This may be more of an IMHO… Is it still considered, amongst security experts, good practice to force the user to change his password every X days?
Our IT department has just instituted a policy forcing users to have a “secure” password and to change it every 45 days. If you log in 3 times incorrectly, they lock you out. A quick walk around the building shows that about 20% (pure guess, I didn’t count, but saw many) of the people have little post-its with their passwords on the monitor.
I teased one guy about it and he said: I have a login at home, one at work, a bank pin, an ebay account, sharebuilder, paypal and online banking. (He may have mentioned more, but I lost interest.) Anyway, his point is, with all the different accounts, it is easy to confuse all the different passwords. Now with the new more strict requirements at work, he has to think of yet another new one every 45 days. We can’t recycle. They can’t be deemed “too close” to each other. They must have a combination of upper/lower case and numbers. The password is complex and must be new each time and it is difficult to remember, especially with so many other accounts needing passwords.
I kinda get what he is saying. It seems like they have made it less secure by making it so hard that people are simply writing down their passwords and posting them. I know that I find myself running out of what I consider unique but memorable passwords.
Anyway, is this still an accepted policy, or are these guys lost in time? I seem to recall an article circa 2000 that said this policy was deprecated pretty much for the above reasons, but I can’t find it online.
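To make the rules in the question concrete, here is an added example (not code from the asker or their IT department) that implements the policy as described: a required mix of upper case, lower case and digits, no recycling of previous passwords, rejection of a new password that is “too close” to an old one, a 45-day maximum age, and lockout after 3 failed logins. The minimum length of 8, the history depth of 5 and the edit-distance threshold of 3 for “too close” are assumptions, since the question does not state them; the sample passwords are constructed. Note the caveat this exposes: a “too close” comparison needs the old password in the clear, which a system normally only has at the moment of change, so the history here is kept in plaintext purely for illustration.

```python
"""Password policy checker modelled on the rules described in the question.

Added example; thresholds marked as assumptions are not from the original post.
"""
from datetime import date

MAX_AGE_DAYS = 45          # from the question: change every 45 days
MAX_FAILED_ATTEMPTS = 3    # from the question: 3 bad logins lock the account
MIN_LENGTH = 8             # assumption: the question gives no length
HISTORY_SIZE = 5           # assumption: how many old passwords the no-recycle check remembers
MIN_EDIT_DISTANCE = 3      # assumption: what counts as "too close" to a previous password


def has_required_classes(pw: str) -> bool:
    """Upper/lower case and digits, as the question describes."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to decide whether two passwords are 'too close'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_new_password(new_pw: str, history: list) -> list:
    """Return the list of policy violations for a proposed password (empty = accepted).

    `history` holds the most recent HISTORY_SIZE previous passwords, newest first.
    """
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append("too short")
    if not has_required_classes(new_pw):
        problems.append("needs upper-case, lower-case and digits")
    for old in history[:HISTORY_SIZE]:
        if new_pw == old:
            problems.append("reuses a previous password")
            break
        # Case-insensitive distance catches Summer2023 -> Summer2024 style changes.
        if levenshtein(new_pw.lower(), old.lower()) < MIN_EDIT_DISTANCE:
            problems.append("too close to a previous password")
            break
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password has reached the maximum age."""
    return (today - last_changed).days >= MAX_AGE_DAYS


class Account:
    """Tracks failed logins and applies the lockout rule."""

    def __init__(self):
        self.failed_attempts = 0
        self.locked = False

    def record_login(self, success: bool) -> bool:
        """Record an attempt; return whether the login is allowed to proceed."""
        if self.locked:
            return False
        if success:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed sample: the kind of minimal change a rotation policy tends to produce.
    print(check_new_password("Summer2024", ["Summer2023"]))
    print(check_new_password("Tr0ubadour!x", ["Summer2024", "Summer2023"]))
```

Running the module shows the first proposal rejected as too close to its predecessor and the second accepted; the lockout and expiry helpers are independent of the complexity checks so each rule can be evaluated (or dropped) on its own.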