Quote:
Originally Posted by DuncanWatson
That problem relates to IT departments mandating 90-day password changes with no repeats of the last 10 passwords, a mandate that the new password differ by 90% from the last 10 used, and a requirement for mixed numbers, letters and punctuation.
Shockingly, such draconian, user-unfriendly policies result in rampant security violations as users put passwords on sticky notes, in their wallets, on their PDAs/phones, etc. Sure, some people (this is especially bad in accounting and financial departments) will put passwords on sticky notes attached to their monitor no matter what you do. But by making it so unfriendly, many more users are forced to take such action just to be able to do their job. Not everyone can create passwords that fit IT's criteria for a good password and commit them to memory every 3 months, especially without reuse. If you really need such security, use an S/KEY token with generated passwords every 30 seconds or so (something you have + something you know security).
The IT department is responding to *known* threats and such measures are the only ways known to protect access to the information.
Note that I said "responding", as these measures are put in place after somebody finds out the hard way about the problem.