security: request/require password change every X days/weeks/months
Not sure if this is more of a MacOS X topic... but...
A feature I find annoying, but useful, on our corporate Novell Network is that every 3 months or so it tells us that we have to change our password and that we have 10 grace logins before it becomes obligatory.
It's annoying, but good practice.
Is there any way to enable such a function in OSX (via OSX Server or via 3rd party software)?
Comments
Password Policies
Both Kerberos and Open Directory Password Server enforce password policies. For example, a user's password policy can specify a password expiration interval. If the user is logging in and Open Directory discovers the user's password has expired, the user must replace the expired password. Then Open Directory can authenticate the user.
Password policies can disable a user account on a certain date, after a number of days, after a period of inactivity, or after a number of failed login attempts. Password policies can also require passwords to be a minimum length, contain at least one letter, contain at least one numeral, differ from the account name, differ from recent passwords, or be changed periodically. Open Directory applies the same password policy rules to Open Directory Password Server and Kerberos, except that Kerberos does not support all the rules.
Password policies do not affect administrator accounts. Administrators are exempt from password policies because they can change the policies at will. In addition, enforcing password policies on administrators would subject them to denial-of-service attacks.
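As an added example (not part of the thread or of Apple's documentation quoted above), the following shell script expresses the rules the original poster describes (a forced change every ~3 months, plus the composition rules listed in the comment) as a policy string for Apple's `pwpolicy` tool, and audits the output of `pwpolicy -getpolicy` to confirm an account actually has an expiry configured. The policy keys `maxMinutesUntilChangePassword`, `minChars`, `requiresAlpha`, `requiresNumeric`, `passwordCannotBeName`, `usingHistory` and `maxFailedLoginAttempts` are assumed from the `pwpolicy(8)` man page of the Open Directory era; the sample `-getpolicy` output is constructed so the audit functions run offline. The Novell "10 grace logins" has no direct equivalent in these keys, so it is not modelled.

```shell
#!/bin/sh
# Added example, not the thread's or Apple's code. Builds an Open Directory
# password policy (assumed pwpolicy(8) keys) and audits a -getpolicy line.

# policy_string DAYS HISTORY -> policy string: force a change every DAYS days,
# remember HISTORY previous passwords, plus length/composition/lockout rules.
policy_string() {
    days=$1
    hist=$2
    minutes=$((days * 24 * 60))
    printf '%s' "maxMinutesUntilChangePassword=$minutes minChars=8 requiresAlpha=1 requiresNumeric=1 passwordCannotBeName=1 usingHistory=$hist maxFailedLoginAttempts=10"
}

# policy_value OUTPUT KEY -> value of KEY in a "key=value key=value" line
# (the shape pwpolicy -getpolicy prints), or an empty string if KEY is absent.
policy_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# audit_expiry OUTPUT MAXDAYS -> 0 if the policy forces a change at least every
# MAXDAYS days; 1 if expiry is disabled (0 or absent) or longer than MAXDAYS.
audit_expiry() {
    out=$1
    maxdays=$2
    v=$(policy_value "$out" maxMinutesUntilChangePassword)
    [ -z "$v" ] && v=0
    if [ "$v" -eq 0 ] || [ "$v" -gt $((maxdays * 24 * 60)) ]; then
        return 1
    fi
    return 0
}

# Constructed samples of what "pwpolicy -u USER -getpolicy" might print.
# SAMPLE_OK rotates every 90 days (129600 minutes); SAMPLE_BAD never expires.
SAMPLE_OK="maxMinutesUntilChangePassword=129600 minChars=8 requiresAlpha=1 requiresNumeric=1 usingHistory=5"
SAMPLE_BAD="maxMinutesUntilChangePassword=0 minChars=0"

# Apply to a real account only when run as: sh script.sh USERNAME
# (requires an administrator; does nothing if pwpolicy is not installed).
if [ -n "$1" ] && command -v pwpolicy >/dev/null 2>&1; then
    pwpolicy -u "$1" -setpolicy "$(policy_string 90 5)"
    pwpolicy -u "$1" -getpolicy
fi
```

Run without arguments the script only defines the functions and samples; pass a user name on an OS X machine with `pwpolicy` to set a 90-day rotation with a 5-password history. The audit half is the part worth keeping around: `audit_expiry "$(pwpolicy -u alice -getpolicy)" 90` returns non-zero when an account has silently lost its expiry, which is the failure mode the thread is really asking to prevent.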
Different passwords for different systems / networks are good security practice.
Keeping things in your head, not on paper, is good security practice.
Few people are capable of reliably remembering four or five strong passwords and inventing totally new ones every three months. This is why I hate mandatory password changing, and sort of circumvent it by recycling my random-junk passwords between systems that I consider "equally secure". I'm sure the average user, when faced with this situation, will throw his hands up and 3M the passwords on his desk, use a predictable way to generate all his passwords (as long as password strength checkers allow it), or do like I do.
Physical tokens make sense. One-time password list on paper makes sense. I have yet to hear one good explanation for mandatory password changing when these other options exist.