At my employeer, a password is required (non-expiring) with a timeout of 60 minutes. No complexity requirements other than ones the handheld enforces (ie. 1234, abcd, etc.)
We use a forced password, minimum 6 characters, must have 1 letter and 1 number. Users cannot disable the password, but are able to set the timeout to the maximum of 1 hour.
Thanks for the replies so far... Boy, that government publication will make good bedtime reading!! LOL
To pontificate profusely... On the issues of security, do most people feel that a forced password change is a good thing?
How about "hacking" of a network with a blackberry? Anyone know how / if it's been done?
Yeah, that stuff will knock you out faster than NyQuill.
The main point is that since BB's have a lock and reset after 10 failed attempts the password has a stronger entropy. Meaning that even if you have a shorter password and a longer time between forced password changes it can still meet levels 1 and 2 for low to moderate impact systems.
There are some stipulations if you are using content protection, but otherwise I would go with around 8+ chars w/ 1 special and force reset every 90 days or so. Although twice a year would probably work too.
I've never read about any specific hacks, but if you are using MDS there are some pretty big concerns. Once again it really depends on the sensitivity of the data you operate with.
IT Policies and security -
07-19-2006, 08:36 AM
