Part 2: On Passwords, Password Policies, and Teaching

Post Syndicated from David original http://devilsadvocatesecurity.blogspot.com/2011/10/part-2-on-passwords-password-policies.html

I noted in yesterday’s post that I used the answers to drive a conversation with a student employee, but didn’t provide details. I was asked what the assignment was, and thought that it might be of interest.

I provided the initial question, and my response about what drives institutional policy – essentially what I summarized here. The assignment was:

Explain how you would answer this question for a user, and for IT management, and how your policy might differ for each of these environments:

  • A large multinational corporation
  • A commercial website like Amazon, or a cloud service like Dropbox or Picasa
  • A small company or non-profit

This sort of thought exercise is one that I feel is crucial for those who are learning information security, and is similar to questions I ask my employees when we discuss why our policies are what they are.