
Re: [suse-security] password memory

Ashley Gould wrote:
> The managers are discussing password requirements.  One desire is
> to disallow previously used passwords with memory of up to ten 
> passwords used.  Is there a sweet and simple way to implement this in
> SLES9/10?  I don't see a pam module with this facility.

Others have pointed out the technical methods, but honestly, I would
suggest to you that policy is unwise.  Security is as much a human issue
as technical.  In my experience, forcing people to keep changing
passwords has one single effect: People will write them down.  I would
much prefer for someone to have a password they can remember that never
changes than having passwords written all over Post-it notes.

Think about what you gain from changing passwords and measure it against
what you lose by having passwords written down all over the place.

The problem is password leakage.  If a password falls into the wrong
hands, your security is breached.  But what causes passwords to fall
into the wrong hands?  What about changing passwords at intervals will
prevent leakage?  Not much.  Think about it.  Nearly all avenues of
password leakage are current, so changing it every month or 3 months is
really irrelevant. As soon as the perp has the password, he's in and the
damage is done.  Changing the password next month won't do any good.
Dictionary attacks and whatnot are equally irrelevant to password
changes, they don't take a month to perform, so the chances of you
changing your password in mid-attack are unlikely.

Making your users' lives simpler has a much greater beneficial effect on
security.  The more hoops they have to jump through, the greater the
chance that they will simply circumvent the procedure.
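
For the question quoted at the top of this message (a ten-password history on a PAM-based system), the following is an added configuration example; it is not from this thread, from SUSE, or from the original poster. It assumes a Linux-PAM stack whose password section uses `pam_unix.so`, which accepts `remember=N` and keeps the old hashes in `/etc/security/opasswd`. SLES9/10 shipped their own password modules (`pam_unix2`, `pam_pwcheck`), so the option name and location must be checked in those modules' manual pages before copying this.

```text
# /etc/pam.d/common-password  (added example, assumes Linux-PAM pam_unix;
# SLES9/10 use different password modules, check their man pages)
#
# pam_cracklib rejects trivially weak candidates first; pam_unix then
# refuses any new password whose hash matches one of the last ten
# entries it stored for that user in /etc/security/opasswd.
password  requisite  pam_cracklib.so  retry=3 minlen=8
password  required   pam_unix.so      use_authtok shadow remember=10
```

pam_unix only records history when `/etc/security/opasswd` already exists (create it as root, mode 0600, before enabling `remember=`); otherwise the check silently has nothing to compare against and the policy the managers asked for is not actually enforced. Verify the result by changing a test user's password twice and confirming that the first password is refused on the third change.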
