Passwords should be a minimum of 15 characters in length and contain no repeating characters. Each user's password should be changed at a minimum every 60 to 90 days, so that if a password is compromised it is only usable for a defined amount of time. In addition, there should be a password history: the system should remember up to each user's past 10 passwords to prevent users from reusing the same password over and over.
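The policy above (15-character minimum, no repeating characters, a history of the last 10 passwords, and a 90-day maximum age) as an added, self-contained enforcement example that is not part of the original report; it assumes "no repeating characters" means no character directly followed by itself, stores history as salted PBKDF2 hashes so old passwords are never kept in the clear, and treats timestamps as epoch seconds.

```python
import hashlib
import hmac
import os

# Policy parameters from the text; iteration count is an assumed tuning value.
MIN_LENGTH = 15
HISTORY_DEPTH = 10
MAX_AGE_SECONDS = 90 * 86400
PBKDF2_ITERATIONS = 100_000


def has_repeated_character(password):
    # Assumed reading of the rule: reject a character immediately repeated
    # ("passsword" fails, "password" passes).
    return any(a == b for a, b in zip(password, password[1:]))


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordRecord:
    """Per-user store of (salt, hash) pairs, newest first; constructed for this example."""

    def __init__(self):
        self.history = []
        self.changed_at = None  # epoch seconds of the last accepted change

    def in_history(self, candidate):
        # Re-hash the candidate under each stored salt and compare in constant time.
        return any(hmac.compare_digest(_hash(candidate, salt), digest)
                   for salt, digest in self.history[:HISTORY_DEPTH])

    def is_expired(self, now):
        return self.changed_at is None or now - self.changed_at > MAX_AGE_SECONDS

    def set_password(self, candidate, now):
        """Apply the policy; return the list of violations (empty means accepted)."""
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append("too_short")
        if has_repeated_character(candidate):
            problems.append("repeated_character")
        if self.in_history(candidate):
            problems.append("reused")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(candidate, salt)))
        del self.history[HISTORY_DEPTH:]  # retain only the last 10 passwords
        self.changed_at = now
        return []
```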
The third risk identified to Logistix is the lack of user verification policies for the organization's technical support personnel. A user verification policy is extremely important, as it outlines how technical support personnel will verify that the person they are speaking with on the phone is actually that person and not someone pretending to be them. Malicious users attempting to gain access to information they are not supposed to have will use social engineering attacks such as this to pass themselves off as someone else in order to get information or support from the technical support staff. This information or support could be anything, such as a username, but these types of attacks are typically used to get a password reset, as the malicious user typically already has the user's logon name. In order to mitigate this risk, a user verification policy should be written and enforced. This policy is