Old 14-12-2012, 05:38   #21
Milambar
Re: My Virgin Media Password Change

Quote:
Originally Posted by qasdfdsaq
Then how would they selectively only make non-compliant passwords be changed?
Agreed, this one fact means that VM are playing the "Security Theatre" game. Just trying to make it SEEM more secure, when it's actually less secure. The fact that they know which passwords are non-compliant means that either the passwords are stored plaintext, or using a reversible encryption method.

Also time limiting passwords is a fail idea too, due to human nature. Good idea in theory, but fails miserably in practice, because it forces people to think up a new password every x days, which means they tend to think up easy to remember words, capitalize the first letter (or last), replace some of the letters with numbers, and toss in a special symbol such as $ instead of s. Then they write it down on a post-it note. Which defeats the whole objective.

Best enforce a totally random password, but let them keep it indefinitely, so they get used to it, and don't need to write it down.
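Added example, not part of the original post and not Virgin Media's code: the quoted question asks how a site could single out non-compliant passwords. This sketch shows one design in which only salted hashes are stored and the policy is checked at login, when the user supplies the password. The policy, the `AccountStore` class and its field names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest); the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def is_compliant(password):
    """Hypothetical policy: 8+ characters, at least one letter and one digit."""
    return (len(password) >= 8
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"\d", password) is not None)


class AccountStore:
    def __init__(self):
        self.records = {}  # username -> {"salt", "digest", "must_change"}

    def register_legacy(self, user, password):
        # Account created before the policy existed: nothing is checked or flagged.
        salt, digest = hash_password(password)
        self.records[user] = {"salt": salt, "digest": digest, "must_change": False}

    def login(self, user, password):
        rec = self.records.get(user)
        if rec is None:
            return "denied"
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["digest"]):
            return "denied"
        # The plaintext exists only here, in memory, while the login is processed.
        # The stored salt and digest alone cannot answer the policy question.
        if not is_compliant(password):
            rec["must_change"] = True
        return "change_required" if rec["must_change"] else "ok"
```

With this design the stored record says nothing about compliance until the account's owner next logs in, so which accounts get flagged depends on who has signed in since the policy changed.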