- Passwords must be at least 8 characters long and can be up to 20 characters long.
- Passwords must contain at least:
  - One numeric character
  - One symbol character (examples: ! # $ @ % ^ & ? +)
  - One upper case character
  - One lower case character
Similar security policies have been in place in many organizations for a long time and are perceived to make our systems more secure, yet it does ask the question, is there a specific security vulnerability or attack that this is designed to counter, or are we just following the procedure because "it's the way it has always been done"?
There is an ongoing debate about which is more secure: requiring more frequent password changes, or enforcing a really strong password requirement but not requiring users to change it.
The same arguments are used by both sides:
- Frequent changes will certainly make sure that half the office has stickies with their password on their monitor or under their keyboard.
- Requiring really strong passwords will certainly make sure that half the office has stickies with their password on their monitor...
- Frequent changes will make users use the weakest password they can use and still meet the requirement, while adding a rotating number to the end that changes every expiration.
- Really strong passwords will cause more users to use the help desk and password reset.
The arguments go on and on... So what are your thoughts? Which approach is safer?
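As an added example (not from the original post), here is a small Python checker for the policy quoted above, plus a check for the "rotating number on the end" habit the post describes: it strips a trailing run of digits/symbols from the new and previous password and flags the change when what remains is the same. The symbol set is assumed to be exactly the post's examples, and the rotation check only catches suffix rotation.

```python
import re

# Policy from the post: 8-20 characters, at least one digit, symbol, upper and lower.
MIN_LEN, MAX_LEN = 8, 20
SYMBOLS = set("!#$@%^&?+")  # assumption: the post's example symbols are the allowed set


def check_complexity(pw):
    """Return the list of policy rules the password violates (empty list = passes)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length")
    if not any(c.isdigit() for c in pw):
        problems.append("digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("symbol")
    if not any(c.isupper() for c in pw):
        problems.append("upper")
    if not any(c.islower() for c in pw):
        problems.append("lower")
    return problems


def _strip_rotation(pw):
    # Drop a trailing run of digits/symbols used as a rotating suffix: "Summer2024!" -> "Summer".
    return re.sub(r"[0-9!#$@%^&?+]+$", "", pw)


def is_rotation_of(new_pw, old_pw):
    """True when new_pw is old_pw with only the trailing number/symbol part changed."""
    core_new, core_old = _strip_rotation(new_pw), _strip_rotation(old_pw)
    # Ignore case so "summer2025!" still counts as a rotation of "Summer2024!".
    return bool(core_new) and core_new.casefold() == core_old.casefold()


def evaluate_change(new_pw, old_pw=None):
    """Combine the complexity rules with the rotation check against the previous password."""
    problems = check_complexity(new_pw)
    if old_pw is not None and is_rotation_of(new_pw, old_pw):
        problems.append("rotation-of-previous")
    return problems


if __name__ == "__main__":
    # Constructed sample change: meets every complexity rule but only bumps the year.
    print(evaluate_change("Summer2025!", "Summer2024!"))  # ['rotation-of-previous']
```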