Password aging vs. password complexity
If a password policy uses password aging, a password expires after a defined period of time and users must regularly update their password with a new one. Clearswift does not enable password aging as part of its password policy for the following reasons:
- Risk of users setting a weak password or writing a password down.
- No protection against a brute force attack.
- Users are only required to change their password when they log in after it has expired.
- Accounts used infrequently (such as cs-admin) require a password change every time they are used.
- Accounts used for machine-to-machine communication are silently locked out, which would cause the link between the machines to fail.
Instead, Clearswift uses password complexity as part of its password policy. Password complexity requires users to set a password that contains a minimum number of characters and at least one character from a number of character sets or classes.
Password complexity has a number of advantages, including:
- Users are forced to set a complex password on an account.
- A brute force attack is less likely to succeed.
- Infrequently used accounts do not require a password change after a long period of inactivity.
- Safe to use for machine-to-machine communication.
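A complexity rule of the kind described above (minimum length plus a minimum number of character classes) can be checked as follows. This is an added illustration, not Clearswift's own code; the four classes, the default length of 12 and the default of three classes are assumptions, since the page does not state the thresholds Clearswift applies.

```python
import string

# Character classes a password may draw from. Which classes and thresholds
# Clearswift uses is not stated on the page; these are assumed for illustration.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_present(password):
    """Return the names of the classes that contribute at least one character."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_complexity(password, min_length=12, min_classes=3):
    """Check a candidate password against the complexity rule.

    Returns (ok, reasons): ok is True when the password is at least min_length
    characters long and uses at least min_classes of the classes above. Every
    failed rule is reported so the user sees all the feedback at once.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    present = classes_present(password)
    if len(present) < min_classes:
        missing = sorted(CLASSES.keys() - present)
        reasons.append(
            f"uses {len(present)} character classes, need {min_classes} "
            f"(missing: {', '.join(missing)})"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["abcdefghijkl", "Tr0ub4dor&3", "Tr0ub4dor&3x"]:
        ok, reasons = check_complexity(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(reasons)}")
```

A password that meets the length requirement but draws from a single class is rejected, which is the case password aging on its own does nothing to prevent.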
By using password complexity, Clearswift has strengthened its password policy and increased the security of local accounts.