Re: A doable frequent password change policy?

A few things. First of all, lots and lots of less intelligent people than you are already under such policies, and don't seem to have too much of a problem with them, so I think you'll survive. :) It is accepted that most people will do the bare minimum to get past a password policy, such as leaving the last digit of a password a number and just incrementing it each month. You'll have to assume that every password on your network is infinite if you don't have a policy that changes them. I mean, that's the only level of security you can guarantee, no?

Second, what compliance do you have to meet? The regs of that compliance may be your answer, no matter what your users think. :)

I think password shifting every 60 days and effectively not keeping history (for instance, inability to reuse the last 200 passwords) seems to me to be an acceptable policy these days. True, you can still crack those hashes quickly, but we're talking about risk management in this case. Changing them is far better than infinite passwords, as even the act of changing them may expose failed attempts and thus unauthorized use.

For Cisco, is the information they are protecting really that important that they should enforce password changes? Honestly, while password changing and history enforcement are accepted with systems on a network under your control, I can't actually think of any websites I go to that have a similar policy. They have instead decided their internal workings (hash, database, encryption) are powerful enough, so they just protect against password guessing (one would hope!). But for a local network, can you ensure no one has pilfered your hashes at some point? Likewise, do you have a captive audience? If so, impose that policy if it means your users have a more protected network and thus a more protected income and life! (Websites might turn off some users with stringent password policies, meaning they don't have a captive audience...blah blah blah)

<- snip ->
Yes I am aware of the importance of advising users on changing their
passwords frequently, be it their AD passwords or passwords on other
independent applications (ERP) etc.

But I don't want to enforce a policy that comes crashing down. I
personally cannot keep changing my password every month making sure that
it differs from the last two in history (at least).

Even Cisco on its CCO account only makes its users aware that their
password hasn't been changed for quite some time and gives them an option
of either changing it or just choosing a 'No Thanks' option and carrying on with
their old password. This sounds like a doable compliance to me.

Your thoughts??