Timed auto PW reset

Posted: Mon Oct 26, 2020 8:56 am
by carpenox
Is this possible? To have the user accounts ask for the PW to be changed on a certain time limit? 30 days, etc.

Re: Timed auto PW reset

Posted: Mon Oct 26, 2020 1:06 pm
by mflorell
That's not currently a feature, and the NIST recently (4 years ago) removed their recommendation for forcing changing of passwords on a timed basis because it actually has proven to make systems less secure. So, we probably wouldn't be adding it as a feature unless a client paid us to do so.
https://nakedsecurity.sophos.com/2016/0 ... d-to-know/

"No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily.

The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack."

Re: Timed auto PW reset

Posted: Mon Oct 26, 2020 2:49 pm
by carpenox
Ok thanks Matt.

-nox

Re: Timed auto PW reset

Posted: Fri Oct 30, 2020 7:08 pm
by williamconley
They left off one situation where it should be changed: Coworker fired for fraud or other malfeasance. Or if for any other reason you believe passwords may be shared among coworkers. If someone seems to have logged in to one system after they clocked out for the night, for instance, that should be a red flag and that person should be immediately locked out of all systems in some situations.

Re: Timed auto PW reset

Posted: Fri Oct 30, 2020 9:49 pm
by carpenox
Yea, but that's as easy as a manual trigger.