Quick -- need info on benefits of using strong passwords in Password Policy!

Our medium-size non-profit organization has ALWAYS been light on locking down any single thing on our network, computers, etc. as the overall feeling is to allow employees full freedom, etc.

Well, over my 2 yrs with this company, a decent handful of vulnerabilities have made themselves available to the BAD people in this world and we've gotten hit pretty hard.

I now have a recommendation into our Executives to approve or decline for the use of a Password Group Policy on our M$ 2003 environment (with full XP pro workstations).

However, now that they are starting to discuss it ... many are on the bandwagon that it is TOO difficult of a change, etc.

I need HELP quick .... can some folks point me to articles online that talk about the benefits of such a policy? Talk about the inherent dangers and all the possibilities of getting hit without a policy? Or ... maybe the number of companies that are beginning to use strong passwords to protect their data? Any articles talking about HIPAA or confidential customer/client info being stolen or used?

I appreciate any help!

 

HIPAA mandates that your passwords are changed on a regular basis. I think the cycle is determined by you but has to be no more than 90 days.

I'm not sure about REQUIRING complex passwords, but they'd be stupid not to. Just because it's too difficult is not an excuse. When the feds come knocking because they had a breach, then they won't be happy with happens next.

I've recently started using passphrases as opposed to passwords. A sentence if you will.. "I ate my pants today" is nearly impossible to crack.

 

I, too, am using pass-phrases and have recommended that method for developing passwords in the policy. Thanks for the reminder that HIPAA does have some PW requirements ... I'll mention that.

 

dunno if this will help..but it's worth a look if only as a guide..
http://www.epractis.com/HIPAA/security_todolist.htm