This can be done in a centralised or decentralised manner. The advantage of a decentralised model is that in the case of lost passwords etc., the person on the IT helpdesk is more likely to be able to make a positive identification of the individual.
The IT department should create minimum standards for:
- minimum password length
- the number of previous passwords stored to avoid their re-use
- obvious passwords which may not be used (if a dictionary checker is not in use)
- password life
- the number of access attempts allowed before a user is disconnected
These standards can be flexed according to the security needs of each system.
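The five standards above can be expressed as one policy object with a tightened copy for a more sensitive system. This is an added example, not code from the original page; every name and threshold in it (`PasswordPolicy`, `BASELINE`, `HIGH_SECURITY`, the banned list, the PBKDF2 iteration count) is a constructed assumption.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta

@dataclass(frozen=True)
class PasswordPolicy:              # all values below are constructed samples
    min_length: int = 10
    history_size: int = 5          # previous passwords kept to block re-use
    banned: frozenset = frozenset({"password", "letmein", "qwerty12345"})
    max_age_days: int = 90         # password life
    max_attempts: int = 5          # failures allowed before disconnecting

BASELINE = PasswordPolicy()
HIGH_SECURITY = replace(BASELINE, min_length=14, max_age_days=30, max_attempts=3)

@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, hash) pairs, newest last
    changed_at: datetime = datetime.min
    failed_attempts: int = 0

def _digest(password, salt):       # history holds salted hashes, never plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def _matches(password, entry):     # constant-time comparison against one entry
    return hmac.compare_digest(_digest(password, entry[0]), entry[1])

def change_password(acct, new, policy, now):
    """Return the standards violated; the password is stored only if none are."""
    problems = []
    if len(new) < policy.min_length:
        problems.append("too short")
    if new.lower() in policy.banned:
        problems.append("obvious password")
    recent = acct.history[-policy.history_size:] if policy.history_size else []
    if any(_matches(new, e) for e in recent):
        problems.append("re-used")
    if not problems:
        salt = os.urandom(16)
        acct.history.append((salt, _digest(new, salt)))
        acct.changed_at, acct.failed_attempts = now, 0
    return problems

def login(acct, attempt, policy, now):
    if acct.failed_attempts >= policy.max_attempts or not acct.history:
        return "disconnected"
    if not _matches(attempt, acct.history[-1]):
        acct.failed_attempts += 1
        return "disconnected" if acct.failed_attempts >= policy.max_attempts else "denied"
    acct.failed_attempts = 0
    return "expired" if now - acct.changed_at > timedelta(days=policy.max_age_days) else "ok"
```

The same account is judged differently depending on which policy is passed in, which is how a per-system standard would be applied on top of the minimum.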