
Then you've already failed by not having a plan to disable accounts.


I haven't failed anything. I am not an IT pro.

Also it's not just for the account of the terminated person, but for any passwords the terminated person has 'learned' whilst employed.


Again, if your corp doesn't have a policy for off-boarding employees and removing their access, then you've failed. If your corp doesn't have a policy of not having shared accounts, then you've failed... If you are forced to have shared accounts, then you need to have in your off-boarding policy that anyone who had access (which was on a purely need-to-know basis), once off-boarded, would trigger that password change.

The point being that what you are seeing as benefits of password expiration are better achieved with proper policies that management and HR operate under... While password expiration may in some ways help you achieve your goal in a lazy manner, it also opens you to ALL your employees using weaker passwords and giving you way more attack points than the off chance that someone decides to not follow the policies you established above.

Also none of those policies require an "IT pro" ... implementing them might, but understanding the goal of the policy and putting them into place is something any good management team should be able to accomplish.


I agree with you in principle, but it is also important to remember that policy != practice. For a policy against shared accounts, for example, there is no reasonable way to guarantee that Employee A has not given his password to Fired Employee B.


If you are compromised in that manner ("Employee A has not given his password to Fired Employee B.") then no password policy is going to save you.

Also remember passwords are only ONE part of your security armour, they aren't the entire suit.




