Impact of changing password policy

Jim Hatfield

The current password policy on our Win2K setup requires
passwords to be at least 6 characters and for them to be
changed every 42 days. For various political reasons I want
to remove the enforced change and compensate by increasing
the minimum length to 7 characters.

If I do this, will everyone be immediately forced to change
their password, since their current 6-character password
no longer meets the policy? (This would be a bad thing to
happen...)
 
Brandon Baker

No, they won't be affected until they are required to change their password
because of expiration.
 
Hank Arnold

Short answer is... No. You are making the passwords permanent. You will have
to manually expire their passwords to enforce the rule. If they decide to
change the password on their own, the 7 character limit will be imposed.

FWIW, I think this is a **VERY BAD** decision. Having non-expiring passwords
is a security hole the size of Lake Michigan. I know from experience the
grief people (and executives, especially) give you when they are forced to
change their passwords. My advice would be to lengthen the time. 42 days is
very short and would, I think, only be imposed in situations where security
is critical. How about making it every 90 days or even 180 days? *Any*
period is far, far better than none....
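
Added example, not part of any post in this thread: because the new minimum length is only checked when a password is changed, one way to find accounts that may still hold a 6-character password is to list those whose `pwdLastSet` value predates the policy change. The CSV export layout, the account names and the policy-change date below are constructed assumptions; `pwdLastSet` is a Windows FILETIME, and 0 means the account must already change its password at next logon.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the sample export."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def accounts_predating_policy(export_text, policy_changed_at):
    """Return (account, last_set) for passwords set before the policy change, oldest first."""
    stale = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ticks = int(row["pwdLastSet"])
        if ticks == 0:
            continue  # already flagged "must change password at next logon"
        last_set = filetime_to_datetime(ticks)
        if last_set < policy_changed_at:
            stale.append((row["sAMAccountName"], last_set))
    return sorted(stale, key=lambda item: item[1])

# Constructed sample data: an assumed policy-change date and four made-up accounts.
POLICY_CHANGED_AT = datetime(2004, 3, 1, tzinfo=timezone.utc)
ROWS = [
    ("alice", datetime(2004, 1, 15, tzinfo=timezone.utc)),
    ("bob", datetime(2004, 3, 10, tzinfo=timezone.utc)),   # changed after the new policy
    ("carol", datetime(2003, 11, 2, tzinfo=timezone.utc)),
    ("dave", None),                                        # pwdLastSet = 0
]
SAMPLE_EXPORT = "sAMAccountName,pwdLastSet\n" + "\n".join(
    f"{name},{datetime_to_filetime(when) if when else 0}" for name, when in ROWS)

if __name__ == "__main__":
    for name, last_set in accounts_predating_policy(SAMPLE_EXPORT, POLICY_CHANGED_AT):
        print(f"{name}: password last set {last_set:%Y-%m-%d}, predates the 7-character policy")
```

The accounts it returns are the candidates for a manual expiry; the directory itself cannot report how long an existing password is.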
 
