I have always questioned the logic and need to create locked-down security requirements for many networks. It goes along with my beliefs about zero-tolerance rules on Internet use at work; it’s a convenient way to avoid proper people management simply by creating rules. When it comes to network security, a holistic approach that considers all aspects of managing risk is required, and that includes people. It’s been my experience that people are often the last to be considered in any network security plan. Nowhere is this more prevalent than in password management. This article, Please do not change your password, by Mark Pothier of the Boston Globe does a great job of highlighting the damage that stringent password policies have cost organizations.
Article: Please do not change your password.




