Re: minimum number of days between password change
- From: Ron Johnson <ron.l.johnson@xxxxxxx>
- Date: Mon, 01 Nov 2010 18:29:03 -0500
On 11/01/2010 04:45 PM, Jesús M. Navarro wrote:
> Hi, Ron:
>
> On Monday 01 November 2010 18:49:01 Ron Johnson wrote:
> [...]
>> If someone learns my password on day 2, they have full access to my
>> account for 74 days, or I must beg for SysAdmin help?
>>
>> "Minimum number of days" isn't a very bright idea.
>
> It is, for a low minimum number.
>
> The rationale is to avoid the user reusing passwords: Ok, so my password is
> 12345678 and I must change it now? Let's do it: 87654321; but immediately I
> change back again.

The way to do it is to have a record in your password db of the hashes of each user's last N passwords.

> So if the minimum change time is about a week, it takes about the same effort
> to learn the new password than to change it back.

You're Doing It Wrong if you use "minimum days" to avoid password reuse.
--
Seek truth from facts.
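
The password-history check described in the message above, as an added example that is not part of the original post: each user's last N passwords are kept as salted hashes and a change is refused if the new password matches any of them. The class name `PasswordHistory`, the depth of 3 and the PBKDF2 parameters are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 3          # assumed N; the post does not give a value
PBKDF2_ROUNDS = 100_000    # assumed work factor for this sketch


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of one user's current and previous passwords (hypothetical class)."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        # deque(maxlen=depth) drops the oldest entry once the history is full
        self._entries = deque(maxlen=depth)

    def was_used(self, candidate: str) -> bool:
        # Every entry has its own salt, so the candidate is re-hashed per entry.
        hit = False
        for salt, digest in self._entries:
            if hmac.compare_digest(_hash(candidate, salt), digest):
                hit = True  # keep looping so timing does not reveal the position
        return hit

    def change(self, new_password: str) -> bool:
        """Record new_password; return False and store nothing if it is in the history."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, _hash(new_password, salt)))
        return True


def demo() -> list:
    # Constructed sequence, using the two passwords from the quoted message.
    h = PasswordHistory(depth=3)
    results = [
        h.change("12345678"),  # initial password
        h.change("87654321"),  # forced change
        h.change("12345678"),  # immediate change-back: rejected
    ]
    # Two more distinct passwords push "12345678" out of the 3-deep history.
    h.change("filler-one")
    h.change("filler-two")
    results.append(h.change("12345678"))  # no longer in the history: accepted
    return results
```

The last step shows that the protection only reaches as far back as N, so the history depth has to be chosen with that in mind.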