À quelle fréquence devez-vous changer vos mots de passe ? Conseils IAM

1 Pourquoi changer les mots de passe ?

La modification des mots de passe peut aider à empêcher l’accès non autorisé à vos comptes et à vos ressources, en particulier si vos mots de passe sont compromis par l’hameçonnage, les logiciels malveillants, les violations ou d’autres attaques. En changeant régulièrement vos mots de passe, vous pouvez limiter l’exposition et les dommages d’un mot de passe volé, et rendre plus difficile pour les attaquants de deviner ou de déchiffrer vos mots de passe. La modification des mots de passe peut également vous aider à vous conformer aux normes réglementaires ou organisationnelles qui exigent l’expiration des mots de passe.

Ajoutez votre point de vue

Pradeep Rao

Director and Chief Architect @ Kyndryl || Peer Community Ambassador @ Gartner || Top Voice @ LinkedIn
Signaler la contribution
The primary rationale behind regular password changes lies in enhancing our organization's cybersecurity posture. Proactively changing passwords serves as a fundamental defense mechanism against evolving threats such as phishing, malware, and data breaches. By doing so, we minimize the risk of unauthorized access, limit potential damage, and align with regulatory and organizational standards. This practice is essential to staying ahead of cyber threats and safeguarding our digital assets.

Texte traduit

J’aime

Inutile
Manas Chaturvedi

Assistant Manager | KPMG | Digital Trust | CISM(Q) | CISA(Q) l CCSK | CC(Q) | CCSFP | AWS CCP
Signaler la contribution
The security best practices to be followed for an organisation will depend on various factors such as organization's culture ( risk averse or prone) , industry operating in, regulatory requirements etc. Basis these factors, the security baseline and best practices are defined. Similarly there's no fixed frequency of changing password as that as well depends on above mentioned factors. However some of the prevalent practices organisation follow are - 1. Password to be changed on first logon and same is communicated by a secure means. 2. Password are set to expire defined intervals. 3. Password to be changed incase of any incident or if there's doubt of leak or compromise. 4. If someone with knowledge of shared password leaves the firm etc.

Texte traduit

J’aime

Inutile
Julie Chatman, MBA, CISM, CIO, CISO

Cybersecurity Strategy | Digital Risk | Cyber Risk & Resilience | Technology Transformation | Information Security | AI | CISO | CIO | Healthcare | Navy Veteran | FBI Alum | McKinsey Alum | Chief Member | Board service
Signaler la contribution
Password change rules should be based on to: -regulatory requirements -information sensitivity -organizational risk appetite ⚠️ Seen in the wild: Frequent password change requirements can lead to users writing passwords down

Texte traduit

J’aime

Inutile
Santosh Tripathi
Signaler la contribution
The frequency at which IAM (Identity and Access Management) policies should require users to change passwords depends on various factors, including organizational security requirements, industry regulations and risk tolerance. However, here are some general guidelines: 1. Set password change intervals at 45 to 60 days for a balance between security and usability. 2. Consider more frequent changes for privileged accounts and sensitive data access. 3. Ensure compliance with regulations like PCI DSS or HIPAA regarding password change requirements. 4. Adapt policies based on user behavior and emerging threats to maintain a strong security posture.

Texte traduit

J’aime

Inutile
Óscar T.

Identity and Access Management Expert I Security Delivery Lead @ Kyndryl I CyberSecurity Professional
Signaler la contribution
Mi recomendación es si puede ir hacia sistemas sin contraseña. Algunos proveedores por ejemplo Microsoft ya ofrece soluciones sin contraseñas tanto para usuarios como para cuentas de servicio (GMSA). Si necesita contraseñas, al menos debe asegurarse de combinarlas con otros sistemas como MFA, sistemas biométricos y sobre todo cambiarlas de forma regular, esto evitará compromisos de identidad y reducirá el tiempo que un atacante puede preparar su compromiso. Contra menos tiempo los atacantes dispongan de identidades menos elaborado será el ataque.

