atom feed8 messages in org.freebsd.freebsd-securityRe: Freebsd auto locking users
FromSent OnAttachments
Khachatur ShahinyanSep 12, 2008 10:42 pm 
Toby BurressSep 12, 2008 11:35 pm 
Jon PasskiSep 13, 2008 6:48 am 
moussSep 13, 2008 1:46 pm 
Robert WatsonSep 14, 2008 3:12 am 
Micheas HermanSep 14, 2008 3:28 am 
moussSep 14, 2008 4:04 am 
Khachatur ShahinyanSep 15, 2008 11:30 pm 
Subject:Re: Freebsd auto locking users
From:Robert Watson (rwat@FreeBSD.org)
Date:Sep 14, 2008 3:12:46 am
List:org.freebsd.freebsd-security

On Sat, 13 Sep 2008, mouss wrote:

A quick search doesn't show me any port for enforcing password age. For what it's worth, I once emailed Bruce Schneier about the effectiveness of that and he said he never changed his passwords (based on age, anyway). But there's probably something.

Given that it's not easy to select a good password (both strong and easy to remember), password expiration sometimes result in weak passwords or in forgotten ones. or if no measure is taken against, people change to old ones.

http://www.cryptosmith.com/sanity/expharmful.html http://www.rsa.com/blog/blog_entry.aspx?id=1286 http://www.cerias.purdue.edu/site/blog/post/password-change-myths/P50/

and the other side has its proponents of course:

http://lopsa.org/node/29

While these complaints about password expiration are certainly true, it seems like a common policy required by many sites, and failing to be able to support that policy will limit our ability to run at those sites. It would be nice if we could complete the implementation of some of those password-related policies.

Robert N M Watson Computer Laboratory University of Cambridge