Designing a Password Policy
Often the initial passwords set by the administrator follow some sort of
convention, such as the user's initials, user ID, or the company name. Once the
convention is discovered, it is usually the first value tried by a hacker trying to
break in. In this case, it is a good idea to require users to change their passwords
after the administrator sets or resets them. If you configure this option for your
password policy, users are required to change their password even if user-defined
passwords are disabled. (See "User-Defined Passwords," on page 130 for information.)
If you choose not to allow users to change their own passwords, administrator-
assigned passwords should not follow any obvious convention and should be
difficult to discover.
By default, users do not need to change their passwords after reset.
User-Defined Passwords
You can set up your password policy either to allow or to prevent users from
changing their own passwords. A good password is the key to a strong password
policy. Good passwords do not use trivial words—that is, any word that can be
found in a dictionary, names of pets or children, birthdays, user IDs, or any other
information about the user that can be easily discovered (or stored in the directory
itself).
Also, a good password should contain a combination of letters, numbers, and
special characters. Often, however, users simply use passwords that are easy to
remember. This is why some enterprises choose to set passwords for users that
meet the criteria of a "good" password and not allow the users to change the
passwords.
However, assigning passwords to users takes a substantial amount of an
administrator's time. In addition, by providing passwords for users rather than
letting them come up with passwords that are meaningful to them and therefore
more easily remembered, you run the risk that the users will write their passwords
down somewhere where they can be discovered.
By default, user-defined passwords are allowed.
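The password rules described above, applied in Python to a constructed user entry. This is an added illustration, not code from the guide; the attribute names petName and birthDate are assumptions made for the example.

```python
import re

# Constructed sample data (not from the guide): a tiny word list and one user's
# directory attributes. A deployment would load a full dictionary and read the
# entry from the directory; petName and birthDate are hypothetical attributes.
DICTIONARY = {"password", "welcome", "secret", "netscape", "directory"}
USER_ENTRY = {
    "uid": "jsmith", "givenName": "John", "sn": "Smith", "o": "Example Corp",
    "petName": "Rover", "birthDate": "19700415",
}

def personal_tokens(entry):
    """Lowercase strings derived from the entry that a password must not use:
    user ID, names, company name words, initials, and the birthday in several
    common spellings."""
    tokens = set()
    for attr in ("uid", "givenName", "sn", "petName"):
        if entry.get(attr):
            tokens.add(entry[attr].lower())
    tokens.update(w.lower() for w in entry.get("o", "").split())
    initials = (entry.get("givenName", "")[:1] + entry.get("sn", "")[:1]).lower()
    if initials:
        tokens.add(initials)
    bd = entry.get("birthDate", "")
    if len(bd) == 8 and bd.isdigit():
        y, m, d = bd[:4], bd[4:6], bd[6:]
        tokens.update({bd, y, m + d + y, d + m + y, m + d + y[2:], d + m + y[2:]})
    return tokens

def check_password(password, entry, dictionary=DICTIONARY, min_length=8):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    low = password.lower()
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if not re.search(r"[A-Za-z]", password):
        reasons.append("no letters")
    if not re.search(r"[0-9]", password):
        reasons.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no special characters")
    # A dictionary word decorated with digits or symbols is still trivial.
    if low in dictionary or re.sub(r"[^a-z]", "", low) in dictionary:
        reasons.append("dictionary word")
    for token in sorted(personal_tokens(entry)):
        # Short tokens (initials) are refused only as a prefix; longer ones anywhere.
        if (len(token) >= 3 and token in low) or (len(token) < 3 and low.startswith(token)):
            reasons.append("contains personal information: %r" % token)
    return reasons
```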
Password Expiration
You can set your password policy so that users can use the same passwords
indefinitely. Or, you can set your policy so that passwords expire after a given
time. In general, the longer a password is in use, the more likely it is to be
discovered. On the other hand, if passwords expire too often, users may have
trouble remembering them and resort to writing their passwords down. A
common policy is to have passwords expire every 30 to 90 days.
130
Netscape Directory Server Deployment Guide • January 2002