> Essentially, for certain users we want to enforce > password changing requirements. This by itself > seems straigtforward, but these are customers who > will access our systems via the Internet.
My company does EFT transactions (we drive ATMs and do related financial communications) and so our security is regulated and audited by both federal and corporate policies. All our clients have to accept our policies regarding passwords, or they don't get in. Fortunately, all our competitors must follow the same rules, so there's no escaping them. To sell the idea, focus on the increased level of protection of their data and other reasons why you have passwords in place rather than their inconvenience. Good luck, LT
