T
1

Rant: My team's password policy fight went from 'never enough' to 'too much' in 6 months

I oversee IT for a 30 person company in Austin, and we went from no password rotation to forced changes every 30 days. Now we get 3 times the support tickets from people locking themselves out. Is there actually a middle ground that keeps everyone happy?
2 comments

Log in to join the discussion

Log In
2 Comments
ben206
ben2069d ago
Ha, man I feel this in my bones. Our IT guy actually threatened to install one of those password generator apps on our phones and I pretended to lose my phone for a week. Now we're stuck at 90 day rotation and everyone still forgets their password the day after the email reminder goes out. Honestly the middle ground might just be accepting that nobody is happy and you're the villain either way.
7
margaret99
The 90 day rotation thing isn't actually best practice anymore, most security folks are moving away from it. NIST changed their guidelines a few years back saying frequent forced changes just make people write passwords on sticky notes or use simpler patterns. Longer less frequent rotations with a solid password manager tend to work better for everyone involved.
3