On Tue, 04 Jun 1996 10:12:13 BST, you said:

> Is this not desirable? The longer they keep that good password, the worse it
> gets. Make them choose another good password!

You know, this is taken as an article of faith, but some days I'm not so sure.

Yes, the longer you use a password, the higher the chance that it gets compromised - but notice that if you *change* the password, you have a chance of being compromised immediately. Most of the current attacks on passwords (sniffers, crack programs, et al.) are equally effective whether the password is 2 minutes old or 2 years old.

I'd have to chunk out the statistics to be sure, but I have a feeling that unless you set <max password lifetime> to be in the same range as <time to run CRACK>, it doesn't really help matters any. The only thing you're REALLY doing is changing the amount of time the hacker can *USE* the password. And let's face it - once the hacker HAS the password, he'll probably install a backdoor, so that it doesn't MATTER if you expire his password.

This leads to the conclusion that what you *REALLY* want to do is:

1) Make sure you use Kerberos or other network authentication so you never send it in cleartext...

2) *LET* the damn password be the same for years and years - *AFTER* you've made sure that it's a Really Really Good password.

3) Remember that if you make them change it once a month, the average quality will decay.... "Damn, it's that time again...".

-- 
Valdis Kletnieks
Computer Systems Engineer
Virginia Tech
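The "max password lifetime versus time to run CRACK" argument above, worked through as a small model. This is an added example, not part of the original post; it assumes (my assumptions, not the author's) that an attacker captures a hash at a uniformly random point in the password's lifetime L, needs a fixed time C of offline cracking to recover it, and can use it until it expires, unless a backdoor makes expiry irrelevant.

```python
# Added example (not from the original post). Model assumptions, mine not the author's:
# capture time is uniform in [0, L); cracking takes a fixed C; the cracked password
# is usable from time (capture + C) until the password expires at L.
import random


def crack_before_expiry_fraction(lifetime, crack_time):
    """Fraction of captured hashes that are cracked before the password expires."""
    if crack_time >= lifetime:
        return 0.0
    return (lifetime - crack_time) / lifetime


def expected_usable_window(lifetime, crack_time):
    """Expected time the attacker can use the password (same units as inputs).
    Integrating (L - C - t) / L over capture time t in [0, L - C] gives (L - C)^2 / (2L).
    A sniffed cleartext password is the special case C = 0, giving L / 2."""
    if crack_time >= lifetime:
        return 0.0
    return (lifetime - crack_time) ** 2 / (2 * lifetime)


def expected_usable_window_with_backdoor(lifetime, crack_time, time_to_detection):
    """If the attacker installs a backdoor at first use, the usable window is the
    time until the backdoor is found, not the time until the password expires;
    rotation then only changes how often the attacker succeeds at all."""
    return crack_before_expiry_fraction(lifetime, crack_time) * time_to_detection


def simulate_usable_window(lifetime, crack_time, trials=100_000, seed=1):
    """Monte Carlo check of the closed form in expected_usable_window."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        ready_at = rng.uniform(0, lifetime) + crack_time
        if ready_at < lifetime:
            total += lifetime - ready_at
    return total / trials


def compare_lifetimes(crack_time, lifetimes):
    """Map each candidate lifetime to (fraction cracked in time, expected usable window)."""
    return {L: (crack_before_expiry_fraction(L, crack_time), expected_usable_window(L, crack_time))
            for L in lifetimes}


if __name__ == "__main__":
    # Constructed figures: a 7-day crack run against 30, 90 and 365 day lifetimes (units: days).
    for L, (frac, window) in compare_lifetimes(7, (30, 90, 365)).items():
        print(f"lifetime {L:3d}d: cracked before expiry {frac:.0%}, usable {window:6.1f}d")
```

With a 7-day crack time, cutting the lifetime from 365 to 30 days still leaves 77% of captured hashes cracked in time; it shrinks the usable window, which is exactly the author's point, and a backdoor removes even that effect.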