Security Basics mailing list archives

Re: A doable frequent password change policy?


From: mpalmer () hoovers com
Date: 3 Jul 2007 18:16:59 -0000

If your "doable" password policy meets the organization's requirements for mitigating risk in its environment, then you've found a good fit.  A Cisco CCO-like policy may not be acceptable as a "doable" password policy in some environments.  You need to work with your entire organization (this includes the lawyers, the executive team, the tech folks, and everyone in between) to determine what is "doable".

A monthly password change may be too frequent, but it may not, as it depends on what the un/pw is protecting; is it the organization's financials, the corporate intranet, or the CEO's files?  What's the frequency of user turn-over?  How many people access the system in question?  Yada, yada, yada....

There are a number of questions one must consider when setting up a password policy.  A significant factor to consider is whether the policy will influence the personal authority of the users to make them want to comply with the requirements within the policy.  Technically it can be relatively simple to enforce compliance with password requirements, but influencing the entire organization to accept that password requirements are needed is what really matters in the long run.

Regards,

Mark Palmer
