Enabling complex passwords
If an organization chooses to enable complex passwords, as you recommended in your "Changes you should make to password policy default settings" checklist, what is the impact to existing accounts and passwords that do not meet the requirements? Do the requirements take effect at the next password change, or are the passwords suddenly invalid, resulting in an overwhelmed help desk? What are your specific recommendations for planning this kind of implementation at an organization? Something more concrete beyond "enable this" would be appreciated.
When complex passwords are enabled, existing accounts that do not meet the requirements are unaffected until the password is changed. I recommend that users be required to do so by setting their accounts to require a password change the next time they log on. However, in a larger environment, you may want to stagger this requirement, and in any organization, make sure this does not catch users by surprise. Provide ample warning and training and, above all, solicit support from all management. Nothing is worse than implementing new security without support.
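As an added example (not part of the original answer), the staggered "change password at next logon" rollout described above, scripted for Windows Active Directory with the ActiveDirectory PowerShell module; the OU names, wave dates and policy date are placeholders, and only passwords set before the complexity requirement was enabled are targeted, since later ones already had to satisfy it.

```powershell
# Added example, not from the original answer. Assumes Windows Active Directory and the
# ActiveDirectory module. OU names, wave dates and the policy date are placeholders.
Import-Module ActiveDirectory

# Date the complexity requirement was enabled in the domain password policy (placeholder).
# Passwords set after this date were already checked against it, so only older ones need forcing.
$PolicyEnabledOn = Get-Date '2004-11-01'

# Stagger the rollout: one OU (or department) per wave, a week apart, so the help desk
# is never hit by the whole organization at once.
$Waves = @(
    @{ OU = 'OU=IT,DC=example,DC=com';      Start = (Get-Date) },
    @{ OU = 'OU=Finance,DC=example,DC=com'; Start = (Get-Date).AddDays(7) },
    @{ OU = 'OU=Sales,DC=example,DC=com';   Start = (Get-Date).AddDays(14) }
)

foreach ($Wave in $Waves) {
    # Not this wave's turn yet; the script is meant to be rerun daily (e.g. as a scheduled task).
    if ((Get-Date) -lt $Wave.Start) { continue }

    # Enabled accounts only. Accounts flagged PasswordNeverExpires are excluded because
    # "change at next logon" cannot be set on them; review those (service accounts) separately.
    $Users = Get-ADUser -SearchBase $Wave.OU -Filter {
        Enabled -eq $true -and PasswordNeverExpires -eq $false
    } -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyEnabledOn }

    Write-Host "$($Wave.OU): $(@($Users).Count) account(s) still on a pre-policy password"

    # -WhatIf previews the change; drop it once users in this wave have been warned and trained.
    $Users | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
}
```

Run it with -WhatIf first to size each wave's help-desk load, and only remove it for a wave after its communication has gone out.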
This was first published in November 2004