Question


    Optimal Password Prompt Frequency

    by gilberto.fernandezgr ·

    Hello! I’m currently working on an app development project for a company. As part of our security measures, I’m researching best practices for determining how frequently the app should prompt users to enter their passwords.

    Do you have any references or guidelines that could help inform this decision?


All Answers


      No.

      by rproffitt ·

      In reply to Optimal Password Prompt Frequency

      At one job it was changed monthly. As most of us couldn’t remember it, we all would write it down somewhere.

      “In fact, many experts believe forced, arbitrary password expiration actually does more harm than good.”

      If you want to make your security worse, make the passwords expire faster!


        Have to agree with this

        by Wizard57M-TR ·

        In reply to No.

        I once worked for a large company that had forced password changes monthly, or every 6 weeks at maximum. To top that off, the passwords were always some 20-plus characters, including upper/lower case, special characters, numbers, symbols... no way any user could remember them!
        So, the solution used by almost all employees was to take a screenshot of your new password, then print it out on the printer, fold it up, and carry it in your pocket/purse/backpack, etc. The other solution, used by others, was to have someone with the access to issue a new password to you, which would then be screenshotted and brought to you, on an almost daily basis. All of this hassle and employee inconvenience for practically no benefit to anyone. The primary threats always seemed to come from outside the company via network intrusion attempts. Corporate-level people were also targeted more often via spam/phishing attempts, primarily because they were the ones who exempted themselves from the strict password policies!
