I would say that if you need elevated security, MFA is the way to go. Frequent forced password changes are counterproductive.
this post was submitted on 09 Jun 2023
Password expirations are bad practice and counter-intuitive to what the ultimate goal is. If you have a long, complex, unique password for a system that is not used anywhere else and is stored in a secure password manager that has not been compromised, changing that password is worse than meaningless; it's actively harmful. No one in the IT or Security field should be advocating for password expirations at this stage of the game. Unfortunately, everyone is forced into the practice to comply with PCI regulations that have not kept up with changes in security.