9

I'm simply wondering when you should set a user account so that the password never expires. On what accounts is this a good idea?

Ben Pilbrow
Charkel
    When it's mine. Seriously, nothing is as annoying as sitting down with your head full of ideas and then being forced to think of stupid sentences that let you memorize your new password. I do understand the rationale behind the policy and parts of my brain agree that passwords should be changed regularly and that computers are good at enforcing this and everything, but ... :) – Simon Richter Mar 10 '11 at 17:40
  • @Simon Richter I'm not sure I do understand the rationale behind the policy. Forcing users to change their passwords regularly doesn't make anything more secure (if somebody has unauthorised access to your old password without your knowledge, they could reapply whatever technique to get your new password, it's likely to be of comparable strength). It leads to more users making physical notes of their passwords, or using systems where the new password is predictable, especially for accounts that are used infrequently. Better to advise than to enforce, the user should take the responsibility. – Lee Kowalkowski Mar 10 '11 at 23:20
  • The majority of people are going to write down their passwords regardless of any expiry policy, and a note that has been merely "lost" is not a reason to change one's password, as the note must be in a safe place, etc. Forcing people to use a new password every so often will at least invalidate all those passwords on old and forgotten post-its. – Simon Richter Mar 11 '11 at 01:28
  • I really have no understanding of how forcing users to change their passwords is supposed to help. Do users like to reveal their old passwords after a while? I guess it helps if the attacker wants to lie low for a while before launching an attack, but that seems like a small unlikely gain. – rjmunro Mar 11 '11 at 22:21

5 Answers

20

The one place I can see it being justified is on service accounts. Typically you don't want a service account password to simply expire which could cause all the processes that account runs to fail. Interactive user accounts should always have passwords follow the password policy.

You have to make sure if you do set service accounts to not expire that you have good processes around querying these accounts and making sure you manually reset the passwords at some interval. There are compliance standards in a lot of industries that will mandate all account passwords get changed at some specific interval.

BoxerBucks
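A defender-side check for the process this answer recommends (query which accounts have non-expiring passwords and confirm they are still being rotated by hand). This is an added PowerShell example, not code from the answer; it assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day interval borrowed from the other answers on this page.

```powershell
# Added example, not code from the original answers: audit the Active Directory
# accounts flagged "Password Never Expires" and report how stale each password is.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
# The 90-day threshold is an assumption taken from the rotation interval
# mentioned elsewhere on this page; adjust it to your own policy.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90
$Now = Get-Date

# Enabled accounts only: disabled ones are a separate clean-up problem.
$Accounts = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, ServicePrincipalName, MemberOf, LastLogonDate

$Report = foreach ($u in $Accounts) {
    # PasswordLastSet is $null when "change at next logon" is set; treat the age as unknown.
    $ageDays = if ($u.PasswordLastSet) { [int]($Now - $u.PasswordLastSet).TotalDays } else { $null }

    # A registered SPN is a reasonable (not perfect) hint that this really is a service account.
    $hasSpn = $u.ServicePrincipalName.Count -gt 0

    # Group DNs look like "CN=Domain Admins,CN=Users,DC=example,DC=com".
    $privileged = @($u.MemberOf | Where-Object {
        $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators),'
    }).Count

    $reasons = @()
    if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) {
        $reasons += "password older than $MaxPasswordAgeDays days; rotate manually"
    }
    if (-not $hasSpn)      { $reasons += 'no SPN; may be an interactive user rather than a service' }
    if ($privileged -gt 0) { $reasons += 'member of a privileged group' }

    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        PasswordAgeDays  = $ageDays
        HasSPN           = $hasSpn
        PrivilegedGroups = $privileged
        LastLogonDate    = $u.LastLogonDate
        Finding          = ($reasons -join '; ')
    }
}

# Oldest passwords first (unknown ages sort to the bottom), so the accounts most
# overdue for a manual reset sit at the top of the list.
$Report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path .\never-expires-audit.csv -NoTypeInformation
```

Running this on a schedule and diffing the CSV against the previous run turns the "manual reset at some interval" advice into something you can actually verify.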
8

Automated scripts may use it (I've run into issues on systems where scheduled tasks were failing silently because the owner's password had expired). Obviously this was for non-internet-facing services.

Coops
3

Service/utility accounts.

Chopper3
0

The only time we use the "Password Never Expires" option is on service accounts. We use a system outside of Active Directory to provision AD user accounts, and part of it forces users to change their password every 90 days. If the option isn't checked, it's been known to lock out accounts and break stuff at 2am when the script runs.

0

The main one is service accounts, as previously mentioned; however, another option is for accounts that may have a very low risk profile combined with an infrequent usage profile - for example, an account which is logged into once a year and gives read-only access to some non-critical data. If it had password expiry, the user would either write down the password or use the helpdesk for a password reset every time.

It isn't best practice, but if the risk is low it might just be the right thing to do in this example.

Rory Alsop