• Cryophilia@lemmy.world
    link
    fedilink
    arrow-up
    25
    ·
    1 year ago

    Isn’t password rotation a horrible practice because it makes people use passwords like “MyNewPassword15” since it’s the 15th password reset they’ve been forced to do?

    • notatoad@lemmy.world
      link
      fedilink
      arrow-up
      8
      ·
      edit-2
      1 year ago

      password rotation is generally not considered a “best practice” but not doing something because it’s not a best practice is only a good strategy if you’re actually going to follow the best practices. password rotation is less effective than a good password manager and long randomly generated passwords that are unique to each site. requiring passwords be rotated can be an impediment to using strong unique passwords, which is why it’s not a good practice.

      but a freshly rotated “MyNewPassword15” is a million times better than your password being “password”, or being the same thing you use on every sketchy website whose database has been breached a dozen times.

    • fakeaustinfloyd@ttrpg.network
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Password rotation for your “emergency” system account (the one that shouldn’t be root) still needs to be rotated every time someone with access leaves or changes job roles.

    • Okalaydokalay@lemm.ee
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      That and users will begin writing down this month’s password on a sticky and you’ll be lucky if they hide it under their keyboard. Most users will stick it to their monitor and that’s lucky considering some users will write “outlook password”, “quick books password”, etc.

      Best to only reset when it’s been confirmed the password has been compromised and the password should be locked down to a MFA token of some kind, preferably app based, not SMS based.