• mkwt@lemmy.world
    link
    fedilink
    arrow-up
    89
    ·
    2 months ago

    Current IT best practice is that passwords should never expire on a set schedule, but they should expire if there is evidence they’ve been breached.

    • Miles O'Brien@startrek.website
      link
      fedilink
      English
      arrow-up
      19
      ·
      2 months ago

      Legit, my old job required a 90-day change, and I once logged into a system I could do monetary damage on with ease, because I took a guess at my manager’s password based on how long it had been since he told it to me during an emergency.

      He did what every single person I spoke to did. “password 01” changed to “password 02” and I just tried twice, and sure enough he had changed it three times since he had told me.

      While I wouldn’t be ruining the company as a whole, I could have easily fucked over the individual location because scheduled password changes just ensure people use predictable passwords.