User PW Validity

[Mmwwaaaa]

Hey all,


So you have 10<>10,000 employees:

Do you A: Enforce they have a complex pw & only issue a change notice when breached..

OR

Should you B: Enforce that they change their pw every x amount of days/weeks...

The average human cannot keep up to standards with cryptography as it is.. By forcing them to change their pw we risk the fact that most people use/re-use they favourite pw.

Are we safer to let them stick with their favourite or should we enforce change?

Regards,

[Kulverstukas]

We make them change the password once a year, and Windows GPO settings allows to set the complexity and history rules, so they don't reuse their passwords and have the required complexity.

[phoenixcoder]

I think passwords should be changed every 4 weeks if the environment requires a high level of security and like Kulverstukas said, the password complexity and reuse can be configured as rules

[proxx]

I think passwords should be changed every 4 weeks if the environment requires a high level of security and like Kulverstukas said, the password complexity and reuse can be configured as rules

So you write it down and put it under the keyboard?
Thats what happens IRL

[phoenixcoder]

So you write it down and put it under the keyboard?
Thats what happens IRL

Seriously? That sentence made me cringe!

[proxx]

Seriously? That sentence made me cringe!

You can not require from a human being to remember 12 new hard pwd's per account per year, its insane.
Instead 2 factor auth or padlocks provide a more secure method which also lowers stress on the users.

[phoenixcoder]

You can not require from a human being to remember 12 new hard pwd's per account per year, its insane.
Instead 2 factor auth or padlocks provide a more secure method which also lowers the stress on the users.

Password managers are your friend, moreover some mobile counter parts has finger print access

[HTH]

thats cool bro, but i promise that all 10,000 of your employees will NOT be using a password manager and enforcing a rule where they have to would be stupid and add unnecessary complexity. (and 9,950 of them will only use your companies password in it anyway.

change once a year, maybe once every 6 months if user security is that high on the totem pole, use two factor if feasible, and dont allow reuse or simple passwords.

realistically most hacking situations involving user passwords being compromised happened because they reused it on something you DONT control (some bs website that got their db dumped, their cellphone, w/e) and in that case what really matters is UAC and ensuring the rest of your network is up to par.

[proxx]

thats cool bro, but i promise that all 10,000 of your employees will NOT be using a password manager and enforcing a rule where they have to would be stupid and add unnecessary complexity. (and 9,950 of them will only use your companies password in it anyway.

change once a year, maybe once every 6 months if user security is that high on the totem pole, use two factor if feasible, and dont allow reuse or simple passwords.

realistically most hacking situations involving user passwords being compromised happened because they reused it on something you DONT control (some bs website that got their db dumped, their cellphone, w/e) and in that case what really matters is UAC and ensuring the rest of your network is up to par.

Thanks, I didnt know where to start with the punk  below, well said.