Striking a balance with passwords
In a bid to protect users from choosing passwords that are easily guessable, security-conscious RIM (NASDAQ: RIMM) has taken the unorthodox step of creating a blacklist of common passwords used for their BlackBerry ID.
I don't typically cover mobile devices at FierceCIO:TechWatch, but this news had me pondering the tricky topic of passwords and the "accepted" enterprise best practices on this front. While well-meaning, I've come to realize how overenthusiastic IT departments can go overboard and impose draconian rules that could affect the productivity of employees. I highlight a couple of them here.
Changing passwords regularly
The simplest way to defend against a compromised password would be to change passwords regularly. To prevent users from reusing the same passwords, it is possible to configure most password systems to remember--and block--the most recently used passwords. On the downside, too frequent password changes can trigger frustration in users, as well as lead to more support calls to reset forgotten passwords.
Enforcing some level of complexity in passwords is an excellent way of increasing basic password security. This could range from something as simple as specifying a minimum character length, to mandating the use of non-characters such as numerals and symbols, or the use of capital letters. Preventing users from using a character-only password offers great protection against dictionary attacks, though enforcing all three (numerals, symbols and capital letters) will likely cause difficulties with most users.
While I recognize that the perfect "balance" of enforced regular changes and password complexity may well depend on the sensitivity of a particular industry, I would like to hear your thoughts on the two points above. Anecdotes of negative enforcement are also welcomed.