There is the current federal password policy: http://www.itl.nist.gov/fipspubs/fip112.htm

I know that it was published in 1985, but using this standard you are looking at the Department of Defense, and they require less. And unless there is a really compelling reason for 30 days that involves something like ID theft or national security, I suggest that you use something a bit more liberal. Even for those of us who have to live under HIPAA, most passwords are changed less often than every 30 days. Johns Hopkins Hospital's minimum time-frame is 90 days, which also includes a 2-year memory of used PWs.

Linda Losik
HIPAA Security Officer
Health Information Technology

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Bryan Murphy
Sent: Tuesday, May 16, 2006 11:47 AM
To: [log in to unmask]
Subject: [MSUNAG] Password Expiration Policies

Hi Guys,

I am about to implement a password policy that calls for password expiration every 30 days. I have run my policy by a small group of faculty and found that this (as I suspected) is the only point of contention in the policy. From a security standpoint this is absolutely essential for a number of reasons, and I have explained these reasons but still get guff. For some reason stating "department x has this same policy" or "x % of the departments on campus already do this" works far better than logical explanations...

So I was wondering if anyone in NAG'Land would mind sharing what they are doing for departmental password policies.

Thank you.

,--------------------------------------------+-----------------------------,
| Bryan Murphy, CISSP                        | [log in to unmask]          |
| Information Technology Coordinator         | 517.432.5939 w              |
| MSU Plant Research Lab & Plant Biology     | 517.355.1926 fax            |
| 132a Plant Biology Bldg.                   | http://infotech.prl.msu.edu |
'--------------------------------------------+-----------------------------'