David Thompson wrote:
> "Michael A. Peters" wrote:
>>> I have never understood this. If I have a good, strong password that nobody
>>> knows, how is changing it to another one an improvement over what I already
>>> have?
>> I agree with you.
>
> For user accounts, changing one strong password for another gains you nothing,
> and may cause people to start writing things down, or choosing trivial
> passwords which still meet the password strength criteria, or whatever,
> actually weakening security.
>
> However, if you have admins who come into or leave employment, changing
> privileged account passwords (read: root or equiv) is a necessary activity.
>

I disagree with this too; changing one strong password for another gains you plenty if someone has compromised the initial one. The purpose of changing strong passwords is so that if someone has been fortunate enough to use some kind of method to get a password, they lose access again after the new password change and have to start over at the beginning to get back in. This gains you plenty if someone who is unauthorized loses access.

If you are dealing with regular users, Bill will give Ted a password for one item when Bill goes on vacation since it is much easier than getting the IT weenies to change the access that Ted has ... besides, he only needs to log in one time while Bill is on vacation. However, if Bill never has to change his password, then Ted has Bill's access forever.

Then of course there is the brute force guessing, etc.

Changing passwords at regular intervals is more secure than keeping the same passwords.