[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: minimum number of days between password change

On Mon, Nov 01, 2010 at 12:49 -0500, Ron Johnson wrote:
> On 11/01/2010 11:28 AM, Lukas Baxa wrote:
>> Minimum number of days between password change          : 76
>> Maximum number of days between password change          : 90
>> Number of days of warning before password expires       : 14

>> However, I'm able to change my password when logged in as guest as
>> many times I want the same day

> If someone learns my password on day 2, they have full access to my
> account for 74 days, or I must beg for SysAdmin help?

> "Minimum number of days" isn't a very bright idea.

I completely agree¹, but this policy should still be enforced or it
has to be made clear that this setting is deprecated and no longer

--- chage manpage ---
 -m, --mindays MIN_DAYS 
 Set the minimum number of days between password changes to MIN_DAYS. A
 value of zero for this field indicates that the user may change his/her
 password at any time.
--- snip ---

… which is clearly not working in the way it is described. I have not
reproduced this bug myself, but it is exactly that and should therefore
be reported - not by posting to d-d - but rather by executing "reportbug



¹ There might be use cases though ?-)
  .''`.     Wolodja Wentland    <wolodja.wentland@ed.ac.uk> 
 : :'  :    
 `. `'`     4096R/CAF14EFC 
   `-       081C B7CD FF04 2BA9 94EA  36B2 8B7F 7D30 CAF1 4EFC

Attachment: signature.asc
Description: Digital signature

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Reply to: