I am working on a draft for a password policy for our firm (2 servers, 26 workstations, 10 remote users).
Previously the system had been very lax (I could guess most passwords; if I couldn’t guess them, I just had to ask someone close by).
Passwords have been changed every 6 months.
I don’t want to annoy the users too much by changing passwords too frequently.
Is 6 months too long a length of time?