Fine Grained Password Policies

Just need some clarification on something:
If the last time anyone reset their password was 60+ days ago, and I wanted to force everyone to reset their password tomorrow or Friday, then if I set maximum password age to say 14 days, does it take it as 14 days from when I enable the new maximum password age, or from when each user last reset their password?

I imagine it's the latter, so I can just enable that with a lower limit and everyone will have to change their password when they next log in... then I can change it back before the 14 days are up?

Thanks
 
The latter. There's a timestamp on each account with password last set date/time and the policy evaluates against that.
 
If you want to force everyone then you can simply mass (or even individually) select all your users in AD and tick the "user must change password at next logon".
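Added example, not part of any post in this thread: a PowerShell preview of what the two replies above describe, reporting each user's outcome under a proposed maximum password age from the account's own password-last-set timestamp, with an optional switch to set the change-at-next-logon flag instead. The OU path, the parameter names and the 14-day default are assumptions; it needs the ActiveDirectory (RSAT) module.

```powershell
#Requires -Modules ActiveDirectory
# Added example. The OU path and the 14-day figure are assumptions; adjust for your domain.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=local',  # placeholder OU
    [int]$ProposedMaxAgeDays = 14,
    [switch]$FlagForChange   # set "User must change password at next logon" instead
)

$now   = Get-Date
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
             -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    # Age is measured from the account's own timestamp, not from the policy change.
    $ageDays = if ($u.PasswordLastSet) { [math]::Floor(($now - $u.PasswordLastSet).TotalDays) }

    $outcome = if ($u.PasswordNeverExpires) {
        'Exempt: password never expires'
    } elseif (-not $u.PasswordLastSet) {
        'Already flagged: must change at next logon'   # pwdLastSet = 0
    } elseif ($ageDays -ge $ProposedMaxAgeDays) {
        'Expired as soon as the new maximum age applies'
    } else {
        "Valid for about $($ProposedMaxAgeDays - $ageDays) more day(s)"
    }

    [pscustomobject]@{
        User            = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        AgeDays         = $ageDays
        Outcome         = $outcome
    }
}
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize

if ($FlagForChange) {
    # The alternative from the reply: flag accounts directly and leave the policy alone.
    # Skip "never expires" accounts, which cannot also carry the change-at-logon flag.
    $users | Where-Object { -not $_.PasswordNeverExpires } |
        Set-ADUser -ChangePasswordAtLogon $true   # run with -WhatIf first to preview
}
```

Where fine-grained password policies are in use, the maximum age that actually governs a given user is the one reported by Get-ADUserResultantPasswordPolicy, falling back to the default domain policy when no fine-grained policy applies.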
 
Making users change the password may not be a good thing.

Providing you're enforcing a complex password policy, research shows that forcing users to change password often promotes bad habits, like writing it down, storing it somewhere insecure, simply adding numbers on the end etc.
 
If you want to force everyone then you can simply mass (or even individually) select all your users in AD and tick the "user must change password at next logon".

That would have made a lot more sense! derp. Cheers

Oh well, I've done it the other way now, I'll do that next time :p ..... we don't believe the whole "reset every 90 days" thing helps security, as it invites people to start writing their passwords down or doing other various insecure password techniques, so we do it once every 12 months. (Read an interesting article on that a few months back, I think it concluded that about 6-9 months or something was the ideal time span for password changes)

Making users change the password may not be a good thing.

Providing you're enforcing a complex password policy, research shows that forcing users to change password often promotes bad habits, like writing it down, storing it somewhere insecure, simply adding numbers on the end etc.

haha, hadn't refreshed the page to see your response, see above^ :D It's a school so we're standardising on a reset at the start of September every year now. (complexity enabled and 8 characters minimum, I wanted 10 but I got moaned at by management...)
 