Hey,

On Thu, 29 Aug 2002, Florin Iucha wrote:

> > Simple example. Mandatory password aging. Every 30 days you expire all passwords
> > and force the user to choose a new, non-dictionary, not-used-before password.
> > Gonna have a change, every 30 days.
>
> Do you know what this will guarantee? That in less than 30 seconds by
> looking under the monitor, under the desk and the top drawer you will find
> the post-it with the last 5 passwords.

If someone has physical access, you're screwed anyway. Give me physical access
to any machine and I'm more than likely going to be able to get your data, be it
by boot linux init=/bin/sh, by booting Solaris from my own CDROM or by ripping
the drives out of your machine and then doing data recovery at my leisure.

> Bob, when was the last time you changed your house keys?

When I moved in, and WHENEVER I LOSE A KEY. Furthermore, I am NOT doing the
post-it equivalent - I don't hide a spare key under the rug, nor anywhere else!
I also have home insurance.

I think what Bob was trying to say is it'd be NICE from a security standpoint to
force password aging and fascist-checking of new passwords, but you'll get
massive user resistance and likely won't get it implemented. Heck, it'd be nice
to make everyone use some kind of SecurID token, too, but good luck convincing
Mr Computer Illiterate CEO of that. But I guess that's what consultants are for.

-Yaron
--