> - netID passwords should expire annually
> - netID passwords should be subjected to some type of strength analysis
> (e.g. libcrack)

I agree that we need to revisit enforcing password strength, and password
FYI, we already have most of the password strength checking infrastructure
On the main webpage to change your netid password, libcrack is used to
verify the strength of your password. You can't set one it deems as
weak, and the reason (too few characters, dictionary word, etc.) is
returned to the user. We can certainly tweak the rules as needed.
On the "resynchronize your uvm netid" page, you are warned if your
password is weak, and the page suggests that you change it (and links to
the above password change site). We could certainly require a change
there instead of just suggesting it.
As for other methods to change your password, most of them should be
fairly easy to wrap as well.
My point of all the above is to say that from a technical point of view,
enforcing better password strength would be easy to do.
Supporting password expiration would take a bit more work to have all
services understand that a password is expired and present the user with
useful information, rather than just rejecting the authentication outright.
But that is definitely worth looking into much more than we have recently,
and shouldn't be terribly difficult...