On Fri, 2009-06-12 at 13:26 -0700, Eric Smith wrote:
> Daniel Seagraves wrote:
> > (In reality however, I am most likely giving up my password expiration
> > policy. The users are complaining to the owner about having to change
> > their password every 60 days, and the owner has told me if they
> > continue to complain the policy will be abolished.)
>
> In my opinion, having a password expiration policy with such a short
> period is counterproductive. It will cause the users to be more sloppy
> with their passwords in various ways, including leaving the passwords
> written down in places they can easily be found. It will also make
> users favor weaker, more easily guessed passwords, even if the system
> sets minimum requirements; users are more willing to memorize a stronger
> password if they're going to use it for a fairly long time.
When I worked at IBM a couple of years ago (doing rather dull tech
support stuff) I worked out that the password rules (something like
"eight to ten characters, two to four upper-case letters and two to four
digits not in the first, second, second-to-last or last position")
yielded about 1000 valid passwords...
Gordon
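For anyone who wants to check the arithmetic behind a composition rule like the one Gordon describes, here is an added example (not from the thread) that counts the passwords a rule admits and compares that with the unconstrained 62-character keyspace of the same lengths. The model of the rule (exactly u upper-case letters, exactly d digits, digits barred from the two positions at each end, lower-case letters everywhere else) is an assumption, not the actual IBM policy.

```python
from math import comb

LOWER, UPPER, DIGIT = 26, 26, 10  # alphabet sizes per character class


def count_passwords(length, n_upper, n_digits, digit_free_ends=2):
    """Count passwords of exactly `length` characters containing exactly
    `n_upper` upper-case letters and exactly `n_digits` digits, where digits
    may not occupy the first/last `digit_free_ends` positions and every
    remaining position is a lower-case letter. (Constructed model of the
    quoted rule; the real policy may differ.)"""
    digit_slots = length - 2 * digit_free_ends
    if n_digits > digit_slots or n_upper + n_digits > length:
        return 0  # the rule cannot be satisfied at this length
    n_lower = length - n_upper - n_digits
    # Choose where the digits go (middle slots only), then where the
    # upper-case letters go among the positions that are left.
    placements = comb(digit_slots, n_digits) * comb(length - n_digits, n_upper)
    return placements * DIGIT ** n_digits * UPPER ** n_upper * LOWER ** n_lower


def count_policy(lengths=range(8, 11), uppers=range(2, 5), digits=range(2, 5)):
    """Total keyspace of the rule: 8-10 chars, 2-4 upper-case, 2-4 digits."""
    return sum(count_passwords(n, u, d)
               for n in lengths for u in uppers for d in digits)


def count_unconstrained(lengths=range(8, 11)):
    """Keyspace if any mix of upper, lower and digits were allowed."""
    return sum((LOWER + UPPER + DIGIT) ** n for n in lengths)


def surviving_fraction():
    """Share of the unconstrained keyspace that the composition rule keeps."""
    return count_policy() / count_unconstrained()


if __name__ == "__main__":
    print(f"rule admits      : {count_policy():.3e} passwords")
    print(f"unconstrained    : {count_unconstrained():.3e} passwords")
    print(f"fraction kept    : {surviving_fraction():.3%}")
```

The fraction kept is the figure to look at when evaluating a composition rule: every "must contain exactly" clause tells an attacker which strings not to try.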