>===== Original Message From Nick Patellis <[EMAIL PROTECTED]> =====
>My company is struggling with a problem concerning
>passwords which I would like to get some feedback
>on.  Essentially, for certain users we want to enforce
>password changing requirements.  This by itself
>seems straightforward, but these are customers who
>will access our systems via the Internet.
>Several have asked why we are forcing password
>changing since other web based systems, Schwab,
>banks, etc, do not force password changes.
>Any thoughts?  Any place where I can get some info
>on similar policies?
>Thanks
>Nick

Hi Nick. It sounds like you are not completely sold on the idea, and in my 
opinion, rightfully so. As you said, a mandated password change at particular 
intervals is incredibly complicated at levels ranging from explaining to your 
customers why they are being asked to do this at your site (when as you said 
they don't have to at other highly secure financial sites) to the technological 
to the actual enforcement (i.e., "You haven't changed your password - so - 
you're locked out, but we really appreciate your business..."). You get the 
idea. My guess is you would have 25% of the customers thinking "they're really 
being safe" while another quarter would think "They must not have much 
confidence in their system -- why are they making me change this all the time?" 
While the other 50% wouldn't think about why, they would only be irritated. I 
know some of the major web hosts either do this or have tried and gave up. For 
employees? Absolutely. No questions asked. For customers? A sticky situation. 
Those are some thoughts, but as far as where to go for info or similar 
policies per mandating customers? I haven't a clue - maybe someone has had 
experience with this and can share it here? Good luck!

Mike Donovan
 
