> >Has anyone attempted to modify the TIS authenticator software to age
> >passwords? We plan to do this soon, but rather than re-invent the
> >wheel...
>
> We don't recommend using authentication technologies where
> your password might "age." -- Systems like S/key, where your
> passwords expire after each use, or systems like commercial challenge
> response or changing ID cards do not need to expire since the
> passwords are (effectively) nonrepeating.

I don't know here -- I've always believed that changing passwords
was important, even in systems where you don't actually pass them
in cleartext.

With s/key, for instance, it is not a good idea to become too used to
one particular password for too long a time. Perhaps it's merely me,
but I find that after having one password too long, I tend to sometimes
slip up and type the wrong password at the wrong time. Changing passwords
on a regular basis keeps you from slipping up too much.

Additionally, if your password was somehow sniffed or otherwise
gotten-ahold-of (perhaps they watched you generate keys through the
keyhole?), changing one's password provides an added sense of
security.

--
John Hawkinson
jhawk @ panix . com