Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!rutgers!bellcore!faline!thumper!gamma!pyuxp!nvuxj!nvuxr!jgn
From: jgn@nvuxr.UUCP (Joe Niederberger)
Newsgroups: comp.unix.questions
Subject: Re: Need help with password aging
Message-ID: <1020@nvuxr.UUCP>
Date: 21 Mar 89 14:32:21 GMT
References: <179@camdev.UUCP> <9059@alice.UUCP>
Reply-To: jgn@nvuxr.UUCP (22115-Joe Niederberger)
Distribution: na
Organization: Bell Communications Research
Lines: 35

In article <9059@alice.UUCP> ark@alice.UUCP (Andrew Koenig) writes:
>In article <179@camdev.UUCP>, sscott@camdev.UUCP (Steve Scott) writes:
>
>> As a major security overhaul within my company, the issue of password aging
>> has raised its head. So, I am in need of advice on how to implement such.
>
>It is far from clear to me that password aging accomplishes much.
>Its usual effect is to cause people to toggle between two similar
>passwords. I don't believe for an instant that such toggling
>will make passwords any harder to guess, break, or acquire.
>

It seems to me that the next logical step would be to force the
user to invent totally new passwords (relative to his/herself of
course) at each password change. But then, wouldn't the effect be
to exacerbate the existing tendency of users to choose easily
remembered passwords, which themselves present a security risk?

Does anybody have any statistical evidence that forcing password
changes actually enhances security?

x x x x x x x x x x x x x x

Joe Niederberger