On Sun, 27 Jul 2003, Stephen Sprunk wrote:
There's a staggering number of web sites that won't allow me to use non-alphanumeric characters in my passwords at all. I've even run into a few which also don't allow and/or preserve upper-case letters. Those who fail to learn the lessons of history...
It's even worse, we're actually moving backwards. Not only users, but even "security consultants" don't understand the history. They have checklists. The checklist says you must change the password every 30 days pass/fail.

If you go to the library (or use Google) and look up the Green Book, you'll find password lifetime was not a critical factor. The Green Book has the somewhat arbitrary recommendation for a 1 year password lifetime. The original analysis was based on 300/1200 baud modems, but even that isn't relevant *PROVIDED* you implement the other recommendations in the Green Book. Most bank 4-6 numeric PINs have indefinite lifetimes. Most ISPs don't require consumers to change network passwords.

The problem is fewer and fewer modern systems implement the other recommendations. So password lifetime has become the primary protection factor.

How many systems notify the user
- the date and time of user's last login
- the location of the user at the last login
- unsuccessful login attempts since last successful login

How many web systems control the rate of login attempts
- by source
- by userid

How many web systems notify anyone or block the account after N unsuccessful login attempts either temporarily or permanently

Systems like VAX/VMS had a relatively sophisticated intrusion detection and evasion process built into the operating system by the 1980's.

Note: if the user's PC has been compromised it doesn't matter how frequently they change their password. Even pseudo-random one-time-password systems are vulnerable when the user's system has been compromised (as some mobsters found out when the FBI infiltrated their systems).
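The login-time controls the post is asking about, as an added example that is not part of the thread: a small monitor that rate-limits failed attempts by source and by userid, temporarily locks an account after N failures, and on a successful login reports the time and source of the last login plus every failure since it. The thresholds, the user name and the login events are constructed assumptions.

```python
from collections import defaultdict, deque
WINDOW = 600         # seconds over which failed attempts are counted
MAX_PER_USER = 5     # failures per userid within WINDOW before a temporary lockout
MAX_PER_SOURCE = 20  # failures per source address within WINDOW before rate limiting
LOCKOUT = 900        # seconds a userid stays locked after reaching MAX_PER_USER

class UserState:
    def __init__(self):
        self.last_success = None             # (time, source) of the last good login
        self.failures_since_success = []     # (time, source) of each failure since then
        self.locked_until = 0.0
class LoginMonitor:
    def __init__(self):
        self.users = defaultdict(UserState)
        self.user_fail = defaultdict(deque)      # userid -> recent failure timestamps
        self.source_fail = defaultdict(deque)    # source -> recent failure timestamps

    def attempt(self, now, userid, source, password_ok):
        """Judge one login attempt; returns (decision, notice for the user or None)."""
        st, uq, sq = self.users[userid], self.user_fail[userid], self.source_fail[source]
        for q in (uq, sq):                       # forget failures older than WINDOW
            while q and now - q[0] > WINDOW: q.popleft()
        if now < st.locked_until:                # locked after N failures, even if correct
            return "locked", None
        if len(sq) >= MAX_PER_SOURCE:            # rate limit by source address
            return "rate_limited", None
        if not password_ok:
            uq.append(now); sq.append(now)
            st.failures_since_success.append((now, source))
            if len(uq) >= MAX_PER_USER:          # rate limit by userid: temporary lockout
                st.locked_until = now + LOCKOUT
                return "locked", None
            return "denied", None
        # success: tell the user when/where they last logged in and what failed since
        notice = {"last_login": st.last_success,
                  "failed_since_last": list(st.failures_since_success)}
        st.last_success = (now, source)
        st.failures_since_success.clear()
        uq.clear()
        return "allowed", notice
# constructed sample: one good login, five failures from another address (the fifth
# locks the account), the right password while still locked, then a login afterwards
EVENTS = ([(0, "alice", "203.0.113.5", True)]
          + [(100 + 10 * i, "alice", "198.51.100.9", False) for i in range(5)]
          + [(200, "alice", "203.0.113.5", True), (2000, "alice", "203.0.113.5", True)])

def run(events):
    mon = LoginMonitor()
    return [mon.attempt(*e) for e in events]
```

The notice returned on the final login is what a system would show the user: the previous successful login at time 0 from 203.0.113.5 and the five failed attempts from 198.51.100.9 in between.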