Re: Expire or not expire?
"Ben M. Schorr, MVP" <bens@xxxxxxxxxxxxxxxx> wrote in message
news:3851CEA8-1D67-4FD7-8AD3-DB9B178C92F3@xxxxxxxxxxxxxxxx
> I don't force password changes, generally. I prefer to force long pass
> phrases and let people select their own pass phrases. That way they can
> select things that are easy for them to remember and because the pass
> phrases are long (15 characters+ generally) they are nearly impossible to
> brute-force.

One consideration to make is that the enforced password change isn't just
about fixing the problem of the brute-force guesser, but also that of the
password sharer.

Yes, I know, we all drill it into our people to never share passwords, and
in many places sharing a password is a firing offence. Yet people do it, and
the pragmatic security manager will take steps to deal with this - requiring
periodic password changes is a prudent measure to adopt against the
likelihood that you've recently fired someone who has the password of
another employee's account.

Another risk avoided by regular password changes is that of being unable to
cope with a password change. If you have a service, or a script, or anything
that needs to authenticate itself, and the password gets exposed, you will
need to change passwords on it in a hurry - are you going to be able to do
that without pulling down the house of cards if you haven't done it on a
regular basis?

Every 90 days or so would seem reasonable.

Alun.
~~~~
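The last point in the reply above, that a service or script credential must be rotatable in a hurry, is the kind of thing worth rehearsing with a procedure rather than by hand. The following is an added example, not code from either poster: it models a rotation of a shared service-account password across every place that holds a copy, verifies each holder can still authenticate afterwards, and rolls everything back if any step fails. The `Directory` and `Consumer` classes are constructed in-memory stand-ins (assumptions for illustration) for the authentication authority and for the scripts or services configured with the password; in a real environment they would be calls into the domain, a vault, and the job configuration.

```python
import secrets
import string


class Directory:
    """Constructed stand-in for the authentication authority (e.g. a domain)."""

    def __init__(self, account, password):
        self.accounts = {account: password}

    def set_password(self, account, new_password):
        self.accounts[account] = new_password

    def authenticate(self, account, password):
        # Constant-time comparison; str arguments are fine as long as they are ASCII.
        return secrets.compare_digest(self.accounts.get(account, ""), password)


class Consumer:
    """Constructed stand-in for a script or service holding the service-account password."""

    def __init__(self, name, account, password, broken=False):
        self.name = name
        self.account = account
        self.password = password
        # 'broken' simulates a configuration store we cannot write to during rotation
        self.broken = broken

    def update_password(self, new_password):
        if self.broken:
            raise RuntimeError(f"{self.name}: cannot write configuration")
        self.password = new_password

    def check(self, directory):
        """Can this consumer still log on with what it has configured?"""
        return directory.authenticate(self.account, self.password)


def new_passphrase(length=20):
    """Generate a random passphrase of the given length from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(directory, account, consumers):
    """Rotate the account password everywhere, verify, and roll back on any failure.

    Returns (succeeded, password_now_in_force). On failure the old password is
    restored in the directory and in every consumer that was already updated,
    so the dependent jobs keep working.
    """
    old = directory.accounts[account]
    new = new_passphrase()
    updated = []  # consumers whose configuration we have already rewritten
    try:
        # 1. Push the new secret to every holder of the credential first ...
        for consumer in consumers:
            consumer.update_password(new)
            updated.append(consumer)
        # 2. ... then change it at the authority, so the window where a holder
        #    has a password the directory does not know is as short as possible.
        directory.set_password(account, new)
        # 3. Verify every holder can still authenticate before declaring success.
        failed = [c.name for c in consumers if not c.check(directory)]
        if failed:
            raise RuntimeError("post-rotation check failed: " + ", ".join(failed))
        return True, new
    except RuntimeError:
        # Roll back: restore the old password at the authority and in each
        # consumer we touched. Write the field directly so rollback itself
        # cannot be blocked by the same failure that triggered it.
        directory.set_password(account, old)
        for consumer in updated:
            consumer.password = old
        return False, old


def run_drill(broken_consumer=False):
    """Rehearse a rotation against constructed sample data; returns (ok, all_jobs_still_work)."""
    directory = Directory("svc_backup", "Start123")  # constructed sample account
    consumers = [
        Consumer("nightly-backup.ps1", "svc_backup", "Start123"),
        Consumer("report-job", "svc_backup", "Start123", broken=broken_consumer),
    ]
    ok, _ = rotate(directory, "svc_backup", consumers)
    return ok, all(c.check(directory) for c in consumers)


if __name__ == "__main__":
    print("clean rotation:", run_drill())
    print("rotation with one unwritable job:", run_drill(broken_consumer=True))
```

Running the drill on a schedule, as the reply suggests, is what tells you whether the rollback path actually works before the day an exposed password forces you to rotate under pressure; the broken-consumer case is the one that usually surfaces a job nobody remembered was using the account.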