is required, but realistically it's probably necessary - in addition - to have an audit policy in place. Is there suspicious usage of accounts? Are accounts being used in new and unexplained ways?

I don't know how you'd do that in an automated fashion that would be smart enough to catch unusual usage. I expect that few companies would be willing to dedicate a person or more to watching account activity.

Maybe an additional statement like: "All activity on the corporate computers may be logged. You are responsible for the security of your account. Treat it like your Social Security number..." would help people to take passwords seriously.

IMO, having a reasonably complex password that people can remember is much more important than changing them every 30 days. If they're complex and frequently change, then people will make cheat sheets. If things are audited, then I think yearly password changes are more than sufficient (and/or requiring changes when people leave).

Cards or fingerprint readers are probably much more secure than complex, frequently changed passwords, given human nature.

My $0.02.

Cheers,
Scott.
As I said before
I would prefer complex passwords with a lengthy expiration. I am constrained by corporate policy in this matter and can only relay to my users the requirements.
-----------------------------------------
"In this world of sin and sorrow there is always something to be thankful for. As for me, I rejoice that I am not a Republican."
-- H. L. Mencken

Support our troops, Impeach Bush.
D. D. Richards
Understood. :-)
     Password policy letter - (Silverlock) - (29)
         Disagree about the expiration - (hnick) - (22)
             "feel free to adapt" - (Silverlock) - (21)
                 Re: "feel free to adapt" - (Yendor) - (19)
                     Are you sure about that? - (Silverlock) - (18)
                         Let's say I'm a bad guy - (Yendor) - (17)
                             On the other hand - (JayMehaffey)
                             Account locked after 5 bad passwords - (Silverlock)
                             You are an *incompetent* bad guy - (ben_tilly) - (3)
                                 Granted... - (Yendor) - (2)
                                     Disagree - (Silverlock)
                                     But not enough to be even remotely useful -NT - (ben_tilly)
                             Re: Let's say I'm a bad guy - (dws) - (10)
                                 BINGO! - (hnick)
                                 Yep, during security audit at gov agency I worked at - (tuberculosis)
                                 What's the alternative? - (Silverlock) - (6)
                                     Yeabut requiring frequent changes makes it worse. - (Another Scott) - (2)
                                         As I said before - (Silverlock) - (1)
                                             Understood. :-) -NT - (Another Scott)
                                     single signon with a 90 day passwd expiration - (boxley) - (2)
                                         Single signon is a happy dream - (Silverlock) - (1)
                                             Problem with SSO - (jbrabeck)
                                 Pretty much everyone will write it down anyways - (admin)
                 Make the expiration longer than that. - (ben_tilly)
         I, like it! Me being the password Nazi at work - (folkert)
         And here - (jbrabeck)
         Make 'em use Unicode. - (Another Scott) - (1)
             We've been looking at several alternatives - (Silverlock)
         Apart from the fact that passwords suck - (pwhysall)
         Bit of a late reply... - (static)