Path: utzoo!news-server.csri.toronto.edu!rutgers!usc!rpi!uupsi!grebyn!escom!al
From: al@escom.com (Al Donaldson)
Newsgroups: comp.unix.questions
Subject: Re: password aging
Message-ID: <731@escom.com>
Date: 13 Mar 91 01:20:45 GMT
References: <1991Mar11.185411.2414@ssd.kodak.com> <15448@smoke.brl.mil>
Distribution: na
Organization: ESCOM Corp., Oakton, VA
Lines: 26

In article <15448@smoke.brl.mil>, gwyn@smoke.brl.mil (Doug Gwyn) writes:
> It is probably also worth noting that in most cases, forcing a change
> of password periodically actually reduces system security, rather than
> enhancing it as is probably the intention.

Not to mention being a royal pain in the keester. Few people can explain
how it works, fewer users understand it, and it just plain gets in the way
of running a facility, let alone a secure one.

A solution I've proposed is to save the date of last password change in
the shadow password file. The administrator can scan this periodically
and apply social pressures to the fellow that hasn't changed his password
in the last year and a half.

> Unless a password is
> compromised, if it was secure in the first place there is no reason
> not to stick with it.

Problem is that compromise of a password is a probabilistic thing -- the
probability of compromise (and accumulated damage) increases the longer
one uses the same password. Users really should change their passwords
periodically -- being forced to do it by a machine is just not the right
way.

Al
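The periodic scan Al proposes, as an added example that is not part of his post: a small Python scanner over constructed shadow(5)-style records (field 3 is the last-change date in days since the epoch) that lists accounts whose password is older than a threshold or has no recorded change date. The records, hashes and cutoff date are all assumed sample values.

```python
"""Scan shadow(5)-style records and report stale passwords.

Field 3 of a record is the date of the last password change, in days
since 1970-01-01. An empty field means the date is unknown; 0 means the
user must change the password at next login.
"""
from datetime import date

# Constructed sample records (not a real shadow file); hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$placeholderhash:18900:0:99999:7:::
alice:$6$placeholderhash:19200:0:99999:7:::
bob:$6$placeholderhash:18200:0:99999:7:::
carol:$6$placeholderhash::0:99999:7:::
dave:!$6$placeholderhash:17500:0:99999:7:::
svc:*:0:0:99999:7:::
"""


def days_since_epoch(d: date) -> int:
    return (d - date(1970, 1, 1)).days


def scan_shadow(shadow_text: str, today_iso: str, max_age_days: int = 365):
    """Return [(user, age_in_days or None)] for accounts whose password is
    older than max_age_days or whose last-change date is unknown.
    Locked / no-login accounts (hash starting with '!' or '*') are skipped,
    as are records already marked 0 (change forced at next login)."""
    today_days = days_since_epoch(date.fromisoformat(today_iso))
    stale = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed record, not a shadow entry
        user, pwhash, lastchg = fields[0], fields[1], fields[2]
        if pwhash.startswith(("!", "*")):
            continue
        if lastchg == "":
            stale.append((user, None))  # no change date recorded
            continue
        last = int(lastchg)
        if last == 0:
            continue
        age = today_days - last
        if age > max_age_days:
            stale.append((user, age))
    return stale


if __name__ == "__main__":
    for user, age in scan_shadow(SAMPLE_SHADOW, "2023-01-01"):
        print(user, "unknown" if age is None else f"{age} days")
```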