We've been using the same passwords and app access for a long time now. I'm trying to figure out how frequently we should review these—should it be monthly, quarterly, or only when someone leaves the company? I'm looking for suggestions that strike a balance between being realistic and maintaining security.
5 Answers
At my last job, we had strict rules in place. Service accounts needed updates within three days whenever someone departed. Eventually, they used CyberArk to automate password changes every 12 hours for these accounts.
I believe that forcing password resets every few months can lead to weaker passwords. Instead, I'd suggest setting up a solid password policy that requires complexity and character minimums. After that, you can let employees keep their passwords unless there's a security incident, at which point they can change them. Also, consider implementing conditional access for added security and enforce multi-factor authentication for non-managed devices.
That sounds like a smart way to handle it! When I suggested changes, my team was more receptive when I explained that resets wouldn't be regular but would happen if we detected any security changes.
The frequency of reviews really depends on your organization's size and the type of access you have. In our large organization, we perform the following:
- Standard accounts update passwords annually with complex passwords.
- Service accounts change every 90 days, or even 360 days if they're less critical.
- We rotate privileged passwords daily for engineers and have tighter security for domain admins with 12-hour password changes.
- Access reviews for user services occur semi-annually, while critical services get monthly reviews, all automated!
Using a password manager can help a lot, especially with the use of long and complex passwords. It reduces the likelihood of them getting written down or forgotten, which is something to consider!
It's generally recommended to review account access quarterly or even semi-annually. As for passwords, aim to change them every 180 days, but it's good to evaluate based on the sensitivity of the accounts involved.
Exactly! NIST supports this approach, and it seems to encourage better security without constant password changes.
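The tiered cadences described in the answers above (annual for standard accounts, 90 days for service accounts, daily for privileged accounts, semi-annual or monthly access reviews, and rotation within three days of an owner leaving) are easy to drift from unless something checks them. The script below is an added example, not code from any of the posters or from a particular product: it keeps the intervals in a small policy table and reports which accounts in a constructed inventory are overdue for a rotation, an access review, or a departure-triggered rotation. The tier names, the `Account` fields and the sample data are this example's own assumptions.

```python
"""Tiered password-rotation and access-review checker (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Intervals in days per tier. The numbers follow the cadences given in the
# answers above; the tier names and this table's layout are assumptions.
POLICY = {
    "standard":   {"password_max_age": 365, "access_review_every": 180},
    "service":    {"password_max_age": 90,  "access_review_every": 180},
    "privileged": {"password_max_age": 1,   "access_review_every": 30},
}

# Event-driven rule: a secret whose owner has left must be rotated within
# this many days of the departure, regardless of the tier's normal cadence.
DEPARTURE_GRACE_DAYS = 3

# Fixed "today" so the report is reproducible (constructed value).
AS_OF = date(2024, 6, 10)


@dataclass
class Account:
    name: str
    tier: str
    last_password_change: date
    last_access_review: date
    owner_departed_on: Optional[date] = None  # set when the owner leaves


def findings_for(acct: Account, today: date) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for everything overdue on one account."""
    rules = POLICY[acct.tier]
    out: List[Tuple[str, str]] = []

    # Time-based rotation check against the tier's maximum password age.
    pw_age = (today - acct.last_password_change).days
    if pw_age > rules["password_max_age"]:
        out.append((acct.name,
                    f"password {pw_age}d old, max {rules['password_max_age']}d"))

    # Periodic access review check against the tier's review interval.
    review_age = (today - acct.last_access_review).days
    if review_age > rules["access_review_every"]:
        out.append((acct.name,
                    f"access review {review_age}d ago, "
                    f"due every {rules['access_review_every']}d"))

    # Event-driven check: owner departed and the secret was not rotated
    # after the departure within the grace period.
    if (acct.owner_departed_on is not None
            and acct.last_password_change < acct.owner_departed_on):
        deadline = acct.owner_departed_on + timedelta(days=DEPARTURE_GRACE_DAYS)
        if today > deadline:
            out.append((acct.name,
                        f"owner left {acct.owner_departed_on}, "
                        f"not rotated by {deadline}"))
    return out


def overdue_report(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Flatten per-account findings into one list for the whole inventory."""
    report: List[Tuple[str, str]] = []
    for acct in accounts:
        report.extend(findings_for(acct, today))
    return report


# Constructed sample inventory (not real accounts).
SAMPLE = [
    Account("alice", "standard", date(2024, 1, 10), date(2024, 3, 1)),
    Account("svc-backup", "service", date(2024, 2, 1), date(2024, 1, 15),
            owner_departed_on=date(2024, 5, 1)),
    Account("da-break-glass", "privileged", date(2024, 6, 1), date(2024, 5, 20)),
    Account("svc-ci", "service", date(2024, 5, 15), date(2024, 5, 1)),
]

if __name__ == "__main__":
    for name, reason in overdue_report(SAMPLE, AS_OF):
        print(f"{name}: {reason}")
```

Run as-is, the report flags `svc-backup` twice (password older than 90 days, and not rotated within three days of its owner leaving) and `da-break-glass` once (daily rotation missed), while `alice` and `svc-ci` are clean. Feeding it a real inventory export and scheduling it daily turns the cadences in the answers into something that is actually enforced rather than remembered.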