Before I get bashed for posting this, I fully understand the importance of constructing a strong password and how expiring passwords on a regular basis plays into it. However, on a mobile device I find the need to do a password reset every 30/60/90 (pick the corporate policy) days overkill. That should read a huge pain in my arse.
Here’s why:
1. My device needs to be set up with corporate email – a hacker would have to get around that hurdle, and even if they did, it is a different attack pattern than getting into my phone.
2. Communications to the email server are sent securely – there is little to no way (not impossible) to get my credentials that way (not to mention that the creds are stored locally anyway, but just in case they were transmitted).
3. In addition to the email program requiring a password, my phone does as well. The hacker would have to get past that point (arguably the easiest on the list) before they could attack the local email.
4. I have the ability to wipe the email from my phone, and so do the admins.
5. Corporate requires strong/complex passwords.
6. I know when my phone isn’t around me.
Yes, there could be that one malicious app that is able to attack the email password and/or keylog my input, but if said app is on my system I'm probably screwed regardless of whether I change the password or not.
Implementation of security controls needs to be handled smartly – too many needless controls introduce headaches, which in turn introduce workarounds or, worse, disgruntled employees.
Bottom line: too much is just as bad as not enough.