588
submitted 3 months ago* (last edited 3 months ago) by cron@feddit.org to c/cybersecuritymemes@lemmy.world

This practice is not recommended anymore, yet still found in many enterprises.

you are viewing a single comment's thread
view the rest of the comments
[-] esc27@lemmy.world 2 points 2 months ago

Overtime people will slip up and leak their passwords. Maybe they accidentally log in with it in the username field (causing it to get logged), leave it on a forgotten postit note, share it with a spouse, used it for a 3rd party service, wore a pattern into their keyboard, etc. None of those are that big of a deal or all that common, but added up with enough time and people and the risk accumulates. A infrequent but regular password reset helps to mitigate that risk.

Regular password resets can also help to prevent password reuse. Suppose someone uses their work password for netflix, then work requires a password change. How likely are they to manually sync the netflix password back to match the one they use for work?

Of course there are much better ways to mitigate risk. E.g. multifactor authentication. But a major security principal is defense in depth, and I think reasonably infrequent (e.g. no more than once per year) password resets have a place in that.

This goes for physical keys as well. If it is your house and you are certain no one untrustworthy has your key, then fine. But for a larger org with multiple people and turnover. Sooner or later keys will get lost, misplaced, etc. Rekeying the locks (maybe every 5 years, maybe every 25 years) has merit.

this post was submitted on 20 Aug 2024
588 points (98.8% liked)

Cybersecurity - Memes

1893 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS