 Password policies that aren’t too crazy but effective
What password policies are the best without going crazy? We want security but changing passwords 2 times a month is too much. What is a healthy middle ground between security and convenience?

ASKED: June 2, 2011  8:01 PM
UPDATED: June 7, 2011  5:06 AM

Answer Wiki:
I am used to either a 60- or 90-day change period. Also, if people have multiple places where they need a password, they should only have to change it in one place and then have that change cascade down to the other locations.
Last Wiki Answer Submitted:  June 2, 2011  8:40 pm  by  CharlieBrowne   32,825 pts.


Discuss This Question:

1. Require changing the password at least once a month.
2. Require letters and numbers.
3. Not too similar to the username.
4. Not a dictionary word.
5. Not too short.
6. Not equal to the 6 previous passwords.

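The six rules in the comment above, written out as a password-policy check. This is an added example, not code from the original post or from any product; the minimum length of 12, the similarity threshold, the PBKDF2 iteration count and the small inline wordlist are assumptions standing in for a real dictionary file and site policy.

```python
"""Password-policy checker for the six rules listed above (added example).
Assumptions: MIN_LENGTH, MAX_USERNAME_SIMILARITY, the iteration count and the
constructed DICTIONARY are placeholders for a real site's policy and wordlist."""
import difflib
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

MIN_LENGTH = 12                  # assumption: the comment only says "not too short"
HISTORY_DEPTH = 6                # "not equal to the 6 previous passwords"
MAX_USERNAME_SIMILARITY = 0.6    # assumption: difflib ratio above this is "too similar"

# Constructed stand-in for a real dictionary file such as /usr/share/dict/words.
DICTIONARY = {"password", "welcome", "summer", "monkey", "letmein", "dragon"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 so the password history is never stored in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, username: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    ratio = difflib.SequenceMatcher(None, password.lower(), username.lower()).ratio()
    if username.lower() in password.lower() or ratio > MAX_USERNAME_SIMILARITY:
        problems.append("too similar to the username")
    # Strip digits and punctuation so "Password123!" is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    if matches_history(password, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    previous = [hash_password("My monkey is 83 and knitted")]
    print(check_password("Password123!", "jsmith", previous))
    print(check_password("My monkey is 83 and knitted", "alice", previous))
```

The history check hashes the candidate with each stored entry's own salt and compares in constant time, so the history list holds nothing a file thief could read back directly; returning every violated rule at once, rather than the first, lets the user fix a rejected password in one try.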

What are you securing?

1 system – many ?

financial data ? – value?

text of obscure novels – not valuable ?

What hardware? – built-in likelihood of hacking – Windows
harder to hack – Linux
impossible to hack – IBM i

Inside a firewall and DMZ?

On the internet?

Consider the relative risks and how much aggravation you or the users should endure.

If you are reliant on a password, make it long, so a user can make a sentence a password. “My monkey is 83 and knitted” is memorable, so it is not written down.

Systems which keep simple files of passwords are vulnerable if bad people can get the file and attack it to decode.
If all they can do is get to a sign-on and attempt multiple passwords, have the system close down after 3 / 5 / 9 (pick a low number) wrong entries.

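The "close down after a low number of wrong entries" advice above, as a failed-logon lockout gate. This is an added example and not code from the original post; the threshold of 5, the 15-minute counting window and the 30-minute lock duration are assumed values, and the clock is injectable only so the behaviour can be exercised without waiting.

```python
"""Failed-logon lockout counter (added example, not from the original post).
Assumptions: MAX_FAILURES, FAILURE_WINDOW_SECONDS and LOCKOUT_SECONDS are
placeholder values; a real deployment picks them per system."""
import time
from typing import Callable, Dict, List

MAX_FAILURES = 5                    # "pick a low number": assumed 5
FAILURE_WINDOW_SECONDS = 15 * 60    # assumption: failures older than this are forgotten
LOCKOUT_SECONDS = 30 * 60           # assumption: how long the account stays closed


class LockoutTracker:
    """Per-account failure counter; the clock is injectable so tests need not sleep."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear it together with the stale failure history.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record one wrong password; True if this attempt pushed the account into lockout."""
        now = self._clock()
        recent = [t for t in self._failures.get(account, [])
                  if now - t < FAILURE_WINDOW_SECONDS]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        """A correct password clears the counter (only reachable while not locked)."""
        self._failures.pop(account, None)


def attempt_login(tracker: LockoutTracker, account: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Gate the real credential check behind the lockout.
    Returns "locked", "ok" or "denied"."""
    if tracker.is_locked(account):
        return "locked"     # the password is not even evaluated while locked
    if verify(account, password):
        tracker.record_success(account)
        return "ok"
    tracker.record_failure(account)
    return "denied"


if __name__ == "__main__":
    tracker = LockoutTracker()
    check = lambda user, pw: pw == "My monkey is 83 and knitted"   # constructed stand-in
    for guess in ["a", "b", "c", "d", "e"]:
        print(attempt_login(tracker, "alice", guess, check))
    print(attempt_login(tracker, "alice", "My monkey is 83 and knitted", check))
```

Returning "locked" without consulting the password store keeps an online guessing loop from learning anything during the lock; the sliding window means a user who mistypes twice a week never accumulates enough failures to be shut out, which is the convenience side the question asks about.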

I use 42 days, but other options are once a month or once every 2 months.
