Security Basics
mailing list archives
Re: A doable frequent password change policy?
From: mpalmer () hoovers com
Date: 3 Jul 2007 18:16:59 -0000
If your "doable" password policy meets the organization's requirements for mitigating risk in its environment, then
you've found a good fit. A Cisco CCO-like policy may not be acceptable as a "doable" password policy in some
environments. You need to work with your entire organization (this includes the lawyers, the executive team, the
tech-folks, and everyone in between) to determine what is "doable".
A monthly password change may be too frequent, but it may not be, as it depends on what the un/pw is protecting; is it the
organization's financials, the corporate intranet, or the CEO's files? What's the frequency of user turn-over? How
many people access the system in question? Yada, yada, yada....
There are a number of questions one must consider when setting up a password policy. A significant factor to consider
is whether the policy will influence the personal authority of the users to make them want to comply with the requirements
within the policy. Technically it can be relatively simple to enforce compliance with password requirements, but
influencing the entire organization that password requirements are needed is what really matters in the long run.
Regards,
Mark Palmer