FlyerTalk Forums - View Single Post - Secure Internet from Cybercafes?
Aug 20, 2006 | 9:42 pm
  #18  
SpaceBass
 
Join Date: Nov 2002
Location: San Francisco, CA
Programs: US CP, *wood Gold, Marriott gold, Hilton something
Posts: 1,458
Originally Posted by karthik
I'll have to graciously disagree with you on this point. I think it's a very bad idea to enforce semi-regular (e.g., less than every 6 months) password changes! In my experience, doing so causes people to pick LESS secure passwords and then do stupid things like write them down in their wallet since they can't remember the new passwords that they have to keep changing.
I've been reading stuff that echoes that sentiment exactly!
Despite what I posted, I actually had to make my wife's password static.

Lately I've personally been using a passphrase over 14 characters and I do change it often...but my account is also a domain admin account...something I also need to move away from. I've discovered with OS X and (some) Linux distros, it's easy to operate as a regular user...unlike Windows...go figure, Windows Server may be one of the better server platforms but it's more secure to use it with OS X as a client...

Anyway, I don't think your disagreement is out of place at all. It's a GREAT recommendation, provided people actually understand security...in that it's not something to make your life hard, but to keep (someone's) data safe.
I bet you are correct - if corporations enforced long passphrases rather than changing every 60 - 90 days, things might be a lot stronger...
Of course I work for a major health care organization. We have VPN with one time passwords, mandated security training...the works... but we still send patient records/data via FTP...makes me sick!