[148104] in North American Network Operators' Group
Re: AD and enforced password policies
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Jan 3 09:23:29 2012
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <A2DFB87C-78E7-4016-A19B-A55D97E2A9CC@cs.columbia.edu>
Date: Tue, 3 Jan 2012 09:22:31 -0500
To: Steven Bellovin <smb@cs.columbia.edu>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 2, 2012, at 8:45 PM, Steven Bellovin wrote:
> Minimum Length : 8
> Maximum Length : 12
> Maximum Repeated Characters : 2
> Minimum Alphabetic Characters Required : 1
> Minimum Numeric Characters Required : 1
> Starts with a Numeric Character
> No User Name
> No past passwords
> At least one character must be ~!@#$%^&*()-_+={}[]\|;:/?.,<>"'`
One site I saw would break when you exceeded the maximum length but silently accept it. Making the users jump through sufficient hoops to generate a password and keep it for the sake of "security" only serves to weaken the resolve of users and the complexity of passwords used.

Dare I say, if a password system is too cumbersome I may reject them as an employer at some point out of frustration, or just call the help desk daily to reset the password.

Back to the OP's question. I've used the Quest system as a user and found it useful. Having this outside any VPN for your remote users is very helpful.

- Jared
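The policy quoted above can be put into code to make the thread's point concrete. The following is an added example, not code from the NANOG thread or from any product it mentions: a validator for the quoted rules, plus an upper-bound count of the passwords the policy can possibly accept, compared with a policy that simply allows longer passwords. Assumptions are marked in the comments: the permitted alphabet is taken to be the 94 printable ASCII characters excluding space (the 32 specials in the quoted list are exactly Python's string.punctuation), "Maximum Repeated Characters: 2" is read as no run of more than two identical consecutive characters, and the sample passwords are constructed.

```python
"""Validator and keyspace estimate for the quoted password policy (added
example; the rule set is the one quoted in the message, the alphabet and
the reading of the repeat rule are assumptions)."""
import math
import string

# Assumed alphabet: 94 printable ASCII characters, space excluded.
ALPHA = set(string.ascii_letters)     # 52 letters
DIGITS = set(string.digits)           # 10 digits
SPECIAL = set(string.punctuation)     # 32 specials, same set as the quoted list
ALPHABET = ALPHA | DIGITS | SPECIAL   # 94 characters in total

MIN_LEN, MAX_LEN, MAX_REPEAT = 8, 12, 2


def check_password(pw: str, username: str = "", history=()) -> list[str]:
    """Return the list of quoted-policy rules a candidate violates.
    An empty list means the candidate is accepted. "Maximum Repeated
    Characters: 2" is interpreted (assumption) as no run of more than two
    identical consecutive characters."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than minimum length")
    if len(pw) > MAX_LEN:  # reject explicitly rather than silently truncating
        problems.append("longer than maximum length")
    if any(c not in ALPHABET for c in pw):
        problems.append("character outside permitted set")
    if not pw or pw[0] not in DIGITS:
        problems.append("does not start with a numeric character")
    if not any(c in ALPHA for c in pw):
        problems.append("no alphabetic character")
    if not any(c in DIGITS for c in pw):
        problems.append("no numeric character")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character")
    if username and username.lower() in pw.lower():
        problems.append("contains user name")
    if pw in history:
        problems.append("matches a past password")
    run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        if run > MAX_REPEAT:
            problems.append("too many repeated characters")
            break
    return problems


def policy_count(n: int) -> int:
    """Upper bound on the number of length-n passwords the quoted policy can
    accept: the first character is one of 10 digits (which also satisfies
    the numeric-character rule), and the remaining n-1 positions must hold
    at least one letter and at least one special, counted by
    inclusion-exclusion (42 = digits+specials, 62 = letters+digits,
    10 = digits only). The repeat, user-name and history rules only
    remove further candidates, so this is an upper bound."""
    rest = n - 1
    return 10 * (94**rest - 42**rest - 62**rest + 10**rest)


def policy_keyspace(lo: int = MIN_LEN, hi: int = MAX_LEN) -> int:
    """Upper bound over every length the policy allows."""
    return sum(policy_count(n) for n in range(lo, hi + 1))


def unconstrained_keyspace(n: int) -> int:
    """Any n characters drawn from the 94-character alphabet."""
    return 94**n


def bits(count: int) -> float:
    """Keyspace expressed as bits, for comparing policies."""
    return math.log2(count)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("7Summer!!", "Summer!!7", "7Summer!!!", "7Summer!!Summer"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
    print(f"quoted policy, 8-12 chars: {bits(policy_keyspace()):.1f} bits (upper bound)")
    print(f"any 12 chars:              {bits(unconstrained_keyspace(12)):.1f} bits")
    print(f"any 16 chars:              {bits(unconstrained_keyspace(16)):.1f} bits")
```

Running it shows the binding constraint is the 12-character cap, not the composition rules: the quoted policy tops out around 75 bits of keyspace, a few bits below unconstrained 12-character strings, while simply permitting 16 arbitrary characters gives roughly 105 bits. A max-length rule short enough to "break" a site, as described above, costs more strength than the complexity rules add.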