It depends on the value of the data compromised. Let's say that the user whose password is known produces $100 per day of information. Depending on the specifics of the situation, that could mean that each day that an unauthorized user has access to the information costs the organization $100. So providing an extra 30 days of unauthorized access (access that would be stopped with a password change) would cost $3,000.
I agree that ANY unauthorized access to information is too much. However, I also believe that 60 days of unauthorized access is generally better than 90 days, 90 days is generally better than 120 days, and so on.

John

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Friday, April 16, 2010 3:47 PM
To: NT System Admin Issues
Subject: Re: please don't change your password!

Again, how much risk are you mitigating in 30 days vs 60? (Or 15 vs 30-45?)

Even a week of such access is far too long. This problem is mitigated by properly off-boarding employees such that old accounts are disabled in a timely fashion, and tracking logon usage so that off-hours account usage of active accounts is noticed promptly.

In this particular case, the technology makes the choice between option A and option B trivial, but that's not always true, and so we spend a great deal of time tackling items that add no measurable benefit.

-ASB: http://XeeSM.com/AndrewBaker
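The two controls Andrew names (disabling accounts promptly at off-boarding, and watching for off-hours use of accounts that are still active) can be checked against logon records. The script below is an added example written for this page, not code from either poster. The record format, the business-hours window, the sample logon lines and the HR departure dates are all constructed assumptions; a real deployment would feed it from the directory's logon events and the HR leaver list.

```python
"""
Added example: review logon records for the two conditions the thread
discusses -- logons on accounts whose owner has already left, and
off-hours logons on accounts that are still active. It also reports, per
departed account, how many days of exposure the late disable produced,
which is the quantity John's per-day cost figure multiplies.
"""
from datetime import datetime, time, date

# Constructed sample records (timestamp, account, source host).
# The layout is an assumption for the example; real input would be the
# directory's logon events. 2010-04-16 is a Friday, 2010-04-17 a Saturday.
SAMPLE_LOGONS = [
    ("2010-04-16 09:05:00", "jsmith", "WS-101"),  # normal business-hours logon
    ("2010-04-16 23:40:00", "jsmith", "WS-101"),  # active account, off hours
    ("2010-04-17 10:12:00", "bdoe", "WS-202"),    # owner left on 2010-04-10
    ("2010-04-17 14:00:00", "mlee", "WS-303"),    # active account, weekend
]

# Constructed HR data: account -> last working day (None = still employed).
DEPARTURES = {"jsmith": None, "bdoe": date(2010, 4, 10), "mlee": None}

# Assumed business-hours window, Monday to Friday.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_logon(record):
    """Turn a (timestamp-string, account, host) tuple into typed fields."""
    ts, account, host = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, host


def is_off_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    """True on weekends or outside the configured daily window."""
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def review_logons(records, departures):
    """Return (reason, account, timestamp-string) findings, in input order.

    A logon after the owner's last working day is the higher-priority
    finding (the account should already be disabled); otherwise an
    off-hours logon on an active account is flagged for review.
    """
    findings = []
    for rec in records:
        ts, account, _host = parse_logon(rec)
        last_day = departures.get(account)
        if last_day is not None and ts.date() > last_day:
            findings.append(("departed-account-logon", account, rec[0]))
        elif is_off_hours(ts):
            findings.append(("off-hours-logon", account, rec[0]))
    return findings


def exposure_days(records, departures):
    """Per departed account that still logged on: days from the last
    working day to the latest observed logon. This is the window that a
    timely disable at off-boarding would have closed."""
    latest = {}
    for rec in records:
        ts, account, _host = parse_logon(rec)
        last_day = departures.get(account)
        if last_day is not None and ts.date() > last_day:
            latest[account] = max(latest.get(account, ts.date()), ts.date())
    return {acct: (day - departures[acct]).days for acct, day in latest.items()}


if __name__ == "__main__":
    for reason, account, when in review_logons(SAMPLE_LOGONS, DEPARTURES):
        print(f"{when}  {account:<8} {reason}")
    for account, days in exposure_days(SAMPLE_LOGONS, DEPARTURES).items():
        print(f"{account}: {days} days of exposure after last working day")
```

Run as-is it prints three findings (one departed-account logon, two off-hours logons) and reports seven days of exposure for the departed account; multiplying that day count by a per-day value of the data, as John does, gives the cost the off-boarding delay produced.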