Ofcom Do Security
colinthomson1 at o2.co.uk
Fri Aug 6 15:19:54 BST 2010
> The CEO is unlikely to care about password policy. The IT department,
> both hands on keyboards and management (I've been both), are all
> collectively geeks of greater and lesser natures.
I've known managers in IT departments who were not the least bit geekish, and others who were thoroughly geekish, and the whole range in between. The ones who have caused (or tried to cause) the most damage (with idiotic password policies, for example) have been the non-geeks. Some of the geeks have not been good at management, but they didn't try to introduce technical insanities like monthly password resets (if you are going to require frequent resets, you do it on the basis of number of times the password is used, not on the basis of a short time period, since each use is a chance for a shoulder-surfer to watch finger movements or for the password to be intercepted by technical means).
Now I am a bit of a geek, and I've been in senior management positions for a lot of my career, and only once have I imposed a password policy change: when the organisation was running not only its own servers but also its customer's servers with a database sysadmin account which (a) had a blank password and (b) provided OS level sysadmin privileged shell access. You can see why that had to be changed.
So I agree with Francis - it's usually not the geeks who introduce idiotic rules that fly in the face of usability and best practice.