There is the current federal password policy:
http://www.itl.nist.gov/fipspubs/fip112.htm
I know that it was published in 1985, but using this standard you are
looking at the Department of Defense; they require less. And unless there
is a really compelling reason for 30 days that involves something like ID
theft or national security, I suggest that you use something a bit more
liberal. Even for those of us who have to live under HIPAA, most passwords
are changed less often than every 30 days. Johns Hopkins Hospital's minimum
time-frame is 90 days, which also includes a 2-year memory of used PWs.
Linda Losik
HIPAA Security Officer
Health Information Technology
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Bryan Murphy
Sent: Tuesday, May 16, 2006 11:47 AM
To: [log in to unmask]
Subject: [MSUNAG] Password Expiration Policies
Hi Guys,
I am about to implement a password policy that calls for password
expiration every 30 days. I have run my policy by a small group of faculty
and found that this (as I suspected) is the only point of contention in
the policy.
From a security standpoint this is absolutely essential for a number of
reasons, and I have explained these reasons but still get guff.
For some reason stating "department x has this same policy" or "x % of
the departments on campus already do this" works far better than logical
explanations... So I was wondering if anyone in NAG'Land would mind
sharing what they are doing for departmental password policies.
Thank you.
Bryan Murphy, CISSP | [log in to unmask]
Information Technology Coordinator | 517.432.5939 w
MSU Plant Research Lab & Plant Biology | 517.355.1926 fax
132a Plant Biology Bldg. | http://infotech.prl.msu.edu