Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sdd.hp.com!spool.mu.edu!cs.umn.edu!talon.UCS.ORST.EDU!usenet!ogicse!intelhf!ichips!iwarp.intel.com!gargoyle!chinet!les
From: les@chinet.chi.il.us (Leslie Mikesell)
Newsgroups: comp.misc
Subject: Re: (In)security of passwords
Keywords: security password
Message-ID: <1991Mar26.191052.4620@chinet.chi.il.us>
Date: 26 Mar 91 19:10:52 GMT
Article-I.D.: chinet.1991Mar26.191052.4620
References: <1097@gtenmc.UUCP>
Organization: Chinet - Chicago Public Access UNIX
Lines: 22

In article <1097@gtenmc.UUCP> joe@gtenmc.UUCP (Joe Kelsey) writes:
>GTE Corporate auditors are currently on a rampage around the company,
>essentially forcing all computer system managers to implement password
>expiration. I am personally convinced that the auditors are misguided and
>believe that password expiration systems are actually *less* secure than other
>forms of security.

>My question is, are there any studies that can back up my feelings here.

I can't help with a real reference, but every time I'm confronted with
a "password expired" message I change it to a fairly predictable combination
of four-letter words.

Also, if you have uucp connections, expiring those passwords can do wonders
for your neighbors' phone bills as they persist with the retries on the
failing logins. AT&T's '386 unix sets up passwords to expire by default,
including those for uucp if you use their menu-driven administration.

Hmmm, AT&T, now GTE... Is there a conspiracy here to waste time on the
phone lines?

Les Mikesell
  les@chinet.chi.il.us