That security conference in Chicago changed how I think about password policies

I went to this regional cybersecurity meetup in Chicago a few months back, and a guy from a local bank got up and said something that really bothered me. He claimed their 90-day password rotation policy was the gold standard, and everyone nodded along like that was the smartest thing ever. But here's the thing - my pest control business had the same rule for years, and it just made people write passwords on sticky notes or use simple patterns like "Summer2024!" So I actually stopped enforcing forced rotations for my employees about a year ago. Instead we switched to requiring 12-character passphrases like "bluefrogeatsgravel" and only reset if there's a suspected breach. It's been way less frustrating for everyone, and we haven't had a single account issue since the change. Has anyone else stopped forced password rotations and seen better results?
3 comments

val_williams
NIST actually backed this up a few years ago; they said forced rotations make things worse. Your passphrase approach is way smarter than forcing people into bad habits. More companies need to drop the old rules and wake up to real security.
1
the_emery 4d ago
Did you catch that one study from a security conference last year where they showed that mandatory rotation actually made people write their passwords on sticky notes? That's the real problem right there. People just cycle through shit like "Spring2024" to "Fall2024" and call it a day. Passphrases make way more sense (like "correct horse battery staple" vibes) because they're easier to remember but harder to guess. The old rules were designed for a time when nobody had a password manager in their pocket. Glad to see companies finally catching up to what actual users have been saying for years.
1
adam_patel
Man, I was at this small company a few years back where the IT guy made everyone change passwords every 30 days. Saw a spreadsheet on someone's desk with like 40 passwords going back years. Spring2022, Summer2022, Fall2022. @val_williams hit the nail on the head about NIST backing that up. One dude just had "Password1" through "Password12" on a sticky note under his keyboard.
2
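The policy the thread converges on (a 12-character floor, no calendar expiry, and no rotation-style patterns like "Summer2024!" or "Password12") can be written down as a checker. This is an added example, not code from the original poster or anyone in the thread; the regexes, the `stem` helper and the sample passwords are my own constructions.

```python
import re

MIN_LENGTH = 12  # the length floor the original post settled on

# Rotation-driven patterns named in the thread, e.g. "Summer2024!" or "Fall2024"
SEASON_YEAR = re.compile(
    r"^(?:spring|summer|fall|autumn|winter)\d{2,4}[^\w]*$", re.IGNORECASE
)
# A word plus a small counter, e.g. "Password1" ... "Password12"
WORD_COUNTER = re.compile(r"^[a-z]{4,}\d{1,2}[^\w]*$", re.IGNORECASE)


def stem(password: str) -> str:
    """Lower-case the password with any trailing digits/symbols stripped,
    so "Password11" and "Password12" collapse to the same stem."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def check_password(candidate: str, previous=()) -> list:
    """Return the policy violations for `candidate` (empty list = accepted).

    `previous` holds the account's earlier passwords (constructed input here);
    the stem check catches the "just bump the number" habit the comments
    describe without needing any time-based expiry rule at all.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if SEASON_YEAR.match(candidate):
        problems.append("season+year pattern")
    if WORD_COUNTER.match(candidate):
        problems.append("word+counter pattern")
    if any(stem(candidate) == stem(old) for old in previous):
        problems.append("reuses the stem of an earlier password")
    return problems


if __name__ == "__main__":
    # Constructed samples drawn from the patterns mentioned in the thread.
    history = ("Password11", "Summer2023!")
    for pw in ("bluefrogeatsgravel", "Summer2024!", "Password12", "Fall2024"):
        verdict = check_password(pw, history) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```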