So I have a Town Manager that refuses to believe that he should EVER have to change his password... that 8 characters is ridiculously long, and while I'm at it I should remove the need for a password anyway...
Currently I'm utilizing the minimum standard for our audits, of 8x3, 12 history, 3 times = 30 min lockout.
He changed his password yesterday, then today was IRATE that his cell phone couldn't get email, and that I couldn't resolve that remotely (he was waaaay off-site). His final rant was "Who says we have to have this?? I want to know who My Boss is!!"
Well the Town Council, and myself... but what he wants is documentation that this is best practice. Aside from CJIS (oooh do I have that down) I guess I need other places to point, PCI I have, HIPAA is not really useful for hard requirements... Anything else? Anyone else have to deal...