On Thursday 12 August 2010 00:11:12 Bill Longman wrote:
> On 08/11/2010 01:30 PM, Alan McKinnon wrote:
> > I refuse to implement password expiration policies and have a vast array
> > of literature to back me up when some dimwit damager gets on his
> > expiration high horse.
> >
> > My users pick their own passwords - I present a list of 5 from apg and
> > let them pick one. Accounts do expire if they go unused for 90 days, but
> > not passwords.
> >
> > What put me onto this policy? I found Gartner recommending password
> > expiration. I find the best security possible is always the opposite of
> > what Gartner says. Discovering how the AD admins in the company go about
> > their jobs was the convincing straw :-)
>
> The bigger buggerboo I see is the "password complexity" [il]logic.
> There's this vapid requirement of all these different types of
> characters needed in one's password, yet the thing you really want to
> enforce is adequate entropy. If my password is an entire sentence, it
> will not be brute-forced, even if I used just ASCII A-z. There's just
> too much key space in 4.7^32. At 10^5 attempts per second, you're likely
> to find the answer in half a billion years. I hope your keyboard still
> works, let alone exists....

Your reasoning makes sense, until you consider password length limits imposed
by machines.

Cisco routers authenticating via Tacacs for instance often support nothing
more than DES hashing <yuck>. The hash routines accept up to 10 characters for
a password but only use the first 8 to calculate the hash.

There are Solaris version nowhere near EOL yet that have similar limits.

All this makes my life as a system integrator cum authenticate go-to guy very
tricky indeed. Luckily management tends to say "Just do what Alan says. It
makes him shut up and go away".

:-)

p.s. dig the use of "vapid". Wonderful word, truly splendid. Communicates in 5
letters something that takes paragraphs any other way. I shall make a note for
future use.

--
alan dot mckinnon at gmail dot com