This is actually something one major company I know did. They made the expiry 
annual and the min password length something like 15 characters.

The math is based on how long it takes to do the cracking/table generation for 
length K versus expiry N.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

From: Roger Wright [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 10:38 AM
To: NT System Admin Issues
Subject: RE: Password Policy Change

I recall someone well known, Minasi possibly, strongly suggesting a policy 
requiring 15+ character passwords without expiration as being more secure than 
7-8 characters with frequent expiration. I think users would REALLY grumble 
with that one, though! <grin>



Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388
_____

From: Sherry Abercrombie [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 11:27 AM
To: NT System Admin Issues
Subject: Re: Password Policy Change

Yes, it is amazing to do an audit on passwords and see the kind of passwords 
that meet AD's complexity requirements, but are so very very unsecure!  
p...@s$w0rd meets complexity requirements......

On Wed, Mar 4, 2009 at 10:16 AM, Cameron Cooper <[email protected]> wrote:

Lol... that can go either way.  Our users groaned and complained when we set up 
the policies (not only for passwords, but security settings) but got used to 
it.  The groaning comes more out of me after telling the users that their 
passwords need to meet certain requirements and then finding out that their 
password is something as simple as This$ucksx5.



_______________________________

Cameron Cooper

IT Director - CompTIA A+ Certified

Aurico Reports, Inc

Phone: 847-890-4021    Fax: 847-255-1896

[email protected]

--
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
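
The gap described in the messages above, where a password satisfies AD's complexity rule yet is built on a guessable word, can be checked in an audit. The following is an added example, not part of the original thread: the three-of-four-classes rule is a simplified model of the AD setting, and the word list, substitution map, minimum length, function names and all sample passwords except `This$ucksx5` are constructed assumptions.

```python
import re

# Constructed stand-in for a banned-word list; a real audit would load a
# much larger dictionary (assumption, not from the thread).
WORDLIST = {"password", "welcome", "summer", "thissucks"}

# Common character substitutions folded back to letters before lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def meets_ad_complexity(password, min_length=7):
    """Simplified AD complexity rule: three of four character classes.

    The account-name check is omitted, and min_length models the separate
    minimum-length policy setting (value assumed).
    """
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= min_length and sum(classes) >= 3


def base_word(password):
    """Reduce a password to the letters a guesser would start from."""
    folded = re.sub(r"[^a-z]+$", "", password.lower())  # drop trailing digits/symbols
    folded = folded.translate(LEET)                      # undo substitutions
    return re.sub(r"[^a-z]", "", folded)                 # drop leftover separators


def audit(password):
    """Return (complies_with_policy, built_on_dictionary_word)."""
    base = base_word(password)
    weak = any(word in base for word in WORDLIST)
    return meets_ad_complexity(password), weak


if __name__ == "__main__":
    # This$ucksx5 is quoted in the thread; the other samples are constructed.
    for pw in ["This$ucksx5", "Welc0me!23", "Summer2009!", "Maple quartz lantern orbit"]:
        print(pw, audit(pw))
```

A result of `(True, True)` marks a password that the complexity policy accepts even though it reduces to a word on the list.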