Ross Walker wrote:
> On Jan 20, 2011, at 9:23 AM, m.roth@xxxxxxxxx wrote:
>
>> Adam Tauno Williams wrote:
>>> On Thu, 2011-01-20 at 14:08 +0100, Giles Coochey wrote:
>>>> On 20/01/2011 13:12, Adam Tauno Williams wrote:
>>>>> On Thu, 2011-01-20 at 11:05 +0000, John Hodrien wrote:
>>>>>> An account is a personal account that should not be shared.
>> <snip>
>>> While such standards are much-maligned I actually find them useful as a
>>> tool for pushing for better security against crowds that don't like
>>> password change requirements, etc... The standards speak a language
>>> "suits" understand and to some degree believe in [or at least fear,
>>> which works well enough].
>>
>> Yeah, well, the problem is they're pushing more frequent password
>> changes, while, according to the other admin I work with, NIST only recommends
>> every two *years*. ESPECIALLY if you do *not* have single sign-on
>> everywhere, frequent password changes, and requiring a lot of difference
>> between the current password and the new one, *and* not coming anywhere
>> near the last year or two's worth of passwords is worse than useless,
>> it's counterproductive, since it makes social engineering much easier, since
>> *everyone* will be writing down their passwords.
<snip>
> The whole 90 day password change recommendation came about because it was
> calculated to be the median number of days it would take to perform a
> brute password crack on an offline copy of the password hashes given a
> sufficiently complex password standard and a high-end desktop computer.
>
> With Amazon's cloud services now I guess they'll have to cut it down to 7
> days, or require fingerprint or retinal eye scans...

"You have not logged on in one hour: your account is locked; please have it
unlocked, and change your password...."

     mark "it's even safer if you unplug it from the network"

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
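The "median crack time" reasoning Ross describes, worked through as an added example; this is not code from the thread, from CentOS, or from any NIST document. The character-class sizes are exact; the two guess rates (RATE_DESKTOP, RATE_CLOUD) are assumptions picked only to show how the derived interval moves when the attacker's rate goes up by two orders of magnitude, and the function names are my own. The model covers exactly one threat, offline brute force of a leaked hash database, and nothing mark raises about written-down passwords.

```python
"""Median offline crack time as a password-rotation model.

Added example, not code from the CentOS thread or any standards body.
Keyspace sizes are exact; the guess rates are illustrative assumptions
chosen to show how the interval scales with attacker speed, not measurements.
"""
import math
import string

# Size of each character class a policy can require.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")   # 94 printable chars, no space

# Assumed offline guess rates (guesses/second) against a fast, unsalted hash.
# Illustrative only; re-derive for the hash you actually store.
RATE_DESKTOP = 1.0e9
RATE_CLOUD = 1.0e11

SECONDS_PER_DAY = 86_400


def keyspace(length, classes=ALL_CLASSES):
    """Number of passwords of exactly `length` drawn from the given classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def median_crack_days(length, rate, classes=ALL_CLASSES):
    """Days to search half the keyspace: the median time to hit one password."""
    guesses = keyspace(length, classes) / 2
    return guesses / rate / SECONDS_PER_DAY


def rotation_interval_days(length, rate, classes=ALL_CLASSES, cap=90):
    """Rotation interval derived the way the thread describes: no longer than
    the median crack time, rounded down to whole days, capped, never below 1."""
    days = math.floor(median_crack_days(length, rate, classes))
    return max(1, min(cap, days))


def length_needed(rate, target_days, classes=ALL_CLASSES, max_length=64):
    """Smallest length whose median crack time meets `target_days` at `rate`.
    The other lever: add characters instead of shortening the rotation."""
    for length in range(1, max_length + 1):
        if median_crack_days(length, rate, classes) >= target_days:
            return length
    raise ValueError("no length up to max_length meets the target")


if __name__ == "__main__":
    for label, rate in (("desktop", RATE_DESKTOP), ("cloud", RATE_CLOUD)):
        print(f"{label}: 8-char/4-class median {median_crack_days(8, rate):.1f} days, "
              f"derived rotation {rotation_interval_days(8, rate)} days, "
              f"length needed for a 90-day interval: {length_needed(rate, 90)}")
```

Under these assumed rates an 8-character, four-class policy gives a derived interval of about a month on the desktop and collapses to the 1-day floor at the cloud rate, while one extra character of length (a factor of 94 in keyspace) almost exactly cancels a 100x faster attacker. That is the arithmetic behind treating length and hash cost, not rotation frequency, as the knobs worth turning.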