CLAYTON@XRT.UPENN.EDU ("Clayton, Paul D.") (07/11/88)
In response to the recent bout of messages on the changing of passwords and how to ensure that users do not re-use passwords, I offer the following solution.

On the VAX87C SIG tape, in the directory, [VAX87C.EROS.PASS], there is a program already written which will maintain a history of passwords on an account basis. The length of time the history is kept is user selectable by processor. This program would be run each night, and it will check for a user that has changed his/her password and if it is now the same as a previous one for that user, over time duration (x). If it DOES match, the UAF record is set with PASSWORD EXPIRED, so that the next time the user logs into the account the password once again has to be changed.

Note that this does NOT stop people from re-using the passwords, but I believe that they will get tired of entering new passwords and then this problem would be solved.

Concurrent with the program implementation, it would speed up the acceptance of, and adherence to, this system if a policy is put forth stating the specific time frame, each day, that dead accounts will be re-enabled for the user.

Hope this helps.

pdc

Paul D. Clayton
Address - CLAYTON%XRT@CIS.UPENN.EDU

Disclaimer: All thoughts and statements here are my own and NOT those of my employer, and are also not based on, or contain, restricted information.
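
The nightly check described in the post above, sketched as an added example; it is not the program from the SIG tape and not part of the original thread. The record layout, the names `nightly_check` and `stored_hash`, the 365-day window and the sample account are all assumptions, and it assumes the stored hash is the same whenever the same user picks the same password.

```python
import hashlib
from datetime import datetime, timedelta

RETENTION = timedelta(days=365)  # assumed value for the post's "time duration (x)"

def stored_hash(user, password):
    # Stand-in for the hash held in the authorization file (not the VMS algorithm).
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

def nightly_check(accounts, history, now, retention=RETENTION):
    """accounts: {user: {"pwd_hash", "pwd_expired"}}, a stand-in for UAF records.
    history:  {user: [(hash, first_seen), ...]}, oldest first.
    Returns the users flagged PASSWORD EXPIRED on this run."""
    flagged = []
    cutoff = now - retention
    for user, rec in accounts.items():
        entries = history.setdefault(user, [])
        # Age out old hashes, but keep the newest entry: it is the baseline
        # used to notice that the password changed since the last run.
        last = len(entries) - 1
        entries[:] = [e for i, e in enumerate(entries) if e[1] >= cutoff or i == last]
        current = rec["pwd_hash"]
        if entries and entries[-1][0] == current:
            continue  # unchanged since the previous run
        if any(h == current for h, _ in entries):
            rec["pwd_expired"] = True  # forces another change at next login
            flagged.append(user)
        entries.append((current, now))
    return flagged

def demo():
    # Constructed sample: one account, password as seen on selected nights.
    t0 = datetime(1988, 7, 1)
    accounts = {"SMITH": {"pwd_hash": "", "pwd_expired": False}}
    history, results = {}, []
    nights = [(0, "ALPHA1"), (30, "BRAVO2"), (60, "ALPHA1"),
              (61, "ALPHA1"), (500, "BRAVO2")]
    for day, pwd in nights:
        accounts["SMITH"]["pwd_hash"] = stored_hash("SMITH", pwd)
        results.append(nightly_check(accounts, history, t0 + timedelta(days=day)))
    return results

if __name__ == "__main__":
    print(demo())
```

Because the check only runs once a night, a user who changes to a new password and back again between two runs is never seen to have changed at all.
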
RAND@merrimack.EDU ("Rand P. Hall") (07/12/88)
The best advice I can give people on the subject of changing passwords came from Steve Tihor. Just tell your users that their password doesn't have to be one word. I've found people to respond very positively to this. 'IHATEMYWIFE' is much easier to type and remember than 'GIGANTESQUE'. It's also much easier to enforce longer passwords.

Rand P. Hall, rand@merrimack.edu (csnet)
Director, Academic Computing, 508.683.7111
Merrimack College
315 Turnpike Rd.
North Andover, Mass. 01845

"There is elegance in simplicity." - Kimball S. Maddocks