From: Robert Watson <rwatson@FreeBSD.org>
Date: Sun, 14 Sep 2008 11:12:46 +0100 (BST)
To: mouss
Cc: freebsd-security@freebsd.org, Khachatur Shahinyan, Toby Burress
Subject: Re: Freebsd auto locking users
In-Reply-To: <48CC26A7.6020407@netoyen.net>
References: <48CB52AE.6070501@arca.am> <20080913063522.GA3784@lithium.delete.org> <48CC26A7.6020407@netoyen.net>

On Sat, 13 Sep 2008, mouss wrote:

>> A quick search doesn't show me any port for enforcing password age. For
>> what it's worth, I once emailed Bruce Schneier about the effectiveness of
>> that and he said he never changed his passwords (based on age, anyway).
>> But there's probably something.
>
> Given that it's not easy to select a good password (both strong and easy to
> remember), password expiration sometimes results in weak passwords or in
> forgotten ones. Or, if no measure is taken against it, people change to old
> ones.
>
> http://www.cryptosmith.com/sanity/expharmful.html
> http://www.rsa.com/blog/blog_entry.aspx?id=1286
> http://www.cerias.purdue.edu/site/blog/post/password-change-myths/P50/
>
> and the other side has its proponents of course:
>
> http://lopsa.org/node/29

While these complaints about password expiration are certainly true, it
seems like a common policy required by many sites, and failing to be able
to support that policy will limit our ability to run at those sites. It
would be nice if we could complete the implementation of some of those
password-related policies.

Robert N M Watson
Computer Laboratory
University of Cambridge