Firewall Wizards mailing list archives

Re[2]: password aging


From: Steve.Bleazard () wdr com
Date: Wed, 2 Sep 1998 15:17:06 +0700

     One alternative to password aging is to force everyone to use a
     password generator.  FIPS181 from the US government describes (and
     implements) such a generator.  I have found the FIPS181 algorithm
     generates good pronounceable passwords.  They are also far less
     susceptible to social engineering.
     
     Using password generators has many problems in itself, not least of 
     which is the tendency for people to write the password down.  However, 
     if security demands good password aging and system-wide password
     re-use detection, then the local policies can be enforced to deal with 
     this and a generator is a viable alternative.
     
     Steve


______________________________ Reply Separator _________________________________
Subject: Re: password aging
Author:  jsdy (jsdy () cospo osis gov) at unix/o2=mime
Date:    9/1/98 8:58 PM


This is true.  It's also "standard" practice...One of the goals of my group
is to _reduce_ the number of calls
to the help-desk.  Please keep in mind that this is only a _proposed_
change, and it hasn't been approved yet.

If reducing calls is a goal, why increase them by not telling the user
why the password is rejected?  ;-)

Scalability is an issue.  We're talking about (at least) a 128 bit
keyspace.

The ARGUMENT doesn't scale perfectly.  Analogies rarely do.  I believe
that a system-wide old-password database is still not the wisest
choice.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support                                          EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.


