[BlueOnyx:06915] Re: Disable Strong Passwords

Michael Aronoff maronoff at gmail.com
Thu Apr 7 00:07:28 -05 2011


Ernie wrote:
> There is nothing wrong with the system suggesting if a password is strong or weak in the programmer's opinion,
> however a site administrator should still be able to set what password they want. If a person can't remember a
> password because it's too hard, then they will either set it to auto entry, or write it down on a Post-it note or
> something equally insecure.

I could not disagree more strongly. I have had boxes hacked by weak
passwords. I have found that users bitch when you hem and haw while
explaining the policy. However, if you explain the policy like it is absolute
law that cannot be changed, then they do not complain as much; they then tend
to accept it and move on.

When a user asks about the password restriction and if anything can be done
about it "just for them" or "just this once" I very quickly but politely say
"no, we have these policies hard coded into all our servers for a reason,
and it is there to protect them and their account whether they realize it or
not." I have NEVER had a client leave over the strong password policy but
the clients whose accounts were hacked... you bet your life they canceled
their service with me. Something to think about.

M Aronoff Out





