Forcing password change on new users...

Henry Spencer henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org
Thu Jan 13 21:36:33 UTC 2005


On Thu, 13 Jan 2005, Christopher Browne wrote:
> > and (b) use minor variations on it thereafter instead of making up new
> > ones.  Both of those practices are distinctly detrimental to security. 
> 
> I just got forced into a password change yesterday on AIX, and
> discovered that I wasn't permitted to have more than 2 characters of my
> password be the same as the old one.
> I'm not quite sure how someone would come up with a "minor" variation on
> that...

Oh, any number of ways -- they just get creative at higher levels.  For 
example, rotate through the names of the seven dwarfs (perturbed enough
to satisfy criteria about nonalphanumeric characters etc.).

                                                          Henry Spencer
                                                       henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org