Putting the onus of strong passwords on the user did not work, so why
should any other policy? 

Overly restrictive password rules do not add strength.  

My $0.02. 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On
Behalf Of Perryman, Brian
Sent: Friday, October 07, 2005 3:07 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI audit compliance

A valid and good point. However, I suspect that they will just point out
that their policy clearly states that passwords should not be written
down, and shift the blame to the user. 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On
Behalf Of Shmuel Metz (Seymour J.)
Sent: 06 October 2005 14:37
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PCI audit compliance


Have you discussed with them the risk that the users will write down
their passwords if they are too difficult to remember? Perhaps the
solution is to use authentication techniques that are more robust than
passwords.
  

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
