I wish to stir up the password policy debate. I have looked around for best practices for password policies. I see more and more articles saying that you should increase the complexity of the passwords and make it so that users don’t change their passwords as often. I understand and see the logic purported by some that a strong password should not need to be changed as often. Some of the logic goes that people who, one, hate passwords and, two, have to change them often will come up with a scheme that fits the policy but is easily predictable. For instance, we have found out that a large percentage use month and year as their password.
What I don’t see in the debate is the user expectation that they can connect with any device from any location and access corporate data, and how that should affect password complexity and the frequency of password changes.
Let me give you a for instance. For us, users without remote access have the same complexity requirements but only change their password every 120 days. Users with remote access change passwords every 40 days.
The logic in this is that if they attempt access from a compromised platform, say a computer in a hotel’s business center that has had a key logger placed on it (or even a home computer where the kids have done who knows what and been who knows where on the Internet), the password that they use is then compromised, but there is a limited time the password is good for. Our VPN remote access does check for anti-virus being up to date, a scan run in the last 30 days and so forth, but it checks those things only after the credentials are presented, thus the password is compromised. Remote access for things like Novell Filr and GroupWise web access do not have the “security” checks the VPN does and reinforce the logic listed above.
What are the prevailing thoughts in your organization regarding passwords in general, and has any thought been put into how remote access affects this policy?