Texte traduit

J’aime

Inutile

Charger plus de contributions

2 Pourquoi ne pas changer les mots de passe ?

Changer les mots de passe trop fréquemment peut également présenter certains inconvénients, tels que la réduction de la productivité des utilisateurs, l’augmentation des coûts d’assistance et l’encouragement de mauvaises habitudes en matière de mots de passe. Les utilisateurs peuvent avoir du mal à se souvenir ou à gérer plusieurs mots de passe qui changent souvent, et avoir recours à les écrire, à les réutiliser ou à choisir des mots de passe faibles ou prévisibles. Cela peut aller à l’encontre de l’objectif de la modification des mots de passe et augmenter le risque de compromission. De plus, la modification des mots de passe peut ne pas être efficace contre certains types d’attaques, telles que les enregistreurs de frappe, le détournement de session ou le bourrage d’identifiants.

Ajoutez votre point de vue

Sandeep Deswal

20K+ followers | CCSP | Life Long Learner | Multi Cloud Security Architect | M365 | Cloud Security | CSPM | Zero Trust | CNAPP | CIEM | DevSecOps | DevOps | Kubernetes | BCDR | Enterprise Architecture | CyberArk
Signaler la contribution
Go for passwordless if possible and password change depend on types/tiers of accounts. There is one specific NIST document which talks about password best practices.

Texte traduit

J’aime

Inutile
Adrian O.

AiSP Validated Information Security Professional (AVIP) | CISSP | ELISHA Graduate
Signaler la contribution
Increased burden on users: Frequent changes can be inconvenient and lead users to choose weaker, easier-to-remember passwords that defeat the purpose. Limited effectiveness: Studies have shown mandatory changes don't significantly improve security compared to focusing on strong password creation and other measures. Risk of password reuse: Users may simply cycle through variations of the same password, negating the security benefit.

Texte traduit

J’aime

Inutile
Ganesh Unavane
Signaler la contribution
Encourage users to change their passwords regularly, typically every 60 to 90 days, to reduce the risk of unauthorized access. This is a tried and tested approach Enforce a strong password policy that includes requirements for length, complexity Educating users on creating strong passwords, recognizing phishing attempts, and understanding the importance of password security.

Texte traduit

J’aime

Inutile
Óscar T.

Identity and Access Management Expert I Security Delivery Lead @ Kyndryl I CyberSecurity Professional
Signaler la contribution
La seguridad es una balanza que se invierte normalmente con la productividad. Los sistemas mas seguros suelen ser complejos y requerir mas tiempo para realizar operaciones, no obstante el beneficio de evitar un incidente de seguridad es muy alto y compensa los inconvenientes de los usuarios. Todo sistema bajo contraseña debe cambiarse de forma recurrente, si a sus usuarios les genera problemas puede adquirir productos que auto generen las contraseñas y sobre todo asegúrese que sus usuarios almacenan esas contraseñas en repositorios seguros, un VAULT de un sistema cifrado es una buena opción. Evite en la medida de lo posible ficheros keepass que pueden ser copiados y vendidos en darkweb.

Texte traduit

J’aime

Inutile
Lachlan Christie-Adams

Cyber Security Analyst | S+ | A+ | CC
(modifié)
Signaler la contribution
Changing passwords too often may diminish user productivity, escalate support costs, and foster poor password habits. Users struggling to remember or manage frequent password changes might resort to risky behaviours like writing them down or using weak passwords, undermining the very purpose of the policy. Moreover, frequent password changes might not effectively counter certain attack vectors such as keyloggers, session hijacking, or credential stuffing.

Texte traduit

J’aime

Inutile

Charger plus de contributions

3 À quelle fréquence faut-il changer les mots de passe ?

Il n’y a pas de réponse unique à la question de savoir à quelle fréquence vous devez changer vos mots de passe ; Cela dépend de la sensibilité et de la valeur de vos données, du paysage des menaces et du niveau de risque, de la force et de la complexité du mot de passe, des méthodes et mécanismes d’authentification, ainsi que de l’expérience et du comportement de l’utilisateur. Toutefois, certains principes généraux et recommandations peuvent vous aider à déterminer une fréquence raisonnable pour vos stratégies IAM. Par exemple, les mots de passe doivent être changés au moins une fois par an ou plus souvent si vous soupçonnez ou détectez une compromission ou si vous utilisez le même mot de passe pour plusieurs comptes. Les mots de passe doivent également être longs et aléatoires, en évitant les informations courantes ou personnelles telles que les noms, les dates ou les mots. Pour assurer la sécurité, utilisez un gestionnaire ou un générateur de mots de passe pour créer et stocker des mots de passe. Authentification multifacteur (AMF) Il est également recommandé d’ajouter une couche de sécurité supplémentaire au processus de connexion ; Cela peut réduire le besoin de changer fréquemment de mot de passe, car il est plus difficile pour les attaquants d’accéder aux comptes avec un simple mot de passe. Enfin, éduquez les utilisateurs sur la façon de créer et de gérer leurs mots de passe en toute sécurité, sur la façon de reconnaître les attaques de phishing et sur les avantages de changer leurs mots de passe. Fournissez également des instructions et des commentaires clairs aux utilisateurs.

