Security Basics mailing list archives
Re: A doable frequent password change policy?
From: mpalmer () hoovers com
Date: 3 Jul 2007 18:16:59 -0000
If your "doable" password policy meets the organization's requirements for mitigating risk in its environment, then you've found a good fit. A Cisco CCO-like policy may not be acceptable as a "doable" password policy in some environments. You need to work with your entire organization (this includes the lawyers, the executive team, the tech-folks, and everyone in between) to determine what is "doable".

A monthly password change may be too frequent, but it may not be, as it depends on what the un/pw is protecting: is it the organization's financials, the corporate intranet, or the CEO's files? What's the frequency of user turn-over? How many people access the system in question? Yada, yada, yada.... There are a number of questions one must consider when setting up a password policy.

A significant factor to consider is whether the policy will influence the personal authority of the users so as to make them want to comply with the requirements within the policy. Technically it can be relatively simple to enforce compliance with password requirements, but convincing the entire organization that password requirements are needed is what really matters in the long run.

Regards,
Mark Palmer