My company is implementing a 90-day password refresh policy in a month. We have 2FA enabled. What does “the book” say about a policy like this? Is it still relevant or necessary?
I’m friendly with the IT director and can have a conversation with him before this policy is in place. But before that, I want to make sure my instinct that there are less taxing, more secure solutions (e.g., password management training, passphrases, etc.) has merit.
Changing passwords often is always a good thing. But if you already employ a password manager and create and use very strong passwords, then this becomes problematic and almost unnecessary, especially when you have non-SMS 2FA enabled.
Because creating new strong passwords every 3 months that you have to remember is going to be a pain in the ass. People are going to create easy-to-remember, unsafe passwords, which defeats the purpose somewhat if you ask me.
I can’t speak to the security relevancy but I will say, a lot of these policies are set for insurance reasons. Insurance companies will have security rules they want companies to follow otherwise they have higher premiums.
Source: I work in IT and constantly have to remind our CEO that he doesn’t want to spend thousands of extra dollars a year in insurance just because his Authenticator annoys him.
Caveat to this is that if there is a leak of passwords, the rotation will prevent a basic enumeration attack. But anyone who could see plaintext passwords would immediately know to try incrementing the value.
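As an added illustration of the "just increment the number" problem raised in the replies above (this is example code written for this thread, not something any of the posters provided or that a specific product implements), here is a change-time check that rejects a new password which is a predictable variant of the one it replaces. It only needs the old and new values the user types into the change form, which is the one moment the plaintext of the old password is available to the server; stored hashes cannot be compared this way. The 0.8 similarity threshold is an assumed tuning value.

```python
import re
from difflib import SequenceMatcher

# Matches "<stem><trailing digits>", e.g. "Password1" -> ("Password", "1")
_TRAILING_NUM = re.compile(r"^(.*?)(\d+)$")


def _stem(password: str) -> str:
    """Strip a trailing run of digits so "Winter12" and "Winter13" compare equal."""
    m = _TRAILING_NUM.match(password)
    return m.group(1) if m else password


def is_trivial_rotation(old: str, new: str, max_similarity: float = 0.8) -> bool:
    """Return True when `new` is a predictable variant of `old`.

    Catches the patterns forced rotation tends to produce: the same password,
    the same stem with an incremented or appended number, and anything that
    differs by only a character or two (e.g. "Summer2023!" -> "Summer2024!").
    """
    if old == new:
        return True
    # Same stem once trailing digits are removed ("Password1" -> "Password2",
    # "Winter" -> "Winter1"); case-insensitive so "password" == "Password".
    if _stem(old).lower() == _stem(new).lower():
        return True
    # Generic near-duplicate check; 0.8 is an assumed threshold, tune per policy.
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= max_similarity


def validate_change(old: str, new: str, min_length: int = 12) -> list[str]:
    """Return a list of policy violations for a proposed change (empty = OK)."""
    problems = []
    if len(new) < min_length:
        problems.append(f"new password shorter than {min_length} characters")
    if is_trivial_rotation(old, new):
        problems.append("new password is a trivial variant of the old one")
    return problems


if __name__ == "__main__":
    # Constructed sample changes, the kind a 90-day rotation rule tends to produce.
    for old, new in [
        ("Password1", "Password2"),
        ("Summer2023!", "Summer2024!"),
        ("Password1", "correct horse battery staple"),
    ]:
        print(f"{old!r} -> {new!r}: {validate_change(old, new) or 'OK'}")
```

Rejecting the incremented variant only helps if users have a realistic alternative, which is why the password-manager and passphrase suggestions in the thread matter more than the rotation interval itself.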