Agreed. My last job, we were forced to change all service account passwords annually but our personal passwords every month or two.
My current job has more domains and systems so I have so many more passwords with varying complexity and age requirements. I just set a calendar event for every four weeks (one expires just under 5 weeks) and change them all to the same generated password that meets all the common requirements and I save it in my password manager.
So every four weeks, it’s seriously this hour+ long ritual for virtually no enhanced security reason.
Have you considered scripting it? For a while I worked at a place that required changing passwords every 60 days and it couldn’t have been one of your previous 24 passwords. When checking out the policy I noticed there was no minimum password age so a quick for loop later and Bob becomes your mother’s brother. Quickly cycling through 24 random passwords and back to my secure one and no more just adding the month/year.
Of course I reported it to cyber and about a year later they added a minimum age, now I’m hoping to get them to address an issue in AD that sidesteps changing passwords (though that one may be around for a while).
I mean it’s a clever solution for those without password manages. Plus most of the suggestions in these comments violate the spirit of password change requirements.
Why? Frequent password changes have been shown to result in weaker passwords. What’s wrong with keeping a strong one indefinitely? I mean an actual strong one not one character more than what’s current bruteforceable.
Overtime people will slip up and leak their passwords. Maybe they accidentally log in with it in the username field (causing it to get logged), leave it on a forgotten postit note, share it with a spouse, used it for a 3rd party service, wore a pattern into their keyboard, etc. None of those are that big of a deal or all that common, but added up with enough time and people and the risk accumulates. A infrequent but regular password reset helps to mitigate that risk.
Regular password resets can also help to prevent password reuse. Suppose someone uses their work password for netflix, then work requires a password change. How likely are they to manually sync the netflix password back to match the one they use for work?
Of course there are much better ways to mitigate risk. E.g. multifactor authentication. But a major security principal is defense in depth, and I think reasonably infrequent (e.g. no more than once per year) password resets have a place in that.
This goes for physical keys as well. If it is your house and you are certain no one untrustworthy has your key, then fine. But for a larger org with multiple people and turnover. Sooner or later keys will get lost, misplaced, etc. Rekeying the locks (maybe every 5 years, maybe every 25 years) has merit.
Forever is vulnerable to phishing attacks, same reason why monthly is getting discouraged. Monthly is weaker because the average person does slight variation, which attackers LOVE.
Frequent password changes don’t protect against phishing.
And while a high frequency like monthly changes will probably result in even weaker passwords, also yearly changes will make people choose weak passwords.
Never is too long. Monthly is way to short. I like the idea of doing it yearly in conjunction with other it security awareness and training campaigns.
Agreed. My last job, we were forced to change all service account passwords annually but our personal passwords every month or two.
My current job has more domains and systems so I have so many more passwords with varying complexity and age requirements. I just set a calendar event for every four weeks (one expires just under 5 weeks) and change them all to the same generated password that meets all the common requirements and I save it in my password manager.
So every four weeks, it’s seriously this hour+ long ritual for virtually no enhanced security reason.
Have you considered scripting it? For a while I worked at a place that required changing passwords every 60 days and it couldn’t have been one of your previous 24 passwords. When checking out the policy I noticed there was no minimum password age so a quick for loop later and Bob becomes your mother’s brother. Quickly cycling through 24 random passwords and back to my secure one and no more just adding the month/year.
Of course I reported it to cyber and about a year later they added a minimum age, now I’m hoping to get them to address an issue in AD that sidesteps changing passwords (though that one may be around for a while).
Unfortunately I don’t think that’s possible for my situation. Most of my passwords require logging into a portal and accepting terms of agreements.
Yeah, future me wonders why I even suggested it, I’m sure it probably violates the spirit of password change requirements.
I mean it’s a clever solution for those without password manages. Plus most of the suggestions in these comments violate the spirit of password change requirements.
Why? Frequent password changes have been shown to result in weaker passwords. What’s wrong with keeping a strong one indefinitely? I mean an actual strong one not one character more than what’s current bruteforceable.
Overtime people will slip up and leak their passwords. Maybe they accidentally log in with it in the username field (causing it to get logged), leave it on a forgotten postit note, share it with a spouse, used it for a 3rd party service, wore a pattern into their keyboard, etc. None of those are that big of a deal or all that common, but added up with enough time and people and the risk accumulates. A infrequent but regular password reset helps to mitigate that risk.
Regular password resets can also help to prevent password reuse. Suppose someone uses their work password for netflix, then work requires a password change. How likely are they to manually sync the netflix password back to match the one they use for work?
Of course there are much better ways to mitigate risk. E.g. multifactor authentication. But a major security principal is defense in depth, and I think reasonably infrequent (e.g. no more than once per year) password resets have a place in that.
This goes for physical keys as well. If it is your house and you are certain no one untrustworthy has your key, then fine. But for a larger org with multiple people and turnover. Sooner or later keys will get lost, misplaced, etc. Rekeying the locks (maybe every 5 years, maybe every 25 years) has merit.
Forever is vulnerable to phishing attacks, same reason why monthly is getting discouraged. Monthly is weaker because the average person does slight variation, which attackers LOVE.
Frequent password changes don’t protect against phishing.
And while a high frequency like monthly changes will probably result in even weaker passwords, also yearly changes will make people choose weak passwords.