On Mon, Jan 9, 2012 at 20:46, Ben Scott <[email protected]> wrote:
> On Mon, Jan 9, 2012 at 11:31 PM, Kurt Buff <[email protected]> wrote:
>> fewer than 500 users ... password policy ... complexity ...
>> minimum 10 characters in length, with no expiration, no
>> history and no minimum age?
>
> "Insufficient data for a meaningful answer."
>
> What are the threats you are defending against? What will this
> counter-measure cost you (e.g., forgotten passwords/resets, writing
> down of passwords, user hostility, political capital, etc.)?

Assume a user base of mixed sophistication - ranging from software and hardware engineers to the more normal admin/finance staff. Web site is 3rd party hosted (no e-commerce - quoting and sales done by phone/email/fax), but a significant fraction of users (say, 10%, more or less) use an SSL VPN from an appliance that enforces current AV on home machines.

For the threats - well, the company is connected to the Internet, and has a decent firewall. Further than that, make up your own threat scenario.

Assume that forgotten passwords were at most 2/month, that previously passwords were 8 characters, and changed on a 90-day cycle.

Kurt
