Re: Cycling Passwords

[wonderer <wonderer4711 gmx de>]

Hy,
> Once a good password is found, why change it? 
Because every password can be "suggested" (Bruteforce). If you cange a 
password continously it is much harder to bruteforce it in a manner of time.
> I know there are a lot of consultants who say you must, but everywhere 
> I've been that requires people to change passwords, I see they have 
> written them on sticky notes and then put them on their monitor, or 
> bookshelf or whereever. I also see the frustration level raise 
> everytime they are trying to get into a system with a customer on the 
> phone, and they have to tell them to wait for their session as they 
> change their password...
On the one hand there is the technical problem of changing the password. 
On the other hand you have the social problem that people are dumb 
(sorry, it is so techincaly spoken).
If you want better technical barriers to get in a system like SmartCards 
or USB Tokens then there was the problem that people losse them or other 
"social problems arround technical".
> Okay, I do have a reason for asking this: 1. convince me I'm wrong, 
> and 2. I have a client that wants it to stop, and I need to know where 
> in Fedora Core 6 that is setup so case I can make the change for them.
If you Client wants that then I would hardly suggest that he will sign a 
paper where ALL responsibilitys in case of an emergancy was fully on HIS 
side and that HE decides that to be changed.

I think it would be better to make a short (1-2h) briefing over password 
security and make ALL employees cut of this sticky notes stuff.


best regards
Henrik


P.S.: I thought since Virus-Scanners and SPAM-Attacks these days this 
very old discussions was over. I have to change my mind.