Enforce Password History

By bfeltus
My company wants me to set "enforce password history" to 1 password remembered on the Windows servers. The users want to switch back and forth between 2 passwords. I know this is not "best practice" and I do not agree with this. I need to make a case why we should not do this. Any suggestions would be appreciated. Thank you.

This conversation is currently closed to new comments.

8 total posts (Page 1 of 1)


by I_S In reply to Enforce Password History

Can you clarify and explain your question in more detail?
Thanks

by bfeltus In reply to Enforce Password History

On Windows servers (NT, 2000, and 2003) I am setting local security policies: password length, complexity enabled, etc. There is also a setting for password history. I compromised and set unique passwords to 2 remembered (I would like to set it to more than that). That means at least 3 passwords before you can use the first one again. The company wants me to set it to 1. That means the users can switch back and forth between 2 passwords.
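An added example, not code from the thread or from any poster, for auditing the setting the post describes: it exports the local security policy with `secedit` and reads `PasswordHistorySize` (the "Enforce password history" value) from the `[System Access]` section, then reports how many distinct passwords a user must cycle through before reuse is possible. It assumes `secedit.exe` is available (Windows 2000/2003 and later) and an elevated prompt; the baseline of 24 remembered passwords is this script's own assumption, not a value from the thread.

```powershell
# Added example (not from the thread): audit "Enforce password history" on a
# Windows server by exporting the local security policy with secedit.exe and
# parsing the [System Access] section of the exported INF file.
# Assumptions: secedit.exe is present (Windows 2000/2003 or later) and the
# script runs from an elevated prompt. The baseline value below is an assumed
# organisational minimum, not a value taken from the thread.

$RecommendedHistory = 24   # assumed baseline; the thread's disputed values are 1 and 2

function Get-LocalPasswordPolicy {
    $cfg = Join-Path $env:TEMP "secpol-audit.inf"
    # /areas SECURITYPOLICY limits the export to the account/security policy section
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt" }

    $policy = @{}
    $inSystemAccess = $false
    foreach ($line in Get-Content $cfg) {
        # Section headers look like [System Access]; only that section is of interest
        if ($line -match '^\[(.+)\]$') { $inSystemAccess = ($Matches[1] -eq 'System Access'); continue }
        # Entries look like: PasswordHistorySize = 24
        if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item $cfg -Force
    return $policy
}

function Test-PasswordHistory {
    param([hashtable]$Policy, [int]$Minimum = $RecommendedHistory)
    $history = [int]$Policy['PasswordHistorySize']
    # With N passwords remembered, a user needs N+1 distinct passwords before the
    # first one can be reused; N = 1 is exactly the "switch between two" case.
    [pscustomobject]@{
        PasswordHistorySize    = $history
        DistinctBeforeReuse    = $history + 1
        MinimumPasswordAgeDays = [int]$Policy['MinimumPasswordAge']
        MeetsBaseline          = ($history -ge $Minimum)
    }
}

$result = Test-PasswordHistory -Policy (Get-LocalPasswordPolicy)
$result | Format-List
if (-not $result.MeetsBaseline) {
    Write-Warning "PasswordHistorySize is $($result.PasswordHistorySize); a user can return to an old password after only $($result.DistinctBeforeReuse) changes."
}
if ($result.MinimumPasswordAgeDays -eq 0) {
    Write-Warning "MinimumPasswordAge is 0: a user can change the password repeatedly in one sitting to flush the history and reuse the original."
}
```

The second warning is the check most relevant to the argument being made in the thread: password history only limits reuse if a minimum password age is also set, otherwise a user who is remembered N passwords can simply change the password N+1 times in a row and land back on the original, regardless of how large N is.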

by CG IT In reply to Enforce Password History

Ah, the joys of IT and network security.

"Best practice" is to have users change their password regularly and not use the same password over and over. However, the reality is, users have a terrible case of CRS [can't remember s...] and in most cases it's more work having to reset passwords for users, and more costly in lost productivity because they can't access resources.

I took the stance that we are there to help users do their job and provide tools for them to do their job, not interfere with it. If enforcing password complexity interferes with users, then it's not a good policy. There are other methods to ensure network security than insisting on password complexity [remembered passwords].

by STKanoski In reply to Enforce Password History

You can do a search on PHISHING. It's the practice of sending bogus emails, from what looks like a valid company, to get account numbers and passwords.

Also, one of the best hack methods is to call a company a few times to learn a few names, then call back and say you forgot your password. Many times secretaries or others who know it will give it out over the phone. Once the hacker knows this, they sail through all your security. This brings up the point of not only changing your password, but of getting management and workers thinking about security. Find a few articles on these aspects of security to help bolster your point.

If I find some articles I'll post the URL.

by bfeltus In reply to Enforce Password History

This question was closed by the author
