folks,

I have a security related question, to all you. Please share your comments with me.

I have a situation where i was asked to automate the password in my application, which expires every 6 months. In this case i need to generate a random password and set the password on some database/system (encrypted) and use this password in my application. In doing so the owner of the account will not be knowing the password as well.

My argument is that at first place, we should not automate the password to change automatically upon expiary. Secondly, changing the password automatically, the password change is not accountable and at later stages we would not know who changed the password last time. When i think of the password change I strongly belive that the account owner should be responsiable for keeping the passwords in a secret/encrypted form.


Please kindly share your thoughts if you had encountered such a situation beofre and what is best way to deal with this situation.


Hope to here from your expertese.


Cheers
Sudharma.

If it's a password for an account which is only used for automated processing, an expiry period of 6 months is a bit much, especially if the account owner doesn't need to know the password (why is there one anyways). In that case I'd rather opt for a very, very complex password (max out length, use special characters as much as possible, ... something like ]?fb6#Z8"2a[{?(Cl+$? ) that's valid for the next 2 years or so.

Or, even better, if that password is used to remotely connect to a system, drop it altogether and switch to public key authentication with at least 2048 bit keys, those should be save for the next decade or so (just don't use an old Debian to generate them)

Thank you much for your reply Pludi. That was informative.

Cheers
Sudharma.