Ullmic,

The answer depends on what other things you have in place.  You want to
reach a comfortable point between security and inconvenience.  90 days would
be reasonable if you enforce complex passwords with at least 8 characters
minimum.  (Both NT 4 & W2k have that feature.)  You would also set the
policy to not allow usage of the last 10 passwords.  

On the people side, you need to educate users and conduct regular audits to
make sure they don't write them on sticky notes near their stations.
Overall, it comes down to how much risk is acceptable for your company.  If
you look at security as risk management, it will help you address the
problem better.

Regards,

Vince

-----Original Message-----
From: ullmic6 [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 17, 2003 11:02 AM
To: [EMAIL PROTECTED]
Subject: passwords


Hello all,

One of the favorite subjects in my company seems to be the strength of
passwords. We force our users to change their mail password every 90 days.
Does this make sense? Why?

--
ullmic
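
One way to audit a machine against the settings recommended in the reply above (90-day maximum age, 8-character minimum, complexity on, last 10 passwords remembered). This is an added example, not part of the original thread. It assumes the policy has been exported as a security-template INF (for instance with secedit /export) and decoded to text; the sample INF is constructed, and treating a maximum age of 0 or below as "never expires" is an assumption.

```python
import configparser

# Baseline taken from the reply above: 90-day maximum age, 8-character
# minimum, complexity enforced, last 10 passwords remembered.
BASELINE = {
    "MaximumPasswordAge": 90,
    "MinimumPasswordLength": 8,
    "PasswordComplexity": 1,
    "PasswordHistorySize": 10,
}

# Constructed sample of an exported template (not taken from a real host).
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 180
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 5
"""


def audit_policy(inf_text, baseline=BASELINE):
    """Return findings where the exported policy is weaker than the baseline."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return ["[System Access] section missing"]
    access = parser["System Access"]
    findings = []
    for key, wanted in baseline.items():
        raw = access.get(key)
        if raw is None:
            findings.append(f"{key}: not set (want {wanted})")
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{key}: unreadable value {raw!r}")
            continue
        if key == "MaximumPasswordAge":
            # Assumption: 0 or a negative value means passwords never expire.
            weak = value <= 0 or value > wanted
        else:
            weak = value < wanted  # larger is stricter for the other keys
        if weak:
            findings.append(f"{key}: {value} (want {wanted})")
    return findings
```

Calling audit_policy(SAMPLE_INF) lists every setting that falls short of the baseline; an empty list means the export meets it.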

