Marc Samendinger wrote:
> On Tue, Aug 01, 2006 at 11:15:09AM -0400, suse@rio.vg wrote:
> > Badger, Shawn wrote:
> > > The reason that you change your password on a regular basis is to prevent a compromised password from being effective forever.
> > But is that really worthwhile? As soon as a password is compromised, the damage is done. I find the idea that an attacker is going to get a password, then wait weeks or months to use it rather odd. They're more likely to use it right away.
> For an external "techy" attacker that may be true. But changing passwords regularly may help against snooping co-workers that saw you typing a password while looking over your shoulder.
>
> Is it worthwhile? For me it's no burden to change my password from time to time. I have no problem with remembering R%anc!BhouseaL after typing it a few times. For others that don't have to remember dozens of passwords anyway it may be harder, and they may write their password down and defeat your whole password policy.

I think it should be no problem for the average employee to remember two or three complicated but often-used passwords (with the help of a little paper scrap in their purse for the first week, maybe). I've got lots of passwords (MySQL root passwords, passwords to access certain websites, normal root passwords, etc.) and I have to write them down in a file on an encrypted partition; if I don't use them for some time, I just forget them. Those that I use often I can usually remember well (I sometimes just remember the keys I have to type, but couldn't spell the password if I was asked for it), but the others...

If you have lots of people who refuse to learn an 8- or 10-digit apg password (or claim that they "can't memorize it"), I'd say chances are good the same people would tell somebody on the phone claiming to be "Joe Bloggs from IT" their current password, regardless of how complicated it was. I'd even go as far as saying that some of those might read the numbers from an RSA two-factor key to someone on the phone, if (s)he was convincing enough.

So, we're down to a social problem again: if people literally switch off their brains during work, no technical hurdle will prevent them from doing something stupid. Social problems have no technical (or even judicial) solution.

cheers,
Rainer