I recently overheard a colleague mention that, in his opinion, the best form of password security for their enterprise is to not enforce monthly or quarterly password changes for their employees. His reasoning? Enforcing tough passwords and forcing your employees to change them periodically often forces the employees to write down their passwords (sometimes even posting them on a sticky note attached to their monitors or desks). This, in his opinion, is more of a security risk than not enforcing periodic password changes.
At first, I thought that this was one of the craziest ideas that I had ever heard. It goes against one of the most basic security principles out there: make your passwords tough and change your passwords often.
Upon further thought, I decided that the logic behind this idea makes some sense. Allowing your employees to keep their passwords for an indefinite amount of time may help to alleviate the problem of those people who insist on writing down their passwords. That being said, I do not think that this is a viable solution. Whether or not you force your employees to change their passwords, there will always be those who like to write them down. In addition, the risk that you would take in allowing indefinite access through a compromised account would outweigh the risk of someone reading a written-down password.