Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Tue, 14 Apr 2009 08:56:56 -0400

I don't see anyone making a distinction between the IT resources involved.  Perhaps a two-tiered
password change policy makes more sense.  I think that it could be argued that there is a larger
problem if server/system passwords aren't changed on a reasonable schedule versus the risk involved
with a faculty or computer lab system.  Is it more palatable to require a frequent change for critical
or sensitive systems and a less frequent (once per semester?) change for all other systems?  I think
if you toss in account lockout after X number of failed login attempts and complex (8 characters, 1
upper case, 1 special, 1 number) passwords across all systems, you can pretty effectively mitigate
most brute force attacks.

That is what we do.  We only expire passwords for enterprise applications (where a good portion of the important stuff is kept).
The ironic thing is these accounts, given network placement and other controls, are probably less susceptible to brute force attacks, interception, etc. than regular accounts.  :-)
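As an added illustration, not part of the list message, here is a small Python model of the two-tiered policy described above: the 8-character/upper/digit/special complexity rule, lockout after a fixed number of failed logins, and a shorter password age for critical systems than for everything else. The 90/180-day intervals, the lockout threshold of 5 and the sample accounts are assumed values, since the thread gives none.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import string

# Two tiers: critical/enterprise systems rotate often, all others once a semester.
# Day counts and the lockout threshold are assumptions for this example.
MAX_AGE_DAYS = {"critical": 90, "standard": 180}
LOCKOUT_THRESHOLD = 5  # the "X failed login attempts" from the post


def meets_complexity(pw: str) -> bool:
    """At least 8 characters with one upper-case letter, one digit and one special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


@dataclass
class Account:
    name: str
    tier: str            # "critical" or "standard"
    last_change: date    # date of the last password change
    failed_attempts: int = 0
    locked: bool = False

    def password_expired(self, today: date) -> bool:
        return today - self.last_change > timedelta(days=MAX_AGE_DAYS[self.tier])

    def record_failed_login(self) -> bool:
        """Count one failed attempt; lock at the threshold. Returns the lock state."""
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
        return self.locked


# Constructed sample: one enterprise server account and one lab account.
SAMPLE_ACCOUNTS = [
    Account("erp-admin", "critical", date(2009, 1, 1)),
    Account("lab-user", "standard", date(2009, 1, 1)),
]


def accounts_needing_rotation(accounts, today_iso: str):
    """Names of accounts whose password age exceeds the limit for their tier."""
    today = date.fromisoformat(today_iso)
    return [a.name for a in accounts if a.password_expired(today)]


if __name__ == "__main__":
    print(accounts_needing_rotation(SAMPLE_ACCOUNTS, "2009-04-14"))  # ['erp-admin']
```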
