Dealing with User Passwords

How is everyone handling the management of users’ passwords? Currently, we keep a record of everyone’s passwords for support reasons, but I know the security concern that provides. Is anyone using any type of self-service software like Netwrix or ManageEngine?


I don’t manage passwords. They are forced to change every 120 days and can’t use a duplicate without waiting 8 times. In the rare instance I need to log in as a user, I ask for their password directly or change it to something temporary in their absence.

I actually submitted a 10-talk idea related to this.

We only force a password change once a year (if it were my call alone, it would be never, per current NIST guidelines).

The main password requirement is that it not be on a wordlist of sorts. Specifically I grabbed the HIBP database so if it’s been seen in a breach, it’s disallowed. This goes at the domain controller level, so we can’t set passwords manually that violate this policy, either (without disabling this feature first).

We intentionally do NOT store user passwords anywhere, and do not permit sticky notes on computers, or passwords written down in public areas. If it’s something we need to log in as a user for, we should either be there with the user, or worst case we can reset their password and change it back later.
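The breach-list screening described in this post, as an added example that is not the poster's setup or any product's code: a small Python password filter that checks a candidate against a local copy of the HIBP Pwned Passwords list (SHA-1 variant; the two entries below are constructed samples in that file's layout), using the same 5-character hash-prefix split as HIBP's k-anonymity range API, with a minimum length of 8 per NIST SP 800-63B and no composition or expiry rules.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample in the layout of the HIBP Pwned Passwords SHA-1 file:
# one "<UPPERCASE SHA-1>:<times seen>" entry per line. The counts here are
# made up; a real deployment loads the full downloaded file (or the NTLM
# variant when filtering on a domain controller).
SAMPLE_PWNED_FILE = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7C4A8D09CA3762AF61E59520943DC26494F8941B:23597311
"""

def load_pwned_index(text: str) -> Dict[str, Dict[str, int]]:
    """Index entries by the 5-hex-char prefix HIBP's range API keys on.

    index[prefix][suffix] = count, so the lookup below behaves exactly like
    a k-anonymity range query answered from the local dump.
    """
    index: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, count = line.strip().split(":")
        digest = digest.upper()
        index.setdefault(digest[:5], {})[digest[5:]] = int(count)
    return index

def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Return how often the password appears in the breach corpus (0 = unseen)."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    # In a live range query only `prefix` leaves the host; the suffix match
    # is always done locally, which is what keeps the password private.
    return index.get(prefix, {}).get(suffix, 0)

def validate_password(password: str, index: Dict[str, Dict[str, int]],
                      min_length: int = 8) -> Tuple[bool, str]:
    """Minimum length plus breach screening; nothing else is enforced."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, index)
    if seen:
        return False, f"seen {seen} times in known breaches"
    return True, "ok"

if __name__ == "__main__":
    idx = load_pwned_index(SAMPLE_PWNED_FILE)
    for candidate in ("password", "123456", "correct horse battery staple"):
        print(candidate, "->", validate_password(candidate, idx))
```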

We change passwords every 180 days. I’ve been contemplating moving to pass phrases and eliminating the need for password changes. I’m seeing this often in many circles.

We implemented multi-factor through Office 365 and we are using Azure Directory Connect and we also enabled password write back (requires licenses…we got the 50 free and bought the balance) so users can use Office 365 to reset and change their passwords if need be. Enabling password write back through Office 365 has been really helpful for our Mac users to make password changes easier.

Our policy is no record of any user passwords, we never request user passwords, and we tell everybody never to share their user passwords. If we absolutely had to get unattended access to a user profile (which is super rare) then we reset their password then let them set it back after the fact. Otherwise, we follow the newer guidelines (NIST/Microsoft/etc) about implementing MFA and not changing passwords unless conditional access indicates a likely breach of a password via suspicious login attempts.

Here is a good read about password expiration.

https://www.sans.org/security-awareness-training/blog/time-password-expiration-die

Thanks everyone for their input! This gives me some good information about how we should be managing this.

Thanks for the information.