On Jan 20, 2011, at 9:23 AM, m.roth at 5-cent.us wrote:

> Adam Tauno Williams wrote:
>> On Thu, 2011-01-20 at 14:08 +0100, Giles Coochey wrote:
>>> On 20/01/2011 13:12, Adam Tauno Williams wrote:
>>>> On Thu, 2011-01-20 at 11:05 +0000, John Hodrien wrote:
>>>>> An account is a personal account that should not be shared.
> <snip>
>> While such standards are much-maligned I actually find them useful as a
>> tool for pushing for better security against crowds that don't like
>> password change requirements, etc... The standards speak a language
>> "suits" understand and to some degree believe in [or at least fear,
>> which works well enough].
>
> Yeah, well, the problem is they're pushing more frequent password changes,
> while, according to the other admin I work with, NIST only recommends
> every two *years*. ESPECIALLY if you do *not* have single sign-on
> everywhere, frequent password changes, and requiring a lot of difference
> between the current password and the new one, *and* not coming anywhere
> near the last year or two's worth of passwords is worse than useless, it's
> counterproductive, since it makes social engineering much easier, since
> *everyone* will be writing down their passwords.
>>
>>> I can't speak for HIPAA, SOX etc... but automatic locking is part of IT
>>> best practice.
>
> HIPAA, and PII (Personal Information Identifier), and PHI (Personal Health
> Information) is very, *very* much need-to-know *only*, and violation is
> punishable by termination, and possibly criminal action.
>
> mark, who works for a US federal contractor with the US gov't, and
> had to get a "position of trust"* clearance for the job....
>
> * Which I assume entitles me to see bottom secrets, or maybe bargain
> basement secrets....
<g> The whole 90-day password change recommendation came about because it was calculated to be the median number of days it would take to perform a brute-force password crack on an offline copy of the password hashes, given a sufficiently complex password standard and a high-end desktop computer. With Amazon's cloud services now I guess they'll have to cut it down to 7 days, or require fingerprint or retinal eye scans...

-Ross
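A worked version of the calculation Ross describes, added here as an example (not code from the thread): it counts the keyspace a complexity rule leaves and turns the median exhaustive-search time into the rotation interval the argument implies. The attacker guess rates are constructed assumptions, not measured figures.

```python
from itertools import combinations

# Character-class sizes (assumed 94-character printable alphabet).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def keyspace(length: int, required: tuple = ()) -> int:
    """Count passwords of `length` characters over all classes that contain at
    least one character from every class named in `required`.  Uses
    inclusion-exclusion over the subsets of required classes that are absent."""
    alphabet = sum(CLASSES.values())
    total = 0
    for k in range(len(required) + 1):
        for absent in combinations(required, k):
            reduced = alphabet - sum(CLASSES[c] for c in absent)
            total += (-1) ** k * reduced ** length
    return total

def median_crack_days(space: int, guesses_per_second: float) -> float:
    """Median time to recover one uniformly chosen password by exhaustive
    search of an offline hash copy: half the keyspace at the attacker's rate."""
    return space / 2 / guesses_per_second / 86400

def rotation_table(length: int, required: tuple, rates: dict) -> dict:
    """Rotation interval (days) implied by each attacker model, i.e. the
    'change it before the median crack finishes' reasoning from the thread."""
    space = keyspace(length, required)
    return {name: median_crack_days(space, rate) for name, rate in rates.items()}

# Constructed attacker models: guesses per second against a fast, unsalted
# hash.  These are illustrative assumptions, not benchmark results.
RATES = {
    "single desktop (assumed 1e8/s)": 1e8,
    "rented GPU cluster (assumed 1e11/s)": 1e11,
}

if __name__ == "__main__":
    policy = ("lower", "upper", "digit")
    for length in (8, 10, 12):
        print(f"length {length}, classes {policy}: keyspace {keyspace(length, policy):.3e}")
        for name, days in rotation_table(length, policy, RATES).items():
            print(f"  {name}: median crack {days:,.2f} days")
```

The same keyspace that justifies a 90-day interval on one machine shrinks the interval a thousandfold when the guess rate rises by a thousand, which is the point Ross makes about cloud hardware.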