Educause Security Discussion mailing list archives

Re: Active Directory Password Strength


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 16 Nov 2005 10:58:14 +1300

Graham Toal wrote:

The *only* advantage that changing your password offers is in
the case when someone did intercept your password but decided
not to use it for a long time, perhaps to cover where they got
it from.  In most other situations, the outcome is the same
regardless of whether they got your old password or your new
password.

One thing I think is more important than frequent changes of password is
to automatically disable accounts that have not been used for some
extended period of time. There will need to be exceptions but for the
most part disabling accounts that have not been used for 3 months is a
good idea.  Don't delete anything at this stage, just disable the access.

Again there is going to be a cost of re-enabling accounts if they are
needed again but it gets rid of a lot of deadwood without much effort.
If the account is disabled for a much longer period (a year, say) then it
is flagged for manual intervention and someone gets to decide what
should happen to the account and any resources that are associated with it.

Cheers, Russell
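
The two-stage lifecycle described in the message above (disable after 3 months unused, flag for manual review after about a year disabled), as an added example that is not part of the original post or thread. It assumes the RSAT ActiveDirectory module; the exception group name, the marker string and the use of the `info` (Notes) attribute to record the disable date are hypothetical choices.

```powershell
# Added example: assumes the ActiveDirectory module and rights to modify user objects.
Import-Module ActiveDirectory

$disableAfterDays = 90                          # "not been used for 3 months"
$reviewAfterDays  = 365                         # disabled for about a year
$exceptionGroup   = 'Stale-Account-Exceptions'  # hypothetical group holding the exceptions
$stampPrefix      = 'AutoDisabled:'             # hypothetical marker stored in the info attribute
$dryRun           = $true                       # set to $false to actually change accounts
$now              = Get-Date

# Accounts that must never be auto-disabled (the "exceptions" in the policy).
$exempt = @(Get-ADGroupMember -Identity $exceptionGroup -Recursive |
            Select-Object -ExpandProperty DistinguishedName)

# Stage 1: disable, never delete. Inactivity is judged from lastLogonTimestamp, which
# replicates with a lag of up to about two weeks by default, so the cutoff is approximate.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $disableAfterDays) -UsersOnly |
         Where-Object { $_.Enabled -and ($exempt -notcontains $_.DistinguishedName) }

foreach ($user in $stale) {
    $stamp = $stampPrefix + $now.ToString('yyyy-MM-dd')
    Disable-ADAccount -Identity $user.DistinguishedName -WhatIf:$dryRun
    # Record when the sweep disabled the account; this overwrites existing Notes text.
    Set-ADUser -Identity $user.DistinguishedName -Replace @{ info = $stamp } -WhatIf:$dryRun
}

# Stage 2: accounts this sweep disabled more than $reviewAfterDays ago go to a person
# for a decision; nothing is removed automatically.
# The userAccountControl bit test (:=2) matches disabled accounts.
$ldap = "(&(objectCategory=person)(objectClass=user)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=2)(info=$stampPrefix*))"

$review = Get-ADUser -LDAPFilter $ldap -Properties info | Where-Object {
    $disabledOn = [datetime]::ParseExact($_.info.Substring($stampPrefix.Length),
                                         'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
    $disabledOn -lt $now.AddDays(-$reviewAfterDays)
}

$review | Select-Object SamAccountName, DistinguishedName, info |
    Export-Csv -Path .\accounts-for-manual-review.csv -NoTypeInformation
```

With `$dryRun` left at `$true` the sweep only reports what it would disable, which is a reasonable way to build the exception group before the first real run.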
