Because of auditor concerns, my organization will soon be implementing blackberry handheld device password protection from our Blackberry Enterprise server. We will be locking the device after 15 minutes of inactivity.
One of the other requirements we are planning to enforce is that users must change their password every 90 days and they cannot assign a previously used password.
Is this password expiration requirement unreasonable or unnecessary in your opinion? What are other blackberry admins doing? Are there any concerns with having a password that never expires?