We have three month password expiry policy on AD accounts, but the requirements aren't extreme. We'd do away with it, but then we have our own CEO writing their password down on a piece of paper and giving it to us to troubleshoot their laptop (we have admin accounts for a reason ffs), after being repeatedly told not to, forcing employees to rotate their passwords suddenly doesn't sound too crazy. People are just way too irresponsible sometimes. Plus, we need to have it for certifications, so there's that.
I would need to check (not in charge of it), but I do remember in the fat stack of guidelines we got there was the password policy of 90 days. However, the point still stands that some people have no digital hygiene and will write down and share their passwords in plain text for all to see even if we didn't enforce password expiry. Though in all honesty, there's no winning combination when so many don't truly give a shit about digital security. As long as they can flaunt a certificate.
The CEO at my last place used to forget his passwords at least once a week, would write them on Post-It notes on his desk (and lose them by day's end).
We had a dashboard that showed failed security and he was many, many times worse than the rest of the business combined. That man cost the business more in IT time than anyone.
This was a bank. Granted, a small lending-only bank but still, I would never get a mortgage or loan with these people.
They should have just put a Yubikey on his keys. He never lost those.
It's somehow always the guys in management/on top. On the first sign of inconvenience, they start complaining about all the security measures, because now it affects them personally, and they're not here to be managed! Security is for everyone else, but definitely not them. They're above it.
We have three month password expiry policy on AD accounts, but the requirements aren't extreme. We'd do away with it, but then we have our own CEO writing their password down on a piece of paper and giving it to us to troubleshoot their laptop (we have admin accounts for a reason ffs), after being repeatedly told not to, forcing employees to rotate their passwords suddenly doesn't sound too crazy. People are just way too irresponsible sometimes. Plus, we need to have it for certifications, so there's that.
Which certifications? NIST standards don't recommend regular rotations anymore.
Nist guidelines used to recommend rotation, and our security team would quickly point to it when people complained.
So of course we jumped on that and security team said "well nist are just guidelines and we go for more stringent requirements"...
I would need to check (not in charge of it), but I do remember in the fat stack of guidelines we got there was the password policy of 90 days. However, the point still stands that some people have no digital hygiene and will write down and share their passwords in plain text for all to see even if we didn't enforce password expiry. Though in all honesty, there's no winning combination when so many don't truly give a shit about digital security. As long as they can flaunt a certificate.
The CEO at my last place used to forget his passwords at least once a week, would write them on Post-It notes on his desk (and lose them by day's end).
We had a dashboard that showed failed security and he was many, many times worse than the rest of the business combined. That man cost the business more in IT time than anyone.
This was a bank. Granted, a small lending-only bank but still, I would never get a mortgage or loan with these people.
They should have just put a Yubikey on his keys. He never lost those.
It's somehow always the guys in management/on top. On the first sign of inconvenience, they start complaining about all the security measures, because now it affects them personally, and they're not here to be managed! Security is for everyone else, but definitely not them. They're above it.