Forcing password change on new users...

Christopher Browne cbbrowne-HInyCGIudOg at public.gmane.org
Thu Jan 13 17:02:10 UTC 2005


> On Thu, 13 Jan 2005, Lennart Sorensen wrote:
> > Or you configure pam to enforce certain rules on minimum length, mixed
> > numbers, symbols, letters, etc.  Pam can even run a cracklib pass on the
> > password before deciding if it is good enough.
> 
> The downside of this is that the harder you make it for people to choose
> memorable passwords that satisfy the rules, the more certain it is that
> when they finally get a password accepted, they will (a) write it down,
> and (b) use minor variations on it thereafter instead of making up new
> ones.  Both of those practices are distinctly detrimental to security. 

I just got forced into a password change yesterday on AIX, and
discovered that I wasn't permitted to have more than 2 characters of my
password be the same as the old one.

I'm not quite sure how someone would come up with a "minor" variation on
that.  I know people that probably still use that strategy for the
passwords they update every 45 days.

I, of course, used automation for this; I have a password generator
integrated into JPilot's keyring plugin, and this does an eminently nice
job of generating implausibly difficult to guess passwords.  And syncs
them, in encrypted form, onto my Palm.  It's on a "post-it," albeit one
that uses 3-DES...

> "If you make it too hard to unlock the door, people *will* prop it
> open."
> 
> Sometimes maximum *real* security comes at a point well short of
> maximum *theoretical* security.  It's important to understand the
> difference.

Indeed.
--
"cbbrowne","@","linuxfinances.info"
http://www3.sympatico.ca/cbbrowne/linux.html
If at first you don't succeed, then you didn't do it right!
If at first you don't succeed, then skydiving definitely isn't for you. 
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml