I’ve finally been able to convey the benefits of having passwords changed every few months or so to the executives, and then in turn they’ve explained the benefits to the managers, but I’m pretty sure it stops there. This is how 10 of 15 calls went this morning:
Me: Hello, how can I help you?
User: It says to change my password.
Me: So change your password. You can either log out then log back in, or press Ctrl + Alt + Del and change it that way.
User: This is so dumb, why do I have to change my password every few months?
Me: The security benefits it provides are…
User: Well, it’s dumb.
More of a rant, but how does everyone else make it smoother for users to go from a lazy, insecure environment to a more involved but more secure environment after they have spent 30+ years doing the same thing each day? All I’m trying to do is employ more secure practices, and then users talk at me like I’m stupid and just want to make their lives hell.
16 Spice ups
glomo
(The Glorious Morris)
2
“Because, it is industry standard practice, and while you may think it is dumb, there are a lot of trained security professionals who would disagree with you”
You get to call THEM dumb, without calling them dumb. 
9 Spice ups
Security training and education from the end users’ manager is the only way to get this monkey off your back.
When you’re not the messenger, they’re less likely to grief you.
Cheers and Good Luck!
Andre
1 Spice up
nelsonsa
(Nelson9480)
4
Did no one think to send several emails over the course of several weeks to all the end users who would be affected? No mentions in any team meetings?
Our password policy is 60 days - they should be lucky we give them 60 days. Some places give only 30. Even with the complexity requirements. Passwords are pathetically poor here still.
My biggest complaint is users with Outlook accounts on their phones. As soon as the password change flag hits and ActiveSync tries to access the mailbox, boom, the user locks themselves out by entering the wrong password.
2 Spice ups
Oh yeah, we included all the managers in the conversations between tech and the executives, then went to each of the managers for approval and to answer any questions they had. I was specifically told, “Any training will be done by the managers,” so I’m just really confused how I get to be the bad guy lol
maxsec
(maxsec)
8
Variable to change passwd every X months: people just cycle passwds (mypass1, mypass2, mypass3, back to mypass1).
Even GCHQ says it’s not a hard and fast thing here…
2 Spice ups
A little over a year ago we went with a compromise and a lie. We started with a majority of accounts having ‘no expire’ set by the previous IT. The compromise: we went to a 6-month password reset requirement policy and sold the story that the default Microsoft made is 90 days but the outside security audit gurus wanted 30 days (the lie), and I told them no, it just won’t work for our users (champion and hero for the users!). Any time anyone asked, I’d sell them the compromise and the lie.
I put together a PowerShell script to email everyone 14 days before their password expires with their accounts and the services the password affects, the complexity requirements, and instructions on how to reset their passwords. After some feedback that the email looked fake, I added my ugly mug holding up a sign saying “Change your password”, which got a fevered response that they could trust the message as legitimate. Password resets started happening 7+ days before expiration.
I started removing ‘no expire’ on all lower supervisor and user accounts and reset their last-changed times so the scripts would take care of them. This caught a lot of the greener staff who had come on in the last year and just thought it was a normal thing to change passwords every 6 months. This kind of created a dogma or norm that passwords need to be changed, so that when higher-ups got caught in the password change sweeps and mentioned something, their direct reports would comment, “Oh yeah, I’ve had to change mine, it said every 6 months”.
Then I moved to removing ‘no expire’ on all the middle management, then VP and up, then reset their last password changed times. The scripts swept them up soon enough, and since I had already smoothed out the alert email format, they were comfortable with the change.
Since the policy shift, I get an occasional call about helping someone change their password; these are usually people who are fearful of breaking a computer, and also the kind who are afraid of breaking a company-owned sledgehammer. The other call I get is “I reset my password Friday and forgot it, help!” That is a completely understandable problem, and of course we help reset it again. No problem.
6 Spice ups
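The post above describes the expiry-reminder script only in outline. The following is an added example, written for this thread and not the poster’s own script, of how such a reminder can be built on Active Directory: it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, skips accounts that never expire, and mails the account name, affected services, complexity rules and reset steps to anyone whose password expires within the warning window. The SMTP relay, sender address, service list and complexity text are placeholders to replace with your own; the ActiveDirectory RSAT module and read access to user objects are assumed.

```powershell
# Added example (not the poster's script): warn AD users whose password expires within N days.
# Assumptions (not from the thread): the ActiveDirectory RSAT module is installed, the
# script runs as an account that can read user objects, and the SMTP relay, sender
# address, service list and complexity text below are placeholders to replace.
param(
    [int]$WarnDays      = 14,
    [string]$SmtpServer = 'smtp.example.local',      # placeholder
    [string]$From       = 'helpdesk@example.local',  # placeholder
    [switch]$DryRun                                  # report only, send nothing
)

Import-Module ActiveDirectory -ErrorAction Stop

# msDS-UserPasswordExpiryTimeComputed is a constructed AD attribute holding the expiry
# instant as a Windows FILETIME. Accounts that never expire report the sentinel
# 0x7FFFFFFFFFFFFFFF (or 0), which [datetime]::FromFileTime cannot convert.
$NeverExpires = [int64]0x7FFFFFFFFFFFFFFF

$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties DisplayName, EmailAddress, 'msDS-UserPasswordExpiryTimeComputed'

$now    = Get-Date
$cutoff = $now.AddDays($WarnDays)
$queued = @()

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $raw -or $raw -eq $NeverExpires) { continue }   # nothing to warn about
    if (-not $u.EmailAddress) { continue }                    # nowhere to send the warning

    $expires = [datetime]::FromFileTime($raw)
    if ($expires -lt $now -or $expires -gt $cutoff) { continue }  # already expired, or not due yet

    $daysLeft = [math]::Ceiling(($expires - $now).TotalDays)
    $queued += [pscustomobject]@{
        User = $u.SamAccountName; Email = $u.EmailAddress; Expires = $expires; DaysLeft = $daysLeft
    }

    # Plain text and no links to click: the reset happens at the keyboard (Ctrl+Alt+Del),
    # which keeps the reminder from looking like a phishing lure.
    $body = @"
Hello $($u.DisplayName),

The password for your account $($u.SamAccountName) expires on $($expires.ToString('dddd, d MMMM yyyy')) ($daysLeft day(s) from now).
This password is also used for: e-mail, VPN and the file shares. (placeholder list: edit for your environment)

Requirements: at least 12 characters, with upper and lower case letters, a digit and a symbol, and not one of your previous passwords. (placeholder: state your own policy)

How to change it: press Ctrl + Alt + Del on your workstation and choose "Change a password".
If you are working remotely, connect to the VPN first so the change reaches the domain.

Questions: contact the helpdesk at $From.
"@

    if ($DryRun) {
        Write-Host ("[dry-run] would mail {0} ({1}), expires {2:u}, {3} day(s) left" -f `
            $u.SamAccountName, $u.EmailAddress, $expires, $daysLeft)
        continue
    }

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.EmailAddress `
        -Subject "Your network password expires in $daysLeft day(s)" -Body $body
}

# Summary for the admin running the script (or for the scheduled task log).
$queued | Sort-Object Expires |
    Format-Table User, Email, @{n='Expires'; e={ $_.Expires.ToString('yyyy-MM-dd') }}, DaysLeft -AutoSize
```

Run it once with `-DryRun` to see who would be mailed before scheduling it as a daily task; the dry-run table also shows which accounts the expiry sweep described in the post will catch after ‘no expire’ is removed and the last-changed time is reset.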
mike6536
(Mightymike23)
10
Just send them that every time they ask: “Why?”
2 Spice ups
corey901
(Corey901)
11
You should start out the conversation with something like this…
“Please be aware we are recording this conversation to accurately get feedback to management”
Or just direct them to management: “Sorry, I don’t make the policy, I just enforce it. Talk to your manager about your concerns.”
That might cut down on the complaining.
1 Spice up
cjnc
(C_J)
12
We enacted a password expiration policy at my company this year for the first time ever. When anyone asks why we need to do it, I just tell them the honest truth…
“The Board of Directors said we have to.”
1 Spice up
Never enter a battle of wits with an unarmed person.
Do not give the users an explanation just tell them it is company policy and everyone has to make the same adjustments.
1 Spice up
mg36572
(mgarner101)
14
Your internal policy should dictate why and when to change passwords. Point the users to that. If they have an issue with it, have them take it up with your manager or HR. What industry are you in BTW?
fman
(fcman)
16
The problem is, and it is in the eyes of uneducated users:
My Gmail, eBay, Amazon and anything else does not require me to change my password every whatever days. Why do I have to change my password?
Moreover, we all agree there are a few users in any organization who are better off if they never need to change their password, for they end up calling the helpdesk every time, or it is just a pain to deal with them. Whether we let these people go as an exception is a different matter. Some people are just not good at coming up with brand new passwords; just keep it this way.
Personally I find it hard to understand why it is so difficult to do so, but after all these years I gave up on these people, and I couldn’t care less if they write down their passwords just to keep track of them. It really is not my problem.
My go-to answer has been:
“Passwords have to change to meet security standards.”
And if they continue to complain:
“That’s just how it is and you’re gonna have to deal with it.”
User: “I don’t want to change my password.”
Me: “I don’t want to pay my taxes, but there ya’ go.”
1 Spice up
lenparker
(brokensyntax)
19
But your Gmail, eBay, Amazon, etc. all do recommend regular password changes, and complex/long password usage, in the initial sign-up/EULA and their FAQs.
Most corporate users end up just incrementing as there is no requirement on degree of difference. (Because thanks to the way hashing algorithms work, there is no method to securely test for the degree of difference between passwords, as any such test would in itself, be an attack vector.)
Due to this, it is important that passwords be cycled regularly as it means a smaller dataset between each password change against which someone could capture data and attempt to find the password.
Honestly, I don’t care if my users change their passwords or not. As long as they sign off accepting full responsibility for any and all security, privacy, or data related breaches in the company, and the C-Suite signs witness.
This is the direction my company has taken just this week: 20-character-long passphrases that never expire. Yay for us!!!