I wish to stir up a password policy debate and it was suggested that
this was the place to do so. I have looked around for best practices for
password policies. I see more and more articles saying that you should
increase the complexity of the passwords and make it so that users donít
change their passwords as often. I understand and see the logic
purported by some that a strong password should not need to be changed
as often. Some of the logic goes that people who one, hate passwords and
two, have to change them often will come up with a scheme that fits the
policy but is easily predictable. For instance we have found out that a
large percentage use month and year as their password.
What I donít see in the debate is the user expectation that they can
connect with any device from any location and access corporate data and
how that should effect password complexity and the change of password
Let me give you a for instance. For us, users without remote access have
the same complexity requirements but only change their password every
120 days. Users with remote access change passwords every 40 days.
The logic in this is that if they attempt access from a compromised
platform, say a computer in a hotelís business center that has had a key
logger placed on it (or even a home computer where the kids have done
who knows what and been who knows where on the Internet), the password
that they use is then compromised but there is a limited time the
password is good for. Our VPN remote access does check for anti-virus
being up to date, a scan run in the last 30 days and so forth, but it
checks those things only after the credentials are presented, thus the
password is compromised. Remote access for things like Novell Filr,
GroupWise web access do not have the ďsecurityĒ checks the VPN does and
make reinforce the logic listed above.
The battle I am fighting is one where the powers that be feel that 40
days is too short and we should go to 180 days or possibly never
expiring a password.
What is the prevailing thoughts in your organization regarding passwords
in general and has any thought been put into how remote access effects