[Date Prev][Date Next] [Chronological] [Thread] [Top]

[ldapext] pwdInHistory vs pwdHistoryDuration

To: ldapext <ldapext@ietf.org>
Subject: [ldapext] pwdInHistory vs pwdHistoryDuration
From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
Date: Fri, 2 Jul 2010 13:08:13 -0700
Delivered-to: ldapext@core3.amsl.com

As previously noted, I believe it better to keep expire history based upon time in history not number of history.  The latter leads to the need for pwdMinAge, which from a security perspective, is a really bad idea.

At Isode, we ignore pwdInHistory and instead utilize an additional attribute, pwdHistoryDuration, to control history expiration.

-- Kurt
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext

Prev by Date: Re: [ldapext] password policy: delayed failures
Next by Date: [ldapext] password policy vs. shadowing/caching
Index(es):
- Chronological
- Thread