On Wed, Aug 11, 2010 at 4:09 PM, Alan McKinnon wrote: > On Thursday 12 August 2010 00:11:12 Bill Longman wrote: > > On 08/11/2010 01:30 PM, Alan McKinnon wrote: > > > I refuse to implement password expiration policies and have a vast > array > > > of literature to back me up when some dimwit damager gets on his > > > expiration high horse. > > > > > > My users pick their own passwords - I present a list of 5 from apg and > > > let them pick one. Accounts do expire if they go unused for 90 days, > but > > > not passwords. > > > > > > What put me onto this policy? I found Gartner recommending password > > > expiration. I find the best security possible is always the opposite of > > > what Gartner says. Discovering how the AD admins in the company go > about > > > their jobs was the convincing straw :-) > > > > The bigger buggerboo I see is the "password complexity" [il]logic. > > There's this vapid requirement of all these different types of > > characters needed in one's password, yet the thing you really want to > > enforce is adequate entropy. If my password is an entire sentence, it > > will not be brute-forced, even if I used just ASCII A-z. There's just > > too much key space in 4.7^32. At 10^5 attempts per second, you're likely > > to find the answer in half a billion years. I hope your keyboard still > > works, let alone exists.... > > Your reasoning makes sense, until you consider password length limits > imposed > by machines. > > Cisco routers authenticating via Tacacs for instance often support nothing > more than DES hashing . The hash routines accept up to 10 characters > for > a password but only use the first 8 to calculate the hash. > > There are Solaris version nowhere near EOL yet that have similar limits. > > All this makes my life as a system integrator cum authenticate go-to guy > very > tricky indeed. Luckily management tends to say "Just do what Alan says. It > makes him shut up and go away". > > :-) > > p.s. dig the use of "vapid". Wonderful word, truly splendid. Communicates > in 5 > letters something that takes paragraphs any other way. I shall make a note > for > future use. > > -- > alan dot mckinnon at gmail dot com > > Absolutely. If you do not change your ENCRYPT_METHOD or your PASS_MAX_LEN in your login.defs file and are still relying on the back end's ability to safely store your passwords in DES format, well, you're in trouble.