On 08/11/2010 01:30 PM, Alan McKinnon wrote:

> I refuse to implement password expiration policies and have a vast array of
> literature to back me up when some dimwit damager gets on his expiration high
> horse.
>
> My users pick their own passwords - I present a list of 5 from apg and let
> them pick one. Accounts do expire if they go unused for 90 days, but not
> passwords.
>
> What put me onto this policy? I found Gartner recommending password
> expiration. I find the best security possible is always the opposite of what
> Gartner says. Discovering how the AD admins in the company go about their jobs
> was the convincing straw :-)

The bigger buggerboo I see is the "password complexity" [il]logic.
There's this vapid requirement of all these different types of
characters needed in one's password, yet the thing you really want to
enforce is adequate entropy. If my password is an entire sentence, it
will not be brute-forced, even if I used just ASCII A-z. There's just
too much key space in 4.7^32. At 10^5 attempts per second, you're likely
to find the answer in half a billion years. I hope your keyboard still
works, let alone exists...