I'm trying to get a new AD password policy put in place and would like to see what everyone else is doing. Our current policy is (brace yourselves):
Min. Length: 6
Complexity: No
History: 4
Max Age: 120 days
Min. Age: 0 days
And up until a couple months ago about half of the users had their passwords set to never expire...
I work in a non-profit of about 75 users, making security changes where I can, but changing the password policy is going to rock the boat a little bit, so I'd like to show my boss what other companies currently have in place and use that as a basis for my proposal:
Min. Length: 10
Complexity: Yes
History: 4
Max Age: 365 days
Min. Age: 1 day
I'm willing to compromise and give a longer lifespan to the passwords in return for complexity, mostly because people tend to just increment numbers anyway and it doesn't really make their password any more secure.
So this brings me to my question: what is your current password policy? :)
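Added example, not part of the original post: a PowerShell script (ActiveDirectory module, run from a domain-joined admin workstation) that dumps the current default domain password policy as the post lists it, enumerates the enabled accounts still flagged PasswordNeverExpires, and stages the proposed policy. The numeric values are the poster's own proposal; the domain name is resolved at runtime rather than assumed. Every write is a dry run (-WhatIf) until the switch is removed.

```powershell
# Added example: audit the current default domain password policy and stage the
# proposed one. Not from the original post. Policy values are the poster's
# proposal; the domain is resolved from Get-ADDomain rather than hard-coded.
Import-Module ActiveDirectory

# --- 1. Current state: the baseline the post describes -----------------------
$current = Get-ADDefaultDomainPasswordPolicy
$current | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
    @{ n = 'MaxPasswordAgeDays'; e = { $_.MaxPasswordAge.Days } },
    @{ n = 'MinPasswordAgeDays'; e = { $_.MinPasswordAge.Days } },
    LockoutThreshold | Format-List

# Enabled accounts that bypass the max-age rule entirely (the "never expire" group).
# PasswordLastSet shows how stale those passwords actually are.
$neverExpire = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet
"{0} enabled accounts have PasswordNeverExpires set" -f @($neverExpire).Count
$neverExpire | Sort-Object PasswordLastSet | Format-Table -AutoSize

# --- 2. Proposed policy: the figures from the post ---------------------------
$proposed = @{
    MinPasswordLength    = 10
    ComplexityEnabled    = $true
    PasswordHistoryCount = 4
    MaxPasswordAge       = New-TimeSpan -Days 365
    MinPasswordAge       = New-TimeSpan -Days 1   # stops history being flushed in one sitting
}

# Dry run against the domain root; drop -WhatIf to apply.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot @proposed -WhatIf

# --- 3. Bring the never-expire accounts back under the policy (dry run) -------
$neverExpire | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $false -WhatIf
}
```

Two caveats a practitioner would check before presenting this. First, the default domain password settings are normally defined in the Default Domain Policy GPO; if they are set there, a value written with Set-ADDefaultDomainPasswordPolicy can be reasserted from the GPO, so make the change in the GPO (or apply a fine-grained password policy to a subset of users with New-ADFineGrainedPasswordPolicy) and use the cmdlet output to confirm what is in force. Second, AD only enforces length, complexity and history at the moment a password is changed, so existing six-character, no-complexity passwords stay valid until they next expire; with a 365-day maximum age, that can be a year unless the accounts are set to change password at next logon.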