Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 10 Apr 2009 15:54:29 -0400

On Fri, 10 Apr 2009 13:51:17 CDT, Roger Safian said:

> This is basically, IMHO, a religious debate.  There's no right or wrong answer.
> Password aging has its uses.  Password length and complexity have their uses
> as well.  The problem becomes balancing the security needs of your organization
> against the threats you face.

I have *no* problems with an organization saying "We've thought about it, and
password aging solves real and actual *current* problem XYZ for us" (for
example, if you're using that as a proxy for disabling unused accounts - which
*is* a good thing).  It's all the sites that are implementing password aging to
solve last century's issues without thinking about the *current* issues.

And yes, for many sites, "We'll never be able to sell it to the auditors" is
probably reason enough - if so, at least *try* to educate said auditors.

Far too much security these days is totally cargo-cult.
