A quick search doesn't show me any port for enforcing password age. For
what it's worth, I once emailed Bruce Schneier about the effectiveness of
that and he said he never changed his passwords (based on age, anyway).
But there's probably something.
Given that it's not easy to select a good password (both strong and easy to
remember), password expiration sometimes result in weak passwords or in
forgotten ones. or if no measure is taken against, people change to old
While these complaints about password expiration are certainly true, it seems
like a common policy required by many sites, and failing to be able to support
that policy will limit our ability to run at those sites. It would be nice if
we could complete the implementation of some of those password-related
Robert N M Watson
University of Cambridge