[clug] Re: linux Digest, Vol 78, Issue 53

Paul Matthews plm at netspace.net.au
Sat Jun 20 02:32:36 GMT 2009


>>> Heck, recently a group of very, very technical people I was around had a
>>> discussion about a password system that required a password change every week,
>>> no reuse for 128 passwords[1], minimum length above 20 characters, characters
>>> from all the standard classes[2], no dictionary words, and no more than three
>>> characters in sequence from any one class.
>>>
>>> Which was *still* vulnerable to a fairly trivial "rotate the number" guessable
>>> sequence of passwords, and which still left plenty of other risks.
>> I'd have to hunt a bit to re-dig it up. But some researchers in the UK
>> did a study on password lengths/time to change them and so on. Was a few
>> years ago now. ~ 2000-2005 time frame.
The password restrictions above are simply ludicrous. At the moment more
than half of the technical staff at work, including the executive, are
writing their passwords on sticky notes attached to their screens. And
minimum password length is only 8. The only passwords not written on
sticky notes are the ones that are *not* rotated.
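An added example, not from anyone in this thread, showing the weakness the quoted policy discussion describes: a checker that enforces the stated composition rules (length above 20, all four character classes, no more than three consecutive characters from one class, no dictionary words) still accepts a "rotate the number" sequence, while a history check that compares passwords with their digits collapsed rejects it. The tiny dictionary and the sample passwords are constructed for the example.

```python
import re
import string

# Constructed stand-in for a real word list (assumption for the example).
DICTIONARY = {"password", "horse", "battery", "staple", "linux"}


def char_class(c):
    """Map a character to one of the four standard classes."""
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.digits:
        return "digit"
    return "symbol"


def meets_policy(pw, min_len=21, max_run=3):
    """True if pw satisfies the composition rules quoted in the thread."""
    if len(pw) < min_len:
        return False
    classes = [char_class(c) for c in pw]
    if len(set(classes)) < 4:           # all classes must be present
        return False
    run = 1
    for prev, cur in zip(classes, classes[1:]):
        run = run + 1 if cur == prev else 1
        if run > max_run:               # too many in a row from one class
            return False
    lowered = pw.lower()
    return not any(word in lowered for word in DICTIONARY)


def skeleton(pw):
    """Collapse digit runs so 'Ab!01' and 'Ab!02' compare equal."""
    return re.sub(r"\d+", "#", pw)


def accepted(pw, history):
    """Composition rules plus a history check that catches rotated numbers."""
    if not meets_policy(pw):
        return False
    # Plain 'no reuse' would pass the rotated variant; the skeleton
    # comparison treats it as a reuse of the previous password.
    return all(skeleton(pw) != skeleton(old) for old in history)
```

The skeleton comparison is one cheap mitigation; an edit-distance threshold against the history would catch letter rotations too.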
