On Tue, Jan 10, 2012 at 12:12 AM, Kurt Buff <[email protected]> wrote:
>> What are the threats you are defending against? What will this
>> counter-measure cost you (e.g., forgotten passwords/resets, writing
>> down of passwords, user hostility, political capital, etc.)?
>
> For the threats - well, the company is connected to the Internet, and
> has a decent firewall. Further than that, make up your own threat
> scenario.
That's not a realistic request. It's a big difference if they're manufacturing bolts or they're a defense contractor, for example. You have to define parameters or you just get the "Take the computer, unplug it, seal it in a safe, and bury the safe in concrete" response.

In particular, are you using passwords to authenticate anything from the public Internet?

> Assume that forgotten passwords were at most 2/month, that previously
> passwords were 8 characters, and changed on a 90-day cycle.

I'm not a big fan of the short (90 day) password lifetimes, unless a specific credible threat can be cited (e.g., web cafe usage (in which case you have other problems)). You're better off with a strong password that people can remember. Anything that short-lived virtually forces people into writing down or formula/system/pattern passwords, both of which are usually bigger problems. Periodic changes are certainly a good idea, but I usually prefer a year or so.

--
Ben

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
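An added example, not from the thread or either poster, showing how an administrator could check a domain's effective password policy against the two settings discussed above (the old 8-character / 90-day cycle versus the longer-lived, stronger password the reply prefers). It assumes an Active Directory domain and the ActiveDirectory PowerShell module; the thread never names the directory in use, and the 12-character floor used as the "preferred" minimum is an illustrative value, not something the thread specifies.

```powershell
# Added example (not from the thread): audit the default domain password
# policy against the thresholds discussed in the reply above.
# Assumptions: an Active Directory domain and the ActiveDirectory module
# (RSAT) are available on the machine running this.
Import-Module ActiveDirectory

function Test-PasswordPolicyAgainstThread {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # The "short" lifetime from the thread and the roughly one-year
        # alternative the reply prefers
        [int]$ShortLifetimeDays = 90,
        [int]$PreferredMaxDays  = 365,
        # The thread's 8-character baseline; 12 is only an illustrative
        # floor for "strong", not a value taken from the thread
        [int]$BaselineLength     = 8,
        [int]$PreferredMinLength = 12
    )

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # MaxPasswordAge is a TimeSpan; a zero value means passwords never expire,
    # so treat 0 as "no lifetime" rather than "very short"
    $maxDays = $p.MaxPasswordAge.TotalDays

    [pscustomobject]@{
        Domain            = $Domain
        MaxAgeDays        = $maxDays
        MinLength         = $p.MinPasswordLength
        ComplexityEnabled = $p.ComplexityEnabled
        HistoryCount      = $p.PasswordHistoryCount
        LockoutThreshold  = $p.LockoutThreshold
        # Lifetime of 90 days or less: the pattern the reply argues against
        ShortLifetime     = ($maxDays -gt 0 -and $maxDays -le $ShortLifetimeDays)
        # Minimum length still at (or below) the old 8-character baseline
        AtBaselineLength  = ($p.MinPasswordLength -le $BaselineLength)
        # Long-lived but long-enough: the trade-off the reply prefers
        MatchesPreference = ($maxDays -ge $PreferredMaxDays -and
                             $p.MinPasswordLength -ge $PreferredMinLength)
    }
}

# Usage: run on a domain-joined admin workstation with RSAT installed
Test-PasswordPolicyAgainstThread | Format-List
```

The function only reads the policy and reports booleans; changing the policy is a separate, deliberate step (for example with Set-ADDefaultDomainPasswordPolicy) once the threat model Kurt was asked for has actually been written down.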
