It’s Friday: do you know what my password is?
I’m trying to convince my staff that we should require really long passwords, never expire them, and run crack every year to check password strength. But they disagree, especially about the expiration issue. Any thoughts? Gurus I can consult? I checked Schneier but haven’t found a good reference yet.