We make users change their passwords every 90d. And log them out of their devices once a week. I don’t think this adds any security at all. It just reduces productivity (IMO).
Not only does password rotation not add to security, it actually reduces it.
Assuming a perfect world where users are using long randomly generated strong passwords it’s a good idea and can increase security. However, humans are involved and it just means users change their passwords from “Charlie1” to “Charlie2” and it makes their passwords even easier to guess. Especially if you know how often the passwords change and roughly when someone was hired.
Ideally, your users just use a password manager and don’t know any of their credentials except for the one to access that password manager.
If they need to manually type them in, password length should be prioritized over almost any other condition. A full sentence makes a great unique password with tons of entropy that is easy to remember and hard to guess.
We make users change their passwords every 90d. And log them out of their devices once a week. I don’t think this adds any security at all. It just reduces productivity (IMO).
Not only does password rotation not add to security, it actually reduces it.
Assuming a perfect world where users are using long randomly generated strong passwords it’s a good idea and can increase security. However, humans are involved and it just means users change their passwords from “Charlie1” to “Charlie2” and it makes their passwords even easier to guess. Especially if you know how often the passwords change and roughly when someone was hired.
Ideally, your users just use a password manager and don’t know any of their credentials except for the one to access that password manager.
If they need to manually type them in, password length should be prioritized over almost any other condition. A full sentence makes a great unique password with tons of entropy that is easy to remember and hard to guess.
SSO with passwordless is the ideal world.
yubikey or similar phishing resistant mfa with biometric is the goal but smartphone number matching is a pretty good