
Re: Proposal for 1.3: Password expiration



However, I would still like to make admin-reset passwords valid only
for 1 day.  If you have no password expiration, once they change it,
it will not expire.  But the actual reset is a problem.

BTW, most current thinking I have seen on this issue suggests that
there is a tradeoff.  I personally favor expiring passwords by default
after 90 days.  Unlike your PIN on your credit card, you need the rest
of the info on the magstripe to make an attack.   The options for
attack on a web application are higher.  Obviously passwords expiring
every week would be silly and absent very specific facts would
probably be horribly insecure.  And obviously in some cases, an attack
is not a concern.  However, especially if the application is
accessible from the internet, having expiration of passwords makes a
lot of sense.

I think we should recommend that passwords expire periodically if the
system is potentially subject to attack from a moderate-sized business
network or the internet.  Also we currently log auth failures so brute
force attacks will generally be obvious from the logs.

Best Wishes,
Chris Travers
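The rule proposed above (admin-reset passwords live one day regardless of policy; user-set passwords follow the configured expiry, 90 days by default or never) and the log-based brute-force check mentioned at the end, as an added illustration that is not code from the message or the project it discusses. The `set_by_admin` flag, the `expiry_days` policy parameter and the log line format are all assumptions made up for this example.

```python
from datetime import datetime, timedelta
from dataclasses import dataclass
from typing import Optional

ADMIN_RESET_LIFETIME = timedelta(days=1)  # admin-reset passwords always expire
DEFAULT_EXPIRY_DAYS = 90                  # proposed default for user-set passwords

@dataclass
class PasswordRecord:
    set_at: datetime
    set_by_admin: bool  # assumed flag: True for an admin reset, False for a user change

def password_expired(rec: PasswordRecord, now: datetime,
                     expiry_days: Optional[int] = DEFAULT_EXPIRY_DAYS) -> bool:
    """True if the password must be changed; expiry_days=None means user passwords never expire."""
    if rec.set_by_admin:
        return now - rec.set_at > ADMIN_RESET_LIFETIME
    if expiry_days is None:
        return False
    return now - rec.set_at > timedelta(days=expiry_days)

# Constructed auth-failure log lines in a made-up format, not any real application's log.
SAMPLE_LOG = "\n".join(
    [f"2010-03-01 10:00:0{i} auth failure user=alice from=10.0.0.5" for i in range(6)]
    + ["2010-03-01 10:30:00 auth failure user=bob from=10.0.0.9",
       "2010-03-01 10:31:00 auth success user=bob from=10.0.0.9"])

def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (user, source) pairs with at least `threshold` failures inside any `window`."""
    events = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2:4] != ["auth", "failure"]:
            continue  # only failed logins count towards the threshold
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        key = (parts[4].split("=", 1)[1], parts[5].split("=", 1)[1])
        events.setdefault(key, []).append(ts)
    flagged = []
    for key, times in events.items():
        times.sort()
        start = 0  # sliding window over the sorted failure timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged
```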