(no subject)

[msmemory_archive]

If you're going to implement a strong, mandatory, inconvenient policy, it would sure be a good idea to issue a memo, or an all-staff email, or post it on the intranet.

Having to have our IS guy visit each person in the whole site to explain that their computer was locked while they were in the restroom or at lunch, and it will lock itself after 15 minutes of inactivity henceforth, just stinks, for us and for the hapless IS guy. (It also lends itself to people choosing the shortest, weakest passwords they can get away with, if they have to log in several times a day.)

Comments

[cvirtue.livejournal.com]

I'm not an infosec person, but it seems to me that if a company is going to have this sort of security paranoia, then 15 minutes is *too long.*

So as well as being annoying, stupidly implemented, etc, it may also be too lax to be useful.

[cellio]

Our company has this policy, and you can't override the settings. My manager pointed out that they had just made his computer less secure; he had had it set at 5 minutes. Unfortunately, they didn't care. :-(

[hugh-mannity.livejournal.com]

Yep. Ours is a mandatory 5 minutes. We have to change our passwords every 90 days and they have to be a minimum of 6 characters and include a number.

Fortunately I know enough SCAdians whose names I can mangle that I haven't run out of memorable passwords yet. In fact I haven't done with Carolingia ;)

[alexx-kay.livejournal.com]

Our passwords have to be at least 8 characters, include At least three out of the four from the set [lowercase, uppercase, numbers, punctuation], not be 'too close' to anything the built-in automated program has in its dictionary, and can't be any of the last 25 passwords you used.

I hate password-changing day.