Comments on Rob Barton: Password Security and the Minimum Password Age

Ellick, 2016-08-22:

I must confess something: As a software engineer for Unisys I designed 'minimum password age' for the Unisys A Series mainframes in 1986 for exactly the reason described in this blog post. This was done with all the constraints of limited password history storage capacity at the time.

During the C2 evaluation of the mainframe series, this control also made it back into one of the Rainbow Series books. Little did I know that this fact would cause Microsoft later on to implement this in Windows to obtain a C2 evaluation as well!

If I would design this today, I would come to a very different solution, believe me.

Anna Schafer, 2015-03-28:

This comment has been removed by a blog administrator.

Anonymous, 2014-02-11:

Sorry to rain on your parade. This is a lame argument for minimum password age.

Several times I've changed a password only to realize I don't like it for one of several reasons - difficult to type *a lot*, inconvenient to remember, etc. For someone who uses all 4 common categories of complexity requirements, having to wait and change my password is a hassle.

Worse, suppose I have reason to believe the password was compromised during that time - I can't change it.

A much more user-friendly policy is just to increase the password history to a large number (25 for example). I doubt very much that users will cycle through 25 long complex passwords just to get back their original password.

Thanks for giving me a page where I can vent my frustration on this policy! :)