That said, also consider the risk associated with sticky notes on monitors. Are walkthroughs conducted periodically to make sure classified data (such as a password) isn't left on a desk? Are there any awareness programs to educate the employees about social engineering threats?
Only the company can answer the question of how complex passwords should be, and the first step is to make sure there is a documented password management policy. The information security group should come up with one soon. The questions I asked above should be a good start to determine what that policy should be. But generally speaking, a password policy should minimally consist of the following key controls:
- Minimum password length.
- Specific character content, such as upper and lower case, numerals or special characters.
- A timetable for changing passwords.
- The number of times a bad password can be input before the account is locked by the system.
- The number of iterations before a user can reuse a password, which prevents users from alternating back and forth between two passwords.
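As an added illustration (not code from the original answer or from any product it mentions), the following Python module turns the five controls above into enforceable checks: length and character-class rules, an expiry interval, a lockout threshold on bad attempts, and a history of salted hashes that blocks reuse of the last N passwords. The `PasswordPolicy` and `Account` classes and their numeric defaults are constructed for this example, not values taken from the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical policy object; the defaults are constructed for the example.
@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    max_age_days: int = 90        # timetable for changing passwords
    lockout_threshold: int = 5    # bad attempts before the account locks
    history_depth: int = 10       # how many previous passwords cannot be reused

SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")
PBKDF2_ROUNDS = 50_000            # kept modest so the example runs quickly

def complexity_violations(policy, candidate):
    """Return the list of policy rules the candidate password breaks (empty if none)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy.require_special and not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    return problems

def _hash(password, salt):
    # Per-password salt so the history cannot be compared across accounts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    policy: PasswordPolicy
    history: list = field(default_factory=list)  # (salt, digest), newest last; [-1] is current
    changed_day: int = 0                         # day number of the last change
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, candidate, today):
        """Apply the policy; return the list of violations (empty means the change was accepted)."""
        problems = complexity_violations(self.policy, candidate)
        if any(hmac.compare_digest(_hash(candidate, s), d) for s, d in self.history):
            problems.append(f"matches one of the last {self.policy.history_depth} passwords")
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.history.append((salt, _hash(candidate, salt)))
        self.history = self.history[-self.policy.history_depth:]  # drop entries older than the depth
        self.changed_day = today
        self.failed_attempts = 0   # a password change (e.g. a help-desk reset) clears the lockout
        self.locked = False
        return []

    def authenticate(self, candidate, today):
        """Return 'ok', 'expired', 'rejected' or 'locked'; counts bad attempts toward lockout."""
        if self.locked:
            return "locked"
        if not self.history:
            return "rejected"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_hash(candidate, salt), digest):
            self.failed_attempts += 1
            if self.failed_attempts >= self.policy.lockout_threshold:
                self.locked = True
                return "locked"
            return "rejected"
        self.failed_attempts = 0
        if today - self.changed_day >= self.policy.max_age_days:
            return "expired"   # correct password, but the change timetable has elapsed
        return "ok"
```

The reuse check has to hash the candidate once per stored entry because each entry carries its own salt; that cost is the reason history depth is a policy decision rather than something to set arbitrarily high.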
Related Q&A from David Griffeth, featured expert