Frank Cox wrote:
> On Mon, 28 Jan 2008 22:36:03 -0500
> Jim Perrin <jperrin at gmail.com> wrote:
>
>> And above all, because I know many admins slack on this, and I'm
>> guilty of it as well if it's not forced... ROTATE your passwords
>> periodically
>
> I have never understood this. If I have a good, strong password that nobody
> knows, how is changing it to another one an improvement over what I already
> have?
>

I agree with you. A company I worked for required rotation of passwords and strong passwords. We fired one of the sysadmins because he had a problem coming in to work late. Take a wild guess at what we found taped to the bottom of his keyboard. Requiring password rotation increases the occurrences of that issue.

Rotating passwords IMHO should only be done when there is a possibility that the shadow file has been compromised or an employee with root access is dismissed on bad terms.

A better thing to do is disable remote root login, be extremely careful with sudo (it should not be allowed to spawn a shell for any user), and log to a log server rather than the local filesystem.
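The three measures the reply recommends (no remote root login, no sudo rule that can hand out a shell, logs shipped to a log server) can each be checked from the relevant config file. The POSIX shell script below is an added example, not code from the list post or its author; it runs against constructed sample files written to a temp directory, so the hostnames, users and paths in those samples are made up, and it only looks at the files it is given (it does not walk /etc/sudoers.d or rsyslog's include directories).

```shell
#!/bin/sh
# Added example, not from the original list post: audit the three hardening
# measures the reply recommends (no remote root login, no shell-granting sudo
# rules, logs forwarded off-box). Runs against constructed sample files so it
# works offline; the hostnames, users and paths in them are made up.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# --- constructed sample configs -------------------------------------------
printf '%s\n' '# sshd_config' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$tmp/sshd_weak"
printf '%s\n' '# sshd_config' 'PermitRootLogin no'  'PasswordAuthentication no'  > "$tmp/sshd_hard"

printf '%s\n' 'root   ALL=(ALL) ALL' 'bob    ALL=(ALL) ALL' \
              'alice  ALL=/bin/bash' '%wheel ALL=(ALL) NOPASSWD: ALL' > "$tmp/sudoers_weak"
printf '%s\n' 'root   ALL=(ALL) ALL' 'bob    ALL=/usr/bin/systemctl restart httpd' \
              'alice  ALL=/usr/bin/tail /var/log/messages' > "$tmp/sudoers_hard"

printf '%s\n' '*.info;mail.none /var/log/messages' > "$tmp/rsyslog_local"
printf '%s\n' '*.info;mail.none /var/log/messages' \
              '*.* @@loghost.example.net:514' > "$tmp/rsyslog_remote"

# --- checks ---------------------------------------------------------------

# Returns 0 when sshd_config disables remote root login. sshd uses the first
# occurrence of a keyword, so only the first match counts; values such as
# prohibit-password are deliberately not accepted as "disabled" here.
root_login_disabled() {
    val=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# Prints sudoers rules (root's own excluded) that can yield a root shell:
# a command list of ALL, or a shell binary listed explicitly.
shell_capable_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -Ev '^[[:space:]]*root[[:space:]]' \
      | grep -E '(^|[[:space:],=:])ALL[[:space:]]*$|/bin/(ba|da|k|z)?sh([[:space:]]|$)'
}

# Number of shell-capable rules in the given sudoers file.
shell_rule_count() {
    shell_capable_rules "$1" | wc -l | tr -d ' '
}

# Returns 0 when rsyslog.conf forwards to a remote host, in either the legacy
# "@host"/"@@host" form or the RainerScript omfwd action.
forwards_to_remote() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -Eq '[[:space:]]@{1,2}[^[:space:]]+|omfwd'
}

# Human-readable summary for one sshd_config, sudoers and rsyslog.conf.
audit() {
    if root_login_disabled "$1"; then echo "sshd:    remote root login disabled"
    else echo "sshd:    WARNING remote root login permitted"; fi
    n=$(shell_rule_count "$2")
    if [ "$n" -eq 0 ]; then echo "sudo:    no shell-capable rules"
    else echo "sudo:    WARNING $n shell-capable rule(s):"
         shell_capable_rules "$2" | sed 's/^/         /'; fi
    if forwards_to_remote "$3"; then echo "rsyslog: forwarding to a log server"
    else echo "rsyslog: WARNING logs stay on the local filesystem"; fi
}

echo "== weak host ==";     audit "$tmp/sshd_weak" "$tmp/sudoers_weak" "$tmp/rsyslog_local"
echo "== hardened host =="; audit "$tmp/sshd_hard" "$tmp/sudoers_hard" "$tmp/rsyslog_remote"
```

To use it on a real box, call audit with /etc/ssh/sshd_config, /etc/sudoers and /etc/rsyslog.conf instead of the sample files. The sudoers check is a heuristic: a rule granting ALL lets the user run sudo -s or sudo -i, which is exactly the shell the reply says sudo should never hand out, but a narrowly listed command that itself drops to a shell (an editor, a pager) would not be flagged, so the list it prints is a starting point for review rather than a verdict.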