I am a new Junior IT Manager in a small company of around 500 employees and the current policy regarding passwords has enforced password expiration within 30 days, with a password history of 5.
As you can understand, this leads to people having passwords like January16 and the like, passwords on sticky notes on their screens, blah blah blah... the usual when it comes down to these policies.
What would be ideal, as far as I can tell, would be a 10-character password with capitals, small letters, numbers and symbols.
Since I presume there are people in here that are security auditors, and also others that have way more experience on these matters, I ask you this.
What can I present to the auditors next time they come around, so that they would allow us to change the policy for password expiration to 1 year?
Off the top of my head, I would provide them with data regarding the strength of a long and complex password, as well as data from brute-force password retrieval apps regarding how many p/s they can achieve with state-of-the-art hardware, as well as a script that will run once every day to show whether any new accounts have been created in AD, as a security measure in case someone does manage to break into the network and create their own account.
Any assistance will be much appreciated.
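The daily new-account check the question proposes, written out as an added example (not code from the question or its author). It assumes the RSAT ActiveDirectory PowerShell module and an account with read access to the domain; the lookback window and report path are placeholders.

```powershell
# Added example: summarise the domain password policy and list AD user
# accounts created in the last N hours. Assumes the ActiveDirectory module
# (RSAT) is installed and the caller can read user objects in the domain.
Import-Module ActiveDirectory

function Get-PasswordPolicySummary {
    # Reads the Default Domain Policy values auditors will ask about
    # (max age, history, length, complexity, lockout).
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MaxPasswordAgeDays   = $p.MaxPasswordAge.Days
        PasswordHistoryCount = $p.PasswordHistoryCount
        MinPasswordLength    = $p.MinPasswordLength
        ComplexityEnabled    = $p.ComplexityEnabled
        LockoutThreshold     = $p.LockoutThreshold
    }
}

function Get-RecentlyCreatedAccounts {
    param([int]$Hours = 24)   # lookback window; 24 fits a once-a-day run
    $cutoff = (Get-Date).AddHours(-$Hours)
    # whenCreated is set by the DC at creation time and is not user-editable,
    # so it is a reliable anchor for "what appeared since the last run".
    Get-ADUser -Filter { whenCreated -ge $cutoff } `
               -Properties whenCreated, Enabled, Description, MemberOf |
        Select-Object SamAccountName, Name, whenCreated, Enabled, Description,
            @{ Name = 'Groups'; Expression = {
                # keep only the CN part of each group DN for readability
                ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
            } }
}

# --- daily run (schedule with Task Scheduler) ---
$reportDir = 'C:\Reports\AD'          # placeholder path
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$policy = Get-PasswordPolicySummary
$new    = @(Get-RecentlyCreatedAccounts -Hours 24)

$policy | Format-List | Out-File "$reportDir\policy-$stamp.txt"
if ($new.Count -gt 0) {
    # Anything listed here was not created by your own onboarding process
    # and deserves a look; privileged group membership is the red flag.
    $new | Export-Csv "$reportDir\new-accounts-$stamp.csv" -NoTypeInformation
    Write-Warning "$($new.Count) account(s) created in the last 24h; see $reportDir"
} else {
    Write-Output "No new accounts in the last 24h."
}
```

Cross-check the CSV against your HR onboarding list rather than eyeballing it, and keep the daily reports; a year of "no unexpected accounts" is the kind of evidence that supports the policy change with auditors.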