guyver01
Lifer
- Sep 25, 2000
- 22,151
- 5
- 61
IT has gone overboard with passwords as a means of security. The more passwords you need to remember, the more often you need to change them, and the more rules you put in place to force people to use strong passwords, the more likely people are going to choose dumb passwords.
Depending on the company, there's a little law called SARBANES-OXLEY and they have password requirements for systems that contain "Sensitive User Information".
Here’s a basic list of what constitutes that vague term (I probably left some out):
- Account number and identifiers
- Customer numbers
- User names
- Credit card or bank information of any kind
- Passwords
- Private messages and blog posts
- Wage information
- Social security and driver’s license numbers
- Birthdates
- User sessions should not be identified using cookies or IP addresses.
- Strong passwords (more than 8 characters, mixed alphanumeric and special characters, mixed upper- and lower-case) should be enforced if users select their own passwords.
- Anyone who has access to the production database should be required to change their password at least every 90 days.
- Security violations (such as a user entering the wrong password three times in a row) should be logged to a secure location and reviewed by the company Security Officer on a regular basis.
Amongst a whole list of other requirements.
IT doesn't make this stuff up. We're required by law to follow it.
Believe me... I don't want you calling daily because you can't remember your password because it's too complicated.
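Two of the requirements quoted in the post are mechanical enough to show in code: the strong-password rule (more than 8 characters, mixed case, digits and special characters) and the "three wrong passwords in a row" security violation that has to be logged and reviewed. The following is an added example written for this thread, not code from the poster or from any particular product; the policy thresholds (minimum length 9, three consecutive failures), the log line format and the sample log lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Policy values taken from the requirements quoted in the post (assumed, not from any standard's text):
MIN_LENGTH = 9        # "more than 8 characters"
FAIL_THRESHOLD = 3    # "wrong password three times in a row"

def check_password_policy(password: str) -> list[str]:
    """Return the list of policy rules a candidate password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems

# Assumed log line format: "<timestamp> auth user=<name> result=<OK|FAIL>"
LOG_LINE = re.compile(r"^(\S+) auth user=(\S+) result=(OK|FAIL)$")

def find_lockout_events(log_text: str) -> list[tuple[str, str]]:
    """Scan ordered authentication log lines and return (user, timestamp) for each run of
    FAIL_THRESHOLD consecutive failures by the same user. A successful login resets the
    user's streak; a streak is reported once, at the line that reaches the threshold."""
    streak = defaultdict(int)
    violations = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # ignore lines that are not auth events
        timestamp, user, result = match.groups()
        if result == "FAIL":
            streak[user] += 1
            if streak[user] == FAIL_THRESHOLD:
                violations.append((user, timestamp))
        else:
            streak[user] = 0
    return violations

# Constructed sample log: alice fails twice then succeeds; bob fails four times in a row.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth user=alice result=FAIL
2024-03-01T09:00:05 auth user=alice result=FAIL
2024-03-01T09:00:09 auth user=alice result=OK
2024-03-01T09:01:00 auth user=bob result=FAIL
2024-03-01T09:01:04 auth user=bob result=FAIL
2024-03-01T09:01:08 auth user=bob result=FAIL
2024-03-01T09:01:12 auth user=bob result=FAIL
"""

if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, "->", check_password_policy(candidate) or "OK")
    for user, when in find_lockout_events(SAMPLE_LOG):
        print(f"security violation: {user} failed {FAIL_THRESHOLD} times in a row at {when}")
```

The violation list is what would be written to the "secure location" the requirement mentions; in a real system that write would go to an append-only store or a log server outside the reach of the account being reviewed, and the review step remains a human task.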