I'm reaching out for some insights from fellow system administrators. We're in the process of implementing security recommendations from our security tools, and I wanted to focus on a few aspects of our password policy:
- **Minimum password length** should be set to '14 characters or more'.
- **Minimum password age** should be 'at least 1 day'.
- **Maximum password age** should be set to '60 days or fewer' but not 0.
Currently, our minimum password length is set to 10, so I can understand the need to increase it. However, both password age settings are currently at 0, and while we do have strong multi-factor authentication (MFA) and conditional access (CA) in place, I'm wondering if it's still advisable to enforce password rotation every so many days or if I can keep it at 0 without issue. Additionally, I'd love to hear what password lengths you all have set in your policies and whether changing the minimum length would trigger immediate password resets.
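As an added example (not from the original question or any of the replies), the following PowerShell audits the Active Directory default domain password policy against the three thresholds quoted above and previews who would be affected before the settings are applied. It assumes a domain-joined host with the RSAT ActiveDirectory module and an account permitted to read the policy (and, for the apply step, to change it); the function names and the 14/1/60 defaults are the example's own choices.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

function Test-PasswordPolicyBaseline {
    # Compare the default domain policy with the recommended thresholds and
    # return a findings object; an empty Findings list means compliant.
    param(
        [int]$MinLength  = 14,   # "14 characters or more"
        [int]$MinAgeDays = 1,    # "at least 1 day"
        [int]$MaxAgeDays = 60    # "60 days or fewer but not 0"
    )
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); baseline wants $MinLength or more."
    }
    if ($policy.MinPasswordAge.TotalDays -lt $MinAgeDays) {
        $findings += "MinPasswordAge is $($policy.MinPasswordAge.TotalDays) day(s); baseline wants at least $MinAgeDays."
    }
    # A MaxPasswordAge of zero means 'passwords never expire', which the
    # baseline rejects; anything above the ceiling is also a finding.
    if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $policy.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
        $findings += "MaxPasswordAge is $($policy.MaxPasswordAge.TotalDays) day(s); baseline wants 1-$MaxAgeDays."
    }

    [pscustomobject]@{
        Domain    = $policy.DistinguishedName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

function Get-UsersExpiredByMaxAge {
    # Preview step: enabled users whose password is already older than the
    # ceiling will be forced to change at next logon once MaxPasswordAge is
    # switched on from 0, so list them before applying the change.
    param([int]$MaxAgeDays = 60)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
               -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet
}

function Set-PasswordPolicyBaseline {
    # Apply the baseline. Run with -WhatIf first to see the change without
    # making it; the minimum length only takes effect when a password is next
    # set or changed, so raising it does not reset anyone by itself.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$MinLength  = 14,
        [int]$MinAgeDays = 1,
        [int]$MaxAgeDays = 60
    )
    $domain = (Get-ADDomain).DistinguishedName
    if ($PSCmdlet.ShouldProcess($domain, "Set password policy $MinLength/$MinAgeDays/$MaxAgeDays")) {
        Set-ADDefaultDomainPasswordPolicy -Identity $domain `
            -MinPasswordLength $MinLength `
            -MinPasswordAge (New-TimeSpan -Days $MinAgeDays) `
            -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays)
    }
}

# Typical sequence: audit, preview the blast radius, then apply.
Test-PasswordPolicyBaseline | Format-List
Get-UsersExpiredByMaxAge | Measure-Object | Select-Object Count
Set-PasswordPolicyBaseline -WhatIf
```

Two caveats worth keeping in mind when reading the output: fine-grained password policies (PSOs) override the default domain policy for the users they target, so `Get-ADUserResultantPasswordPolicy` is the right check for any specific account, and the preview function matters precisely because enabling a maximum age after it has been 0 is evaluated against each account's existing `PasswordLastSet`, not from the moment the policy changes.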
6 Answers
In my experience, having a password policy that requires a change every 60 days is a bit overkill, especially if you have good MFA and CA in place. A once-a-year password renewal along with a long password seems to work best for us!
If you've got solid MFA and CA measures, consider dropping the password expiration altogether. MFA is far more secure than just relying on passwords, and it reduces user frustration.
Recent guidelines from both NIST and Microsoft suggest that forcing password changes isn't necessary unless there's been a security breach. Users tend to just modify their passwords slightly if they change too often, which may not be effective. Keeping a password long (at least 14 characters) but memorable is a smart approach—think of using a combination of words!
Agreed. It's all about balance; a strong password that's easy to remember is far better than a short, complex one.
Setting the minimum password age to 1 day can be tricky because it limits how often users can change their passwords—essentially only once a day. This could make supporting users a bit cumbersome if they need frequent changes. Microsoft discusses the impact of minimum password age and its effectiveness in reducing password reuse in their documentation, which might be worth checking out!
Using long and unique passwords along with a password manager is key. Hardware authentication can also significantly boost security, making passwords just one layer of defense!
I just keep it simple: 14 characters with no expiration—it's straightforward and secure.

Absolutely! Frequent changes can lead to users reusing old passwords or just adding a number at the end.