Users forced to change password?

jasoncrcsd
Contributor II

So yesterday we had many, many calls from users complaining they were forced to reset their passwords. We have them set to expire at 180 days, but it's unlikely that all of these users happened to have changed their password exactly 180 days ago. Could something have caused this?


Kim_Nilsson
Admin Moderator

First the obligatory comment that you should stop doing that. Nobody should change a proper and not compromised password. Ever.

--
https://wheretofind.me/@NoSubstitute

Yes, I know. I've tried fighting that battle, trust me. But I have a boss and... well, you all know. I've even sent them the research so they know it's not just me saying that.

Not arguing, but curious why a proper and not-compromised account should not change their password?

Kelly,

Probability math. A strong password is just as likely to be brute-forced five minutes after it's created as it would be after six months. It's also why lottery or other gambling numbers are never "due."

So why needlessly annoy users? It makes them more resistant to valid security requests.


Mark Loundy (He, Him, His)

Instructional Technology Specialist
De Vargas Elementary School
Ignited Fellow
Google Certified Educator

Because a good password can't be hacked (within reasonable time = hundreds/thousands of years), only leaked (compromised).

That means there is almost no security risk keeping a good password "forever".

Also, when forcing password changes, users keep making their passwords less secure, or have them on a post-it on their desk or directly on the computer. This is what all research shows, and exactly why NIST not only changed their policy, but outright says to avoid forced changes, unless compromised.

--
https://wheretofind.me/@NoSubstitute

Dave_Burek
New Contributor III

I agree with Kim. But, we run into the same issues with Cyber Insurance and our Financial Auditors requiring it.

Yeah, for us too.

That is where you have to put your foot down. They are wrong, and need to be told so, or they will keep recommending/forcing bad practice forever.

--
https://wheretofind.me/@NoSubstitute

jasoncrcsd
Contributor II

Now today I have sub accounts prompting, and those accounts do not have a password expiration date. Something is wrong in Google, but they say nothing.

That is strange, but afaik, you are so far the only one reporting the issue.

--
https://wheretofind.me/@NoSubstitute

Yeah, it could be. It's not really as big an issue as they are making it.

Thanks

alexgrutza
Contributor III

I will say that NIST (if you're in the USA) doesn't even recommend password changes anymore in their guidelines and Microsoft hasn't in at least a decade or more. We've gone away from password changes unless we get notified of compromised accounts. Luckily our insurance as far as I'm aware doesn't have a clause around this.

I'd have to agree and also disagree with Kim, because if the Insurance is dictating this, do you have a say? We can suggest things, but at the end of the day it's the Insurance that is going to be paying out based on their contract. It could also be that if you don't comply and change passwords every X days, the premiums may go up substantially, which organizations (especially edu/nonprofits) cannot afford.

It's hard enough to find a Cyber Insurance provider as EDU is especially targeted. Our previous Cyber Insurer exited the EDU market completely and dropped all schools because Edu caused them to pay out so much money.

--
CISSP | LinkedIn | @Phyxiis

For what it's worth, our Auditors (not Cyber Security Insurance co) were requiring password changes until I took the time to point out to them that it was a dated practice.

I shared some of the resources on new best practices, and the following year they had removed the requirement.

So it may be worth trying if you haven't.

But yeah, I certainly wouldn't count on getting them to change.

Changing a strong, un-compromised password is bad practice, and may actually increase the odds of bad password habits. BUT - the reality is that most places/people still don't realize that their password HAS been compromised until it's too late. So I can still see the logic in just taking the old-school "hammer" approach.