Ajoutez votre point de vue

Ahmed Nabil Mahmoud, MVP, CCISO, CISSP, CISM

Information Security & Technology Director helping Organizations in Secure digital transformation | MBA | MSc Business Information Technology | Award Winner | Global Speaker | PMP | ISO 27001 LI/LA | CCISO Advisory Board
Signaler la contribution
In my experience, the main factors to determine frequency will depend on environment maturity, regulatory mandates and industry specific best practices. For sure we cannot rely on passwords only but rather MFA and Biometric login nowadays are becoming defacto.

Texte traduit

J’aime

Inutile
Festus Oriaku

Cyber Security Architect || Threat Hunter || Security+ || CEH || CTIA || ITIL || CC || CAP || CNSP || C3SA || QCS || CTM || 8x Microsoft Certified || 2x ISO/IEC || Application Security Engineer
Signaler la contribution
The frequency of password changes in IAM policies should strike a balance between security and usability, tailored to the organization's risk tolerance and security requirements. While periodic changes are important to mitigate the risk of unauthorized access, excessively frequent changes can impact user experience without significantly enhancing security. It's crucial to reassess IAM policies regularly, considering factors such as data sensitivity, likelihood of password compromise, and effectiveness of other security measures, to ensure alignment with evolving threats and industry best practices.

Texte traduit

J’aime

Inutile
Nitin Sharma

Cyber Security Architect | Security Enthusiast & Advisor| Mentor| International Customer Success(iCSU) Microsoft, EMEA
Signaler la contribution
The goal of requiring regular password changes is to minimize the risk of unauthorized access due to compromised credentials. However, organizations should balance security requirements with user convenience and usability, as overly frequent password changes can lead to user frustration and potentially weaken security if users resort to predictable or easily guessable passwords.

Texte traduit

J’aime

Inutile
Eduardo Díaz Rodríguez

SR Cloud Solution Architect for Security & Infra for Partners
Signaler la contribution
One every year or 2 years is the best if you use 2FA and one password manager with a hardware key, change the password with more frequency only increase the possibility to forget it

Texte traduit

J’aime

Inutile
Óscar T.

Identity and Access Management Expert I Security Delivery Lead @ Kyndryl I CyberSecurity Professional
Signaler la contribution
En mi experiencia las contraseñas de usuarios deben cambiarse entre los 30 y 45 días. Las contraseñas de cuentas de servicio o tareas programadas deberían cambiarse una o dos veces al año. Y las contraseñas de cuentas compartidas deberían cambiarse tras cada uso.

Texte traduit

J’aime

Inutile

Charger plus de contributions

4 Comment appliquer les politiques de mot de passe ?

Pour appliquer des stratégies de mot de passe qui obligent les utilisateurs à modifier régulièrement leur mot de passe, vous devez utiliser des outils et des systèmes IAM qui vous permettent de définir et d’appliquer des règles et des normes de mot de passe à l’ensemble de vos comptes et ressources. Par exemple, vous pouvez utiliser un logiciel ou des services IAM qui vous permettent de définir des dates d’expiration de mot de passe, des exigences de complexité, des restrictions d’historique et des paramètres de notification. Vous pouvez également utiliser des plates-formes ou des frameworks IAM qui s’intègrent à vos applications et systèmes existants, et fournissent une gestion et une application centralisées et cohérentes des mots de passe.

Ajoutez votre point de vue

Adrian O.

AiSP Validated Information Security Professional (AVIP) | CISSP | ELISHA Graduate
Signaler la contribution
IAM Password Policy settings: Use AWS IAM's built-in policy settings to: Define minimum password length, character diversity, and prohibited patterns. Allow users to change passwords (optional). Set password history to prevent reuse. IAM Identity Provider: Leverage features like password expiration and complexity requirements. MFA: Implement multi-factor authentication for an extra security layer. Education and awareness: Train users on password hygiene and best practices.

