We've been using the same passwords and app access for a long time and I'm starting to wonder when we should be reviewing them. Should we check monthly, quarterly, or only when someone leaves? I'm looking for something that balances security with practicality.
6 Answers
For access control, we have a system in place where requests are made by business owners. We check sensitive systems quarterly and others once a year. An audit follows any role change to maintain control and traceability.
The frequency of reviews really depends on your organization's size and access needs. For us, we have a mix where we do:
- Standard accounts with complex passwords last a year
- Service account passwords rotate every 90 days unless they are non-security related, then we stretch it to 360 days.
- Privileged passwords rotate daily, and domain admin passwords rotate every 12 hours.
We conduct access reviews twice a year for user-facing services and monthly for critical service accesses, and we automate a lot of this.
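One way to turn a tiered schedule like the one in this answer into an automated check (added example, not code from the thread; the tier names, account records and dates are constructed assumptions):

```python
from datetime import datetime, timedelta

# Maximum password age per tier, following the schedule in the answer above:
# standard a year, service 90 days (360 when not security-related),
# privileged daily, domain admin every 12 hours.
MAX_PASSWORD_AGE = {
    "standard": timedelta(days=365),
    "service": timedelta(days=90),
    "service-nonsecurity": timedelta(days=360),
    "privileged": timedelta(days=1),
    "domain-admin": timedelta(hours=12),
}

# Maximum gap between access reviews: twice a year for user-facing, monthly for critical.
MAX_REVIEW_AGE = {
    "user-facing": timedelta(days=182),
    "critical": timedelta(days=30),
}

def overdue_items(accounts, now):
    """Return (name, item, age) for each password or access review that is
    older than its tier allows; `age` is a timedelta. Each account is a dict
    with keys name, tier, review_class, pw_changed and last_review."""
    findings = []
    for acct in accounts:
        pw_age = now - acct["pw_changed"]
        if pw_age > MAX_PASSWORD_AGE[acct["tier"]]:
            findings.append((acct["name"], "password", pw_age))
        review_age = now - acct["last_review"]
        if review_age > MAX_REVIEW_AGE[acct["review_class"]]:
            findings.append((acct["name"], "access-review", review_age))
    return findings

# Constructed sample data (hypothetical accounts and dates, not from the thread).
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE_ACCOUNTS = [
    {"name": "alice", "tier": "standard", "review_class": "user-facing",
     "pw_changed": datetime(2023, 9, 1), "last_review": datetime(2023, 11, 15)},
    {"name": "svc-backup", "tier": "service", "review_class": "critical",
     "pw_changed": datetime(2024, 2, 1), "last_review": datetime(2024, 5, 10)},
    {"name": "da-ops", "tier": "domain-admin", "review_class": "critical",
     "pw_changed": datetime(2024, 6, 1, 6, 0), "last_review": datetime(2024, 5, 15)},
    {"name": "svc-reports", "tier": "service-nonsecurity", "review_class": "user-facing",
     "pw_changed": datetime(2023, 7, 1), "last_review": datetime(2024, 1, 10)},
    {"name": "da-night", "tier": "domain-admin", "review_class": "critical",
     "pw_changed": datetime(2024, 5, 31, 22, 0), "last_review": datetime(2024, 5, 20)},
]

if __name__ == "__main__":
    for name, item, age in overdue_items(SAMPLE_ACCOUNTS, NOW):
        print(f"{name}: {item} overdue, age {age}")
```

Run on a schedule against your real directory export and route the findings to whoever owns the review queue; the domain-admin entry shows why the check needs hour granularity, not just days.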
Honestly, I'm not a fan of resetting passwords every few months. It often leads to weaker passwords. I'd recommend establishing a solid password policy instead. Make sure to enforce requirements like minimum character counts and complexity. After setting this up, users can reset passwords once and be prompted again only if there's a security breach. It’s also wise to set up additional security measures like MFA and limit access based on geography.
Yeah, when I had everyone change passwords, I told them we’d only need to do it again if situations changed. That really cut down on grumbling.
In my last job, they had a rule to update service account passwords every 3 days. It was intense but they eventually switched to CyberArk for better management, which handled password updates automatically every 12 hours.
Make sure you're also considering using a password manager. It can help users maintain longer, more secure passwords without them having to write anything down.
For the most part, it's recommended to review account access every quarter or at least twice a year. As for passwords, a 180-day change period is generally a good rule of thumb for applications.
Totally agree! Keeping a flexible policy is key, rather than sticking to a strict schedule.