We used Arena Solutions 'Product Lifecycle Management' software before a change in company ownership mandated a change. It was one of those deals where all your sensitive company data is hosted somewhere offshore and could be accessed by browser from anywhere.
Arena PLM was touted as highly secure, but the (default) behaviour was to require an email address as a username. It allowed strong passwords with an expiry date, but when my password expired I was told I could choose another one, or just continue to use the old one!
I think the security claims were based on the use of SSH for data transfers, but it seemed to me a determined person could log in because:
- The usernames were publicly available company email addresses, and
- There was plenty of time to guess a password because a lazy user wouldn't choose a new one.
It means, of course, that the use and renewal of strong passwords must be enforced.