Hey,

On Thu, 29 Aug 2002, Florin Iucha wrote:

> > Simple example. Mandatory password aging. Every 30 days you expire all passwords
> > and force the user to choose a new, non-dictionary, not-used-before password.
> > Gonna have a change, every 30 days.
> Do you know what this will guarantee? That in less than 30 seconds by
> looking under the monitor, under the desk and the top drawer you will find
> the post-it with the last 5 passwords.

If someone has physical access, you're screwed anyway. Give me physical
access to any machine and I'm more than likely going to be able to get
your data, be it by boot linux init=/bin/sh, by booting Solaris from my
own CDROM or by ripping the drives out of your machine and then doing data
recovery at my leisure.

> Bob, when was the last time you changed your house keys?

When I moved in, and WHENEVER I LOSE A KEY. Furthermore, I am NOT doing
the post-it equivalent - I don't hide a spare key under the rug, nor
anywhere else! I also have home insurance.

I think what Bob was trying to say is it'd be NICE from a security
standpoint to force password aging and fascist-checking of new passwords,
but you'll get massive user resistance and likely won't get it
implemented. Heck, it'd be nice to make everyone use some kind of SecureID
token, too, but good luck convincing Mr Computer Illiterate CEO of that.

But I guess that's what consultants are for.


-Yaron

--