• @pHr34kY
    link
    433 months ago

    My company has a 6 month probation period. It also has a 6 month password expiry. Because of all the SSO nonsense, it’s quite possible for it to lapse without warning.

    It’s now a running joke that get locked out on the last day of probation, and you’re expecting a call from HR any minute.

      • @mkwt
        link
        953 months ago

        Current IT best practice is that passwords should never expire on a set schedule, but they should expire if there is evidence they’ve been breached.

        • Miles O'Brien
          link
          fedilink
          English
          193 months ago

          Legit, my old job required a 90-day change, and I once logged into a system I could do monetary damage on with ease, because I took a guess at my manager’s password based on how long it had been since he told it to me during an emergency.

          He did what every single person I spoke to did. “password 01” changed to “password 02” and I just tried twice, and sure enough he had changed it three times since he had told me.

          While I wouldn’t be ruining the company as a whole, I could have easily fucked over the individual location because scheduled password changes just ensure people use predictable passwords.

        • @[email protected]
          link
          fedilink
          13 months ago

          I didn’t realize updating IA-5 was part of rev5. We haven’t gotten to the IA family yet in our rev5 hardening yet.

      • Fuck spez
        link
        fedilink
        English
        83 months ago

        The current thinking as I understand it is expiry policies make most types of accounts less secure because users just cycle through the same predictable pattern of adding increasing numbers of exclamation points or incrementing the last digit at each required password change, and if you require new passwords to be too substantially dissimilar from x number of previous ones then users can’t remember them at all. Policies that make people use minimally complex passwords because they have too many to remember and don’t understand how password managers work inevitably increase password reuse between services and devices which does the opposite of improving security. Especially with MFA enforced, which I’ve been known to do as aggressively as I can get away with, there’s just no sense in requiring regular password resets – as long as the password remains complex, unique, and uncompromised. I’m not a network security expert but I am responsible for managing these sorts of things in my role and that’s the rationale I use for the group policies in a typical customer’s environment.

        • @[email protected]
          link
          fedilink
          -23 months ago

          You’re supposed to have controls in place to prevent all of those concerns. I’m not saying passwords should be changed every 30 days, but 6 months is a long time.

          But, companies with password expirations should be providing a password manager.

      • JackbyDev
        link
        fedilink
        English
        13 months ago

        When is someone going to find a password but somehow be stopped because it expires in as many as six months? What is it mitigating?