Security: Need help with statement, password should be complex to xxxxx standards?

Queue Member Posts: 174
Hello,

I have received a request from our security team to create accounts using "password should be complex to "x" standards."

Would you take this as make it our standard reset password, or to make it more complex than our standard reset password and for it to be different?

Password will be set to never expire so this will be the password for the duration of the account.

This is just a quick question if anyone can provide guidance as it is after hours here at the moment.


Thanks

Comments

  • TheFORCE Senior Member Member Posts: 2,298
    Usually when you receive a request like that it means that someone has identified a lack of control in your password policy or that, even though your password policy might exist, no one is following it correctly. Meaning, you have a policy that specifically calls for passwords to be complex but the Helpdesk for some reason resets the passwords to simple passwords. Someone from your security team picked up on this and now they are telling you that passwords need to follow the policy and not whatever everyone on the Helpdesk wants.
  • kiki162 Member Posts: 635
    Unless you are subject to compliance requirements I'd revise that statement. Say something like "passwords will be complex using x characters".
  • Queue Member Posts: 174
    In Active Directory we have a minimum length requirement, password history, and password complexity. If resetting a user's AD password we use the same password and have "User must change password at next logon" checked. These specific accounts for vendors will have the password set to never expire, thus not able to change at next logon. Would a security administrator expect me to use our go-to standard for password resets or to make a unique password for these few accounts that follows our policy?
  • jeremywatts2005 CySA,S+,A+,N+Cloud+,MSDFS,MSMISSM Member Posts: 346
  • Queue Member Posts: 174
    I was able to get in touch through email and provided an answer. Thank you all for the help. The answer was for me to randomly generate passwords per our policy.
  • TheFORCE Senior Member Member Posts: 2,298
    Never use the same password when resetting accounts and never set password never expires for vendor accounts. You are asking for a finding with that statement. Only service accounts should have password never expire and even those accounts should be changed periodically.
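
The resolution reported in the thread (randomly generated passwords per policy, one per account rather than a shared reset value) could be scripted as follows. This is an added example, not code from any poster: the minimum length of 20, the symbol set, and all function names are assumptions, and the checks are modeled on Active Directory's complexity setting (three of four character classes, account name not contained in the password).

```python
import secrets
import string

# Assumed policy values; substitute the domain's real settings.
MIN_LENGTH = 20
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}
ALPHABET = "".join(CLASSES.values())


def meets_policy(password, account_name, min_length=MIN_LENGTH):
    """Check length, 3-of-4 character classes, and account name not embedded."""
    if len(password) < min_length:
        return False
    classes_used = sum(
        any(ch in chars for ch in password) for chars in CLASSES.values()
    )
    if classes_used < 3:
        return False
    # The AD complexity filter rejects a password containing the account name;
    # the check is case-insensitive and skipped for names under 3 characters.
    if len(account_name) > 2 and account_name.lower() in password.lower():
        return False
    return True


def generate_password(account_name, length=MIN_LENGTH):
    """Draw candidates from the OS CSPRNG until one satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the policy minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, account_name):
            return candidate


def generate_for_accounts(account_names, length=MIN_LENGTH):
    """Return one independently generated password per account."""
    return {name: generate_password(name, length) for name in account_names}
```

Generated values should go straight into a password vault or be handed to the vendor over an agreed secure channel, not written to logs or tickets.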