I don’t support user passwords at all… even if I do this for half a year, many people start choosing passwords according to a pattern after 2/3 times, for example adding sequence numbers to a good password or at least a hard password. This is the biggest danger to me.
Because the only advantage of allowing it to expire is that secretly leaked passwords are no longer valid. But if the leaked password contains a pattern, the new password will be found quickly. Thus you make changing the password a less effective method against already leaked passwords, if you encourage these kinds of patterns.
If you don’t have an expiration policy, but only force a password change when there are signs of password leaks, the password change procedure is probably more efficient. You may be more at risk of secretly leaking passwords, but in most cases you will pick up cues from them fairly quickly.
Admin passwords are a different story; you’re spinning it anyway, but there you can get a better password policy with generated passwords.
[Comment edited by ZinloosGeweldig on 14 October 2022 20:08]