Forced password expiry is often cited as a route to increased security. I disagree! If a hacker is stealing passwords and has access to anyone's domain credentials, why would they wait 30 days to use them? Once they get hold of the credentials, they'll place a back door, and then they won't need the credentials again.
Some companies try expiring user passwords every 30 days but that is a sure-fire route to annoy your users, reduce goodwill towards your security department, and increase chances of passwords being written down.
Instead, teach your users how to create, remember and look after a strong password, and expire them far less frequently. You'll win friends in your workforce, and the training programme will help you build relationships and communicate more about security. Security is not a technical problem, it's a people problem. Therefore technical offerings are rarely the solution: advice which IT security departments would do well to take heed of!
In the end, the best way to protect employees' personal information and passwords is education. Help your staff equate the importance of their username and password with their debit card PIN number and bank account details.
Giving away your PIN with your bank card is a way to get your account emptied. Giving away your credentials to a PC that you use for online banking is just as stupid.
This was first published in May 2009