Timeline for Password change frequency for technical accounts
Current License: CC BY-SA 4.0
Post Revisions
16 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Feb 21, 2025 at 13:19 | answer | added | schroeder♦ | timeline score: 2 | |
| Feb 21, 2025 at 6:23 | history | edited | serv-inc | CC BY-SA 4.0 | as of https://www.rfc-editor.org/rfc/rfc2119 |
| Feb 20, 2025 at 16:43 | comment | added | JimmyJames | "and has thus been discouraged e.g. by NIST" NIST has made it a requirement: "verifiers and CSPs SHALL NOT require users to change passwords periodically." It's an instruction, not a recommendation as discussed here. | |
| Feb 19, 2025 at 16:41 | comment | added | serv-inc | by ip, dns cname, etc, all yields the same problem. getting it working, that's what i'm telling them as well... | |
| Feb 19, 2025 at 13:09 | answer | added | Toby Speight | timeline score: 8 | |
| Feb 19, 2025 at 12:44 | comment | added | grawity | then that means neither TLS nor Kerberos are working as they should – did you connect to the server's official hostname or fqdn, or to its IP address, or to some kind of alias (like DNS CNAME)? if you have dedicated IT security people, they really ought to get this working... | |
| Feb 19, 2025 at 12:22 | comment | added | serv-inc | @grawity: I received a "identity of host computer could not be verified" message. | |
| Feb 19, 2025 at 12:06 | comment | added | grawity | RDP doesn't need certificates in a working Active Directory environment as it uses Kerberos to authenticate the host. (Though it certainly wouldn't hurt to have valid ones, e.g. from the company's internal CA, but not mandatory.) | |
| Feb 19, 2025 at 10:58 | comment | added | serv-inc | @grawity: the script to do this stopped working (timed out, probably firewall), which prompted this question. IT security advised to use RDP, but the certificate did not validate | |
| Feb 19, 2025 at 9:45 | comment | added | grawity | Do you change service passwords via the ctrl-alt-del dialogue? I would rather suggest automating it via LDAP operations (or via kpasswd from WSL)... | |
| Feb 18, 2025 at 16:56 | comment | added | Gh0stFish | Something to bear in mind is that these types of passwords are often shared (or at least accessible) by multiple people. So even if you're not doing periodic changes, at a minimum they should be changed whenever someone who had access to them leaves or changes role. | |
| Feb 18, 2025 at 14:03 | history | became hot network question | |||
| Feb 18, 2025 at 11:03 | vote | accept | serv-inc | ||
| Feb 18, 2025 at 9:49 | answer | added | Greg Askew | timeline score: 10 | |
| Feb 18, 2025 at 6:39 | comment | added | Steffen Ullrich | If and how often a password, access token, certificate or other kind of authentication needs to be changed depends on how strong they are against guessing and brute-forcing and how well they are protected - including protection at client site, transit and server. It also might depend on the impact a leaked credential might have. Because of this there is no general rule covering all use cases, if and how often these credentials should be changed. | |
| Feb 18, 2025 at 5:50 | history | asked | serv-inc | CC BY-SA 4.0 |