Ross Walker wrote: > On Jan 20, 2011, at 9:23 AM, m.roth at 5-cent.us wrote: > >> Adam Tauno Williams wrote: >>> On Thu, 2011-01-20 at 14:08 +0100, Giles Coochey wrote: >>>> On 20/01/2011 13:12, Adam Tauno Williams wrote: >>>>> On Thu, 2011-01-20 at 11:05 +0000, John Hodrien wrote: >>>>>> An account is a personal account that should not be shared. >> <snip> >>> While such standards are much-maligned I actually find them useful as a >>> tool for pushing for better security against crowds that don't like >>> password change requirements, etc... The standards speak a language >>> "suits" understand and to some degree believe in [or at least fear, >>> which works well enough]. >> >> Yeah, well, the problem is they're pushing more frequent password >> changes, while, according the the other admin I work with, NIST only recommends >> every two *years*. ESPECIALLY if you do *not* have single sign-on >> everywhere, frequent password changes, and required a lot of difference >> between the current password and the new one, *and* not coming anywhere >> near the last year or two's worth of passwords is worse than useless, >> it's counterproductive, since it makes social engineering much easier, since >> *everyone* will be writing down their passwords. <snip> > The whole 90 day password change recommendation came about because it was > calculated to be the median number of days it would take to perform a > brute password crack on a offline copy of the password hashes given a > sufficiently complex password standard and a high-end desktop computer. > > With Amazon's cloud services now I guess they'll have to cut it down to 7 > days, or require finger print or retinal eye scans... "You have not logged on in one hour: your account is locked; please have it unlocked, and change your password...." mark "it's even safer if you unplug it from the network"