Interesting post regarding password change frequency

In doing some research on Password Recovery in 6.5.x, I came across this comment on the Notes/Domino 6 and 7 Discussion forum.

“Most security experts now agree that forcing periodic password changes doesn’t increase security – it just makes users more likely to forget or write down their passwords. Unfortunately, most corporate IT departments haven’t caught on yet. ;)”

This was posted by Dave Kern on 26.Apr.06 at 02:31 PM.

Then someone asked him about that very statement in the next post, and here is his response.


It all comes down to whose reports you believe. This isn’t something that any single person could just “document” and become a definitive source. If so, I’d write the whitepaper myself just to end the perpetual debate. :)

Here’s a recent writeup that I found on the topic by a thoroughly reputable source (Prof Eugene Spafford):

http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/

Google found another article on password expiration for me:

http://www.smat.us/sanity/expharmful.html

Network Security: Private Communication in a Public World (1st edition) discusses the issue in section 8.6.2, “Requiring Frequent Password Changes”.

I believe that Bruce Schneier’s Applied Cryptography and the 2nd Edition of Network Security:… discuss the matter as well, but those aren’t on a handy bookshelf, so I’ll end my research here.


Frankly, the true problem is that passwords themselves are an obsolete technology. They worked well in environments where the only people with physical access to the system were trusted, passwords were intended to discourage the curious, and nobody ever had more than one or two passwords to remember at a time. These days, users have dozens of passwords with different complexity requirements and mandatory change intervals for everything from personal email to confidential corporate databases to web sites of dubious legitimacy. Many sites expose the plain text of their users’ passwords to their administrators or use unsalted hashes, which could be seen as a great source of side revenue for the unethical, but not good security.

I’m just waiting for the day when all of the web sites that I need to use support SSL client certificates and all of my applications and operating systems support smart cards and some form of PKI-based authentication so I can just carry a single USB token around (after backing up the keys and certs onto a CD-R stored in a safe) instead of a hand-written list of passwords, and all that a remote service ever needs to store in order to authenticate me is a public key or certificate.

dave
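To make the point about unsalted hashes concrete, here is an added example (not from the forum post above, and not part of Notes/Domino or any product mentioned on this page). The user names and passwords are constructed sample data. It stores the same set of passwords two ways, an unsalted SHA-256 digest and PBKDF2-HMAC-SHA256 with a random per-user salt, and then shows what a reader of the stored hashes can learn in each case: without a salt, two users who chose the same password are visibly linked and one precomputed table covers every account; with a per-user salt, equal passwords produce unrelated records and each account has to be attacked separately. The function names and the `iterations$salt$digest` storage format are my own choices, not a standard.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed sample data: alice and bob happen to pick the same password.
USERS = {
    "alice": "Winter2006!",
    "bob": "Winter2006!",
    "carol": "correct horse battery",
}


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password. Equal passwords
    give equal digests, and one precomputed table serves every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """The better scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    Returns a self-describing record 'iterations$salt_hex$digest_hex'
    (hypothetical format chosen for this example)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the salt and iteration count taken from
    the stored record; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_store(users: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Produce the per-user credential records as a site would store them."""
    if salted:
        return {name: salted_hash(pw) for name, pw in users.items()}
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def shared_password_groups(store: Dict[str, str]) -> List[Set[str]]:
    """What an administrator (or anyone holding a copy of the table) can
    infer from the stored values alone: groups of users whose records are
    identical and who therefore share a password."""
    by_value: Dict[str, Set[str]] = {}
    for name, record in store.items():
        by_value.setdefault(record, set()).add(name)
    return [group for group in by_value.values() if len(group) > 1]


if __name__ == "__main__":
    weak = build_store(USERS, salted=False)
    strong = build_store(USERS, salted=True)
    print("unsalted: users visibly sharing a password ->",
          shared_password_groups(weak))
    print("salted:   users visibly sharing a password ->",
          shared_password_groups(strong))
    print("alice logs in with correct password:",
          verify_salted(USERS["alice"], strong["alice"]))
    print("alice logs in with wrong password:  ",
          verify_salted("Winter2007!", strong["alice"]))
```

Running it shows the unsalted store leaking that alice and bob share a password while the salted store reveals nothing, and that verification still works because the salt travels with the record rather than being secret. The iteration count is the other half of the defence: a slow, salted hash is what makes a stolen table expensive to attack, which is the property that forced password rotation was often (wrongly) expected to provide.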


This definitely caught my attention.

I’m trying to figure out how to set up password recovery. When I was in Buenos Aires a few weeks ago, I noticed that the “Recover Password” dialog box would appear when someone entered a wrong password.

I’ve tried it on my own desktop today and I don’t have the Recover Password click box on the wrong password dialog box. I thought it might be that I was using an admin ID, so I switched to a test ID and purposely put in the wrong password and I don’t get that box.

Any ideas?
