I am working on implementing some minimum standards for our department. I
wondering what the list thinks of these standards:
a. Passwords must be changed at least every 90 days.
b. Passwords cannot be changed for at least 14 days.
c. Previous passwords cannot be reused (at least the last 10).
d. User ids and passwords are "owned" by an individual and must not be
shared with others.
e. User accounts that have not been accessed (i.e. logged in to) for 30
will be deactivated.
f. Inactive user accounts will be deleted after 14 days.
The numbers I have used are what I used in the corporate world for systems
that had no special security requirements (i.e. they did not have any
confidential data on them). What are other people doing for this type of
standard, if anything? Also, if you had your choice (not subject to a
committee agreeing), what would you choose for these items?
Please let me know if you have any questions.