Re: Cycling Passwords
On 22 Aug 2008 at 10:55, Karl Pearson wrote:

> I'm curious on your take on systems that require changing passwords on a set schedule, whether it's 90 days or whatever.
>
> When I've set up new systems, I instruct the users to select passwords that are cryptic and follow guidelines that make them essentially impossible to crack, such as: Ol10yzZx119xa
>
> Once a good password is found, why change it? I know there are a lot of consultants who say you must, but everywhere I've been that requires people to change passwords, I see they have written them on sticky notes and then put them on their monitor, or bookshelf or wherever. I also see the frustration level rise every time they are trying to get into a system with a customer on the phone, and they have to tell them to wait for their session as they change their password...
>
> Since roughly 90% of corporate break-ins are from the inside, having to change the passwords, and then sticking the passwords up, defeats the security purposes for changing passwords.
>
> What do you think?
>
> Okay, I do have a reason for asking this: 1. convince me I'm wrong, and 2. I have a client that wants it to stop, and I need to know where in Fedora Core 6 that is set up so I can make the change for them.
>
> Their FC6 system is set up so the accounts go to /sbin/nologin so they don't have to change their password for email. But no one has shell access, and a few need it, thus creating the need for passwords to change.
>
> TIA

After retiring from the Army, I could not believe the password situation at the school where I started working as a computer applications teacher. I found that many of the teachers were using their spouses' and kids' names as passwords. Or, just as bad, coaches who rotated their passwords between baseball, football, and basketball. Needless to say, on more than one occasion we caught a student logged in on a teacher's computer.
When I convinced the technology coordinator to have them start to use strong passwords, we discovered that most started writing them on sticky notes and attaching them to the bottom of their keyboard, and more than one, right on the side of the monitor. Their excuse was always that they were afraid they would forget that complicated password, especially over a long holiday break or summer vacation. And, we of course caught students stealing the teachers' passwords and using them, again.

We finally started giving classes on how to make very complicated passwords that are actually very easy to remember. For instance, take a significant name that only you know and will never forget and a significant year associated with that name. Spell the name backwards, mix in the year as every other letter, and add some punctuation to finish it out. For example, my son's first pet dog was named Boomer and we got him in 1989. Absolutely no one where I work knows about the dog. That info could easily be turned into this password: r1e9m8o9o!B

This makes for a nice complicated password that can easily be remembered without writing it down. After just a few slow logins most teachers quickly remember the sequence and can bang it out in just a couple of seconds. Of course we do have to remind them periodically and check to make sure they are following the new guidelines, as well as teach any new teachers that are hired.

Daniel A. Rachels, Sr.
drachels@xxxxxxxxxxxx

_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/redhat-install-list
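The recipe Daniel describes, written out as an added Python example (not code from the list or from either poster). It reproduces his Boomer/1989 example and, from a defender's view, contrasts the password's apparent character-class strength with its real strength once the recipe is known and only the name, year and punctuation are secret; the dictionary sizes in that estimate are assumptions, and the punctuation placement follows the single example in the post.

```python
import math

# Assumed sizes for the keyspace estimate (not from the post): a list of
# common pet/family names, a span of plausible years, and keyboard symbols.
ASSUMED_NAME_CANDIDATES = 10_000
ASSUMED_YEAR_SPAN = 109          # 1900 .. 2008
ASSUMED_PUNCT_MARKS = 32         # punctuation on a US keyboard
PRINTABLE_ALPHABET = 94          # letters, digits and punctuation


def build_mnemonic_password(name: str, year: int, punctuation: str = "!") -> str:
    """Apply the post's recipe: spell the name backwards, mix in the year
    as every other character, and finish with punctuation.  In the post's
    example the punctuation sits just before the final letter, so that is
    the convention used here; if the name has fewer letters than the year
    has digits (an edge case the post does not cover), leftover digits are
    appended in order."""
    reversed_name = name[::-1]           # "Boomer" -> "remooB"
    digits = str(year)                   # 1989 -> "1989"
    out = []
    for i, ch in enumerate(reversed_name):
        out.append(ch)
        if i < len(digits):              # interleave one year digit
            out.append(digits[i])
    out.extend(digits[len(reversed_name):])
    out.insert(len(out) - 1, punctuation)
    return "".join(out)


def naive_keyspace_bits(password: str, alphabet: int = PRINTABLE_ALPHABET) -> float:
    """Bits an attacker faces if the string were uniformly random: this is
    what a length/character-class strength meter reports."""
    return len(password) * math.log2(alphabet)


def recipe_keyspace_bits(names: int = ASSUMED_NAME_CANDIDATES,
                         years: int = ASSUMED_YEAR_SPAN,
                         puncts: int = ASSUMED_PUNCT_MARKS) -> float:
    """Bits an attacker faces once the recipe itself is known and only the
    name, year and punctuation mark remain secret.  The gap between this and
    naive_keyspace_bits() is why the post's 'no one knows about the dog'
    condition is doing the real work."""
    return math.log2(names * years * puncts)


if __name__ == "__main__":
    pw = build_mnemonic_password("Boomer", 1989)
    print(pw)                                             # r1e9m8o9o!B
    print(f"naive estimate : {naive_keyspace_bits(pw):.1f} bits")
    print(f"recipe known   : {recipe_keyspace_bits():.1f} bits")
```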