If there’s one thing that upsets me when I see articles and posting to forums about policy, its mention of a “Password Policy”. I have to step away from the keyboard, go outside and take some deep breaths to calm down.
I get upset because policy is important and developing — and more importantly communicating — policy has been an important part of my career and the professional service I offer. Policies need to be easy to understand and follow and need to be based on business needs.
If you begin with a list of policies, you end up adapting the the reality of your business - the operations - to the list. You are creating a false sense of security. You need to address what you need to control, and that is Identity and Access.
Lets face it, passwords, as Rick Smith points out in his book “Authentication“, are not only awkward, they are passée - even Microsoft thinks so. More to the point, using passwords can be bad for your financial health.
They should be used with care and not as a default.
And they should most certainly NOT be entombed in a corporate policy statement. Read the rest of this entry »