The 90-120 day rotations are deeply insane. Spend 90 seconds in the personal locker area and you'll see Post-its with patterns because people can't recall their new passwords.

I recommend two years to my clients, and Yubikeys.

@jerry I haven't gotten around to a system that requires periodical change yet.

My main concern is the password I CANNOT use my password manager with (i.e. Windows login). Other than that, I'm fine with regular updates.

Now, I'm looking at two options:
1) using diceware (7-10 words) and changing that every 90 days
2) using some USB password manager that types in a huge part of the password and I type the rest, or some Arduino-based password autotyper

IMHO, like most things, it's down to the specific situation, environment and culture. Currently undergoing a review of our password policy, and the expiry timeframe is a point of contention for us. I am pushing for a spycloud.com sub w/ AD scanning, a lot of staff training and some form of password management for staff.

@jerry I hope that it is still an okay idea. I think that there is merit in having a standard to drive for (i.e. 16+ characters, rotations, complexity, MFA, etc.). Hopefully this can better help us strive for a more secure goal.

@synture I think it’s a great idea and we should move to it. My problem is that security thought leaders are running around saying password expiration is a bad idea and that is all people hear, and so disable password expiration without implementing any of the other guidance.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.