John,
Company wide, I believe that you would find that the policy is to make all of the systems trusted and to basically use a Nazi type approach. I???m fortunate enough not to be included in this yet, but it would seem as if the Nazis are being assimilated by the Borg at this time and we all know what the Borg plan on doing to everyone. I???m afraid that my time in the minority may be limited ;-(
For now, the root passwords haven???t changed in quite some time on the systems that I deal with. I can???t take total credit for that because technically this system belongs to another group and it???s their responsibility to handle things of this nature. In other words, it???s not my ???fat in the fire??? if something goes wrong ;-)
The one box that I have that is pretty much my own personal sandbox in this company has pretty much sank below radar and the password for it hasn???t changed in close to a year at this point.
Prior to it becoming a sandbox, it had a matching box in a different location. They were mirrored and had users on them on a regular basis. At that point, the root password would change each time that it got discovered by someone else, but on no regular basis other than that. This was a decision made by people above me.
Once they discovered that divulging the root password had caused them grief (they aren???t the most Unix-savvy people in this company) then they allowed me to take that part over and keep the password hidden from the general group. We haven???t had a system/software failure on them since.
The user passwords expire every 30 days and the users get to reset them. The department keeps a folder with these group passwords in them, but root isn???t included in there any longer.
Back to your specific questions:
How often..?
Rarely
Same or different????
Personally managed = same for like systems, otherwise different
Corporate = Trusted (who knows?)
Machine generated????
Not on my side, but I do use combo of all the elements that you mention.
Easy????
For me, of course! I don???t want to go ask someone what password I set. It???s embarrassing???
Dictated????
Officially, yes.
My systems (below corp. radar w/o sensitive company info) = Only by me.
Don???t know how long I can keep doing this my way, but so far it has worked out extremely well for us. The Borg haven't found me yet!!
Hope you find this interesting and/or helpful. If not, sorry to bother you.
"I expect to pass through this world but once. Any good, therefore, that I can do, or any kindness that I can show to any human being, let me do it now. Let me not defer or neglect it, for I shall not pass this way again." Stephen Krebbet, 1793-1855
