Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!ncar!gatech!uflorida!travis!hrshcx!steved
From: steved@hrshcx.csd.harris.com (Steve Daukas)
Newsgroups: comp.misc
Subject: Re: (In)security of passwords
Keywords: security password
Message-ID: <1046@hrshcx.csd.harris.com>
Date: 28 Mar 91 17:38:55 GMT
References: <1097@gtenmc.UUCP> <1991Mar26.191052.4620@chinet.chi.il.us>
Organization: Harris Computer Systems - Fort Lauderdale, Fl.
Lines: 45

In article <1991Mar26.191052.4620@chinet.chi.il.us>, les@chinet.chi.il.us (Leslie Mikesell) writes:
>In article <1097@gtenmc.UUCP> joe@gtenmc.UUCP (Joe Kelsey) writes:
>>GTE Corporate auditors are currently on a rampage around the company,
>>essentially forcing all computer system managers to implement password
>>expiration. I am personally convinced that the auditors are misguided and
>>believe that password expiration systems are actually *less* secure than other
>>forms of security.
>
> I can't help with a real reference, but every time I'm confronted with
> a "password expired" message I change it to a fairly predictable combination
> of four-letter words.
>
> Also, if you have uucp connections, expiring those passwords can do
> wonders for your neighbors' phone bills as they persist with the

I have worked at several places where password expiration was the norm.
In just about every case, one of three things happened:

1) the user enters the new password, and then changes it back asap;

2) the user has two passwords that are toggled between;

3) in the case of computer-generated passwords, many post-it notes can be
   seen either on the terminal itself, desktop, inside a drawer, etc.

In any case, little changes. Security is probably not increased unless an
actual secure environment is maintained, including system/user accounting
techniques et al.

As far as uucp, I don't think you want to expire a uucp entry. You would
have many problems if you did, and a PR problem with those trying to send
mail your way. I have seen "upline" mail paths simply delete the offending
entry and wait for the deleted node to call and ask what's going on...
Then it becomes obvious that expiration of communication passwords is the
wrong answer.

One could argue that this could be managed. My opinion is that in managing
this issue, your uucp passwords (or equiv) would end up being known to more
people than it should.

Steve
-- 
.-------------------..---------------------------.
| Stephen C. Daukas || sdaukas@csd.harris.com    |
| (617) 221-1834    || uunet!travis!misg!sdaukas |
`-------------------'`---------------------------'
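The post lists two ways users defeat a bare expiration rule without any change to their effective password: changing it back as soon as the forced change is done, and toggling between two passwords. The example below is added here and is not code from the post or from any system it mentions; it shows the two server-side checks a change-password routine needs to refuse those dodges, a salted hash history (so old passwords are never stored in the clear) and a minimum password age (so an immediate revert is refused). The policy numbers (five remembered passwords, one day minimum age, the PBKDF2 round count) and the sample passwords are assumptions for the demonstration. Case 3 in the post, the password on a post-it note, is not something this code can address.

```python
import hashlib
import hmac
import os

# Added example, not code from the post. Policy values are assumptions.
HISTORY_DEPTH = 5               # remember the last five passwords (assumed)
MIN_AGE_SECONDS = 24 * 60 * 60  # no second change within a day (assumed)
PBKDF2_ROUNDS = 20_000          # kept low for the demo; use far more in production
DAY = 24 * 60 * 60


class PasswordChangeRejected(Exception):
    """Raised with the policy reason when a change is refused."""


class Account:
    """Per-user password state: a bounded history of (salt, digest) pairs."""

    def __init__(self, initial_password, now):
        self.history = []        # (salt, digest) pairs, newest last
        self.changed_at = now    # time of the most recent change
        self._store(initial_password, now)

    @staticmethod
    def _digest(salt, password):
        # Salted, iterated hash so the history never holds old passwords in clear.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, self._digest(salt, password)))
        del self.history[:-HISTORY_DEPTH]   # keep only the newest HISTORY_DEPTH
        self.changed_at = now

    def _matches(self, entry, password):
        salt, digest = entry
        return hmac.compare_digest(self._digest(salt, password), digest)

    def verify(self, password):
        """True if `password` is the account's current password."""
        return self._matches(self.history[-1], password)

    def change_password(self, old, new, now):
        if not self.verify(old):
            raise PasswordChangeRejected("current password wrong")
        # Defeats dodge 1: "change it back asap" fails until a day has passed.
        if now - self.changed_at < MIN_AGE_SECONDS:
            raise PasswordChangeRejected("minimum age not reached")
        # Defeats dodge 2 (and a delayed dodge 1): anything still in the
        # history, including the current password, is refused.
        if any(self._matches(entry, new) for entry in self.history):
            raise PasswordChangeRejected("password reused")
        self._store(new, now)


def attempt(account, old, new, now):
    """Run one change attempt and return 'accepted' or the rejection reason."""
    try:
        account.change_password(old, new, now)
        return "accepted"
    except PasswordChangeRejected as exc:
        return f"rejected: {exc}"


def run_scenario():
    """Replay the user behaviour the post describes against the policy.

    Times are seconds from account creation; passwords are constructed samples.
    """
    acct = Account("Gr8Sn0wfall!", now=0)
    results = {}
    # Forced expiration after 30 days: a genuinely new password is accepted.
    results["forced_change"] = attempt(acct, "Gr8Sn0wfall!", "Ch4lkDust?", now=30 * DAY)
    # Dodge 1: change it straight back a minute later.
    results["change_back_asap"] = attempt(acct, "Ch4lkDust?", "Gr8Sn0wfall!", now=30 * DAY + 60)
    # Dodge 1, patient variant: wait two days, then change it back.
    results["change_back_later"] = attempt(acct, "Ch4lkDust?", "Gr8Sn0wfall!", now=32 * DAY)
    # A fresh password after the minimum age is fine.
    results["fresh_password"] = attempt(acct, "Ch4lkDust?", "R1verStone#", now=32 * DAY)
    # Dodge 2: toggle back to the previous one.
    results["toggle_to_previous"] = attempt(acct, "R1verStone#", "Ch4lkDust?", now=34 * DAY)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:20s} {outcome}")
```

The history check only helps while the old password is still within the last HISTORY_DEPTH entries, so a user who rotates through six throwaway passwords in six days can still return to the original one; the minimum age is what makes that take six days instead of six minutes.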