Outsourced IT provider here:
90% of businesses have basically zero IT security. Leaked passwords in regular use and no process or verification for password resets. As soon as someone complains that 2FA or password rotation is difficult it gets dropped. Virtually all company data is stored on USB keys, plaintext hard drives and on staff’s personal home devices.
The reason they’re not constantly having their data stolen is because no-one cares about the companies either.
Isn’t password rotation a horrible practice because it makes people use passwords like “MyNewPassword15” since it’s the 15th password reset they’ve been forced to do?
password rotation is generally not considered a “best practice” but not doing something because it’s not a best practice is only a good strategy if you’re actually going to follow the best practices. password rotation is less effective than a good password manager and long randomly generated passwords that are unique to each site. requiring passwords be rotated can be an impediment to using strong unique passwords, which is why it’s not a good practice.
but a freshly rotated “MyNewPassword15” is a million times better than your password being “password”, or being the same thing you use on every sketchy website whose database has been breached a dozen times.
Password rotation for your “emergency” system account (the one that shouldn’t be root) still needs to be rotated every time someone with access leaves or changes job roles.
We have a custom backend website I have to log in for my work. You don’t have to use a password, just an email address. The only “security” is it’s on a weird URL that people wouldn’t likely know if they weren’t given it.
Which might explain why medium sized companies that are not completely clean-nosed are happy to run Windows 10 with all its spyware elements running unregulated.
It’s also terrible in the government sector, which is why the NSA’s huge database on US internet traffic is accessible to rivals like Russia, Iran and China.
