Isn’t password rotation a horrible practice because it makes people use passwords like “MyNewPassword15” since it’s the 15th password reset they’ve been forced to do?
Password rotation is generally not considered a “best practice”, but not doing something because it’s not a best practice is only a good strategy if you’re actually going to follow the best practices. Password rotation is less effective than a good password manager and long, randomly generated passwords that are unique to each site. Requiring passwords to be rotated can be an impediment to using strong, unique passwords, which is why it’s not a good practice.
But a freshly rotated “MyNewPassword15” is a million times better than your password being “password”, or being the same thing you use on every sketchy website whose database has been breached a dozen times.
The password for your “emergency” system account (the one that shouldn’t be root) still needs to be rotated every time someone with access leaves or changes job roles.
That, and users will begin writing down this month’s password on a sticky note, and you’ll be lucky if they hide it under their keyboard. Most users will stick it to their monitor, and that’s lucky considering some users will write “Outlook password”, “QuickBooks password”, etc.
Best to only reset when it’s been confirmed the password has been compromised, and the password should be locked down to an MFA token of some kind, preferably app based, not SMS based.
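The thread above argues that forced rotation produces passwords like “MyNewPassword15”, and that long random unique passwords are the better alternative. The following is an added example, not code from any poster here, of what a password-change check on the server side can do about that: it rejects a new password that is the old one with only a counter bumped, one that is within a few edits of the old one, or one on a small breach-style blocklist, and it generates the kind of long random password the second comment recommends. The blocklist and all sample passwords are constructed for illustration; the length and similarity thresholds are assumptions, not a standard.

```python
import re
import secrets
import string

# Constructed stand-in for a real breached-password list (e.g. a k-anonymity lookup
# against a breach corpus); kept tiny so the example runs offline.
COMMON_PASSWORDS = frozenset({"password", "password1", "letmein", "welcome1", "qwerty123"})

_DIGITS = re.compile(r"\d+")


def _skeleton(pw: str) -> str:
    """Password with every digit run removed and case folded: "MyNewPassword15" -> "mynewpassword"."""
    return _DIGITS.sub("", pw).casefold()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only its numbers changed
    (the "MyNewPassword14" -> "MyNewPassword15" pattern, or "Summer2023!" -> "Summer2024!")."""
    return old == new or _skeleton(old) == _skeleton(new)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(old: str, new: str, min_length: int = 16,
                       max_similarity_distance: int = 3) -> list:
    """Return the list of policy problems with `new` relative to `old`; empty list means accept.
    The old password is available in clear here because a password change normally
    requires the user to supply it; nothing is stored from it."""
    problems = []
    if len(new) < min_length:
        problems.append("too_short")
    if new.casefold() in COMMON_PASSWORDS:
        problems.append("common")
    if new == old:
        problems.append("same_as_old")
    elif is_trivial_rotation(old, new):
        problems.append("only_counter_changed")
    elif levenshtein(old.casefold(), new.casefold()) <= max_similarity_distance:
        problems.append("too_similar")
    return problems


def generate_password(length: int = 24) -> str:
    """Long random password from a CSPRNG, as a password manager would produce.
    Retries until at least one letter, digit and symbol are present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    # Constructed sample change requests.
    for old, new in [("MyNewPassword14", "MyNewPassword15"),
                     ("MyNewPassword15", "MyNewPassword15!"),
                     ("password", "password"),
                     ("MyNewPassword15", generate_password())]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

Rejecting the incremented variant removes the main "benefit" users get from a rotation scheme, which is exactly why a policy like this is better paired with a password manager and MFA than with a calendar-driven reset: if the check is deployed alone, the sticky-note problem from the thread only gets worse.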