This practice is not recommended anymore, yet it is still found in many enterprises.

  • ObsidianZed@lemmy.world (6 upvotes, 4 months ago)

    Agreed. At my last job, we were forced to change all service account passwords annually but our personal passwords every month or two.

    My current job has more domains and systems so I have so many more passwords with varying complexity and age requirements. I just set a calendar event for every four weeks (one expires just under 5 weeks) and change them all to the same generated password that meets all the common requirements and I save it in my password manager.

    So every four weeks, it’s seriously this hour+ long ritual for virtually no enhanced security reason.

    • ITGuyLevi@programming.dev (1 upvote, 4 months ago)

      Have you considered scripting it? For a while I worked at a place that required changing passwords every 60 days and it couldn’t have been one of your previous 24 passwords. When checking out the policy I noticed there was no minimum password age so a quick for loop later and Bob becomes your mother’s brother. Quickly cycling through 24 random passwords and back to my secure one and no more just adding the month/year.

      Of course I reported it to cyber and about a year later they added a minimum age, now I’m hoping to get them to address an issue in AD that sidesteps changing passwords (though that one may be around for a while).

      • ObsidianZed@lemmy.world (2 upvotes, 4 months ago)

        Unfortunately I don’t think that’s possible for my situation. Most of my passwords require logging into a portal and accepting terms of agreements.

        • ITGuyLevi@programming.dev (1 upvote, 4 months ago)

          Yeah, future me wonders why I even suggested it, I’m sure it probably violates the spirit of password change requirements.

          • ObsidianZed@lemmy.world (2 upvotes, 4 months ago)

            I mean it’s a clever solution for those without password managers. Plus most of the suggestions in these comments violate the spirit of password change requirements.
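
The policy gap reported in this thread (a 24-password history with no minimum password age) can be audited and watched for from the defender's side. The sketch below is an added example, not code from any commenter: the function names, the `(timestamp, account)` event shape and the sample accounts are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def policy_allows_cycling(history_len, min_age):
    """A password history only binds if a minimum age slows changes down."""
    return history_len > 0 and min_age <= timedelta(0)


def cycling_suspects(events, history_len, window=timedelta(hours=1)):
    """Map account -> peak number of password changes inside one window,
    for accounts whose peak is enough to flush a history of history_len."""
    by_account = defaultdict(list)
    for ts, account in events:
        by_account[account].append(ts)

    suspects = {}
    for account, stamps in by_account.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Shrink the window from the left until it spans <= `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= history_len:
            suspects[account] = peak
    return suspects


# Constructed sample: one account changes its password 25 times in two
# minutes, another changes it on a normal four-week schedule.
BASE = datetime(2024, 1, 8, 9, 0, 0)
SAMPLE_EVENTS = (
    [(BASE + timedelta(seconds=5 * i), "user-a") for i in range(25)]
    + [(BASE + timedelta(days=28 * i), "user-b") for i in range(3)]
)

if __name__ == "__main__":
    print("policy gap:", policy_allows_cycling(24, timedelta(0)))
    print("suspects:", cycling_suspects(SAMPLE_EVENTS, history_len=24))
```

In practice the events would come from whatever log records successful password changes in the environment; setting a non-zero minimum age, as the commenter says was eventually done, closes the gap at the policy level.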