11

For convenience and security I find password rotation requirements harmful. Our SOC 2 auditor seems to still require them. Does SOC 2 actually require password rotation in 2020? I would think (hope) meeting NIST password guidelines and TOTP MFA should be more than enough.

Meir Maor

1 Answer

21

SOC 2 Type 2 does not have specific technical requirements. What you have to do is to satisfy your assessor.

And if your company cannot satisfy your assessor, then there is a mechanism called "management response" where the company gets to explain away the findings from the assessor.

And if your assessor is 4 years behind in their understanding of best practices in this area, then perhaps you need to find a new assessor ...

schroeder
  • [15] Password Rotation is one of the worst ideas that people still think is legitimately useful. I can't even count how often I have seen `` as password. Or `` which keeps incrementing by one every few months. –  Apr 14 '20 at 12:42
  • [3] @MechMK1 if the password is automatically generated and submitted, it's actually a great idea. I mean, products exist that change passwords for accounts just after the password is used. It has its place, but just not with *people*. – schroeder Apr 14 '20 at 15:08
  • [8] @MechMK1 at my first job we required rotation. My password was Password1, Password2, Password3..., Password9, Password1. Then I realized that you could change your password as frequently as you liked, so every 60 days I ran a Python script that changed my password 9 times. – Wayne Werner Apr 14 '20 at 15:54
  • [4] Our proxy (squid) also used basic authentication *over http*, so I treated my password as public knowledge. – Wayne Werner Apr 14 '20 at 15:55
  • [2] @MechMK1 But is a wonderful way to keep track of how long you have been at the company! – JiK Apr 15 '20 at 09:30
  • [1] @JiK To me, `` is the most beautiful representation of how users defeat a "security measure". Users want to keep their password, the system wants them to change their password. As a result, users find a way to "change" a password without actually changing it. –  Apr 15 '20 at 10:19
  • [1] _"Password Rotation is one of the worst ideas that people still think is legitimately useful"_ Too true. Now if I could just convince the auditors for our PCI-DSS certification of that... – Adam Apr 15 '20 at 10:32
  • @Adam that's stated explicitly in the standard. If you want to get the auditor to overlook that, you are going to have a bad time :) – schroeder Apr 15 '20 at 10:50
  • Yeah, sorry, badly phrased. It's not the auditor's fault. The standard is bad there. Still a pain, since it means we have to enforce the policy. – Adam Apr 15 '20 at 11:40
  • Tools that rotate passwords are great for shared accounts where you can reasonably manage access to those accounts along with the accounts themselves. For individual accounts, it's not practical because of the simple problem: how do you get to the system to retrieve your password if you can't log in until you have your password? The latest NIST guidance is the way to go: a relatively long, complex password that doesn't change unless you become aware of intrusion. No-one should have direct access to PCI-DSS systems using their individual accounts, so the guidance is actually correct. – Lazarus Nov 18 '20 at 07:58
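The NIST guidance the last comment refers to (SP 800-63B: minimum length, screening against compromised-password lists, no composition rules, and a change forced only on evidence of compromise rather than on age) can be expressed as a small policy check. The following is an added example written for this page; it is not code from any of the posters, and the `BLOCKLIST` set, the `_stem` suffix-stripping heuristic and the 90-day figure in the legacy comparison are constructed assumptions, not part of the standard. The suffix check is there because the thread's `Password1`, `Password2`, ... pattern is exactly what a plain "differs from the previous password" rule fails to catch; it can only run at change time, when the user has just supplied the current password.

```python
import unicodedata

# Constructed stand-in for a breached/common-password corpus. A real deployment
# screens against a large list (e.g. a Have I Been Pwned download), not six words.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 64   # SP 800-63B: verifier must accept at least 64 characters


def _normalize(pw: str) -> str:
    # NFKC normalization so visually identical Unicode strings compare equal
    return unicodedata.normalize("NFKC", pw)


def _stem(pw: str) -> str:
    # Heuristic (assumption): drop a trailing run of digits/symbols so that
    # "Password1" and "Password2" collapse to the same stem "password".
    return _normalize(pw).rstrip("0123456789!@#$%^&*.?").lower()


def check_new_password(candidate, old_password=None, context_words=()):
    """Return a list of rejection reasons; an empty list means accepted.

    Deliberately no character-class composition rules and no expiry-driven
    logic, in line with SP 800-63B section 5.1.1.2. `old_password` is the
    cleartext the user just supplied on the change form, if any.
    """
    pw = _normalize(candidate)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    if pw.lower() in BLOCKLIST:
        reasons.append("found in compromised/common password list")
    for word in context_words:  # e.g. company name, username
        if word.lower() in pw.lower():
            reasons.append("contains context-specific word %r" % word)
    if old_password is not None and _stem(old_password) == _stem(pw):
        reasons.append("differs from previous password only by a numeric/symbol suffix")
    return reasons


def rotation_required(last_changed_days_ago, compromise_reported):
    """Compare a legacy age-based policy with the SP 800-63B rule.

    Returns (legacy_decision, nist_decision). The legacy policy forces a change
    every 90 days (constructed figure) or on compromise; the NIST rule forces a
    change only when there is evidence the secret was compromised.
    """
    legacy = last_changed_days_ago >= 90 or compromise_reported
    nist = bool(compromise_reported)
    return legacy, nist


if __name__ == "__main__":
    for old, new in [("Password1", "Password2"), ("Password1", "correct horse battery")]:
        print(old, "->", new, check_new_password(new, old_password=old) or "accepted")
    print("120 days, no compromise:", rotation_required(120, False))
    print("10 days, compromise reported:", rotation_required(10, True))
```

The stem comparison is the one piece of state the check needs beyond the blocklist, and it needs it only transiently: nothing here requires keeping old passwords in any recoverable form, which is the usual objection to history checks that go deeper than "not identical to the last one".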