Texte traduit

J’aime

Inutile
Lachlan Christie-Adams

Cyber Security Analyst | S+ | A+ | CC
Signaler la contribution
To implement periodic password changes, utilize IAM software or services enabling customization of password expiration dates, complexity standards, history restrictions, and notification settings. Choose IAM platforms or frameworks that seamlessly integrate with existing applications and systems, ensuring centralized and consistent password management. This integrated approach not only enhances security but also streamlines the enforcement process.

Texte traduit

J’aime

Inutile
Ashish Kumar

IT Infrastructure and Security Consultant @ Sprintechies | Data Science | Python, SQL
Signaler la contribution
Enforce password complexity rules that require a minimum length and a mix of uppercase, lowercase, numeric, and symbolic characters. This makes passwords harder to crack or guess by brute force or dictionary attacks. Allow users to change their own passwords, but also monitor and audit password changes for any suspicious activity. This gives users more control and convenience over their passwords, but also allows administrators to detect and respond to any potential breaches.

Texte traduit

J’aime

Inutile
Juan Carlos Pascual CISA, CISM, CSSLP

CISO Capgemini CIS Spain
Signaler la contribution
IAM software always has a policy module where you can implement the behavior of the system when a password is old or weak. Please, use it and educate your users. It is no costly and it will give you very good outcomes.

Texte traduit

J’aime

Inutile
Óscar T.

Identity and Access Management Expert I Security Delivery Lead @ Kyndryl I CyberSecurity Professional
Signaler la contribution
Intente integrar en un mismo sistema sus cuentas y evitar tener diferentes repositorios, de esta forma podrá unificar políticas y criterios. Por ejemplo puede federar servicios con SAML y de esa forma autenticar muchas aplicaciones con Azure AD/Entra o integrar sistemas en Active Directory. Para sistemas no Windows IDM de redhat es una buena opción.

Texte traduit

J’aime

Inutile

5 Comment surveiller et examiner les politiques de mots de passe ?

Pour vous assurer que vos politiques de mots de passe sont efficaces et appropriées, vous devez surveiller et évaluer régulièrement leur impact et leurs performances. Vous pouvez utiliser des mesures et des rapports IAM qui suivent et mesurent les activités et les événements liés aux mots de passe, tels que les modifications, les réinitialisations, les échecs, les violations ou les plaintes de mot de passe. Vous pouvez également utiliser des audits et des évaluations IAM qui vérifient et valident vos politiques et pratiques en matière de mots de passe, et identifient les lacunes ou les problèmes qui doivent être résolus ou améliorés. En surveillant et en examinant vos politiques de mots de passe, vous pouvez les ajuster et les optimiser selon vos besoins, et vous assurer qu’elles répondent à vos objectifs de sécurité et de convivialité.

Ajoutez votre point de vue

Julian Cohen

Risk Philosopher, Program Builder, CISO, Advisor, Investor, Board Member, Researcher, Security, Governance, Risk, Compliance, TechOps/IT, and Corporate Governance
(modifié)
Signaler la contribution
The most important thing to monitor is not your password policies, but compromised credentials (passwords) and password reuse. To monitor compromised credentials, you can use dark web monitoring, breach notification, and ATO protection services. To monitor reused passwords, you can use enterprise reporting from your password manager, which should include reports like users with reused or similar passwords across multiple websites, compromised passwords, simple passwords, and accounts without 2FA. These can be addressed by your identity or enterprise security teams as necessary.

Texte traduit

J’aime

Inutile
Sreenu Pasunuri

Orchestrating Cybersecurity Excellence with Passion and Precision | CISA | CRISC | ISO 27K LA | 🤝🏻20K+ |
Signaler la contribution
1. SIEM systems collect and analyze log data from various sources, including authentication systems, to detect and respond to security incidents. They can be configured to monitor password changes and alert administrators to any suspicious activities. 2. For Windows environments, Active Directory provides built-in auditing features that can track password changes, including the username, date, and time of the change. Administrators can enable auditing policies and review audit logs periodically. 3. PWD Management Solutions: Some password management solutions offer auditing capabilities to track password changes across an organization's systems and applications. These solutions can provide detailed reports on password-related activities.

Texte traduit

J’aime

Inutile
David O. Humphrey, MBA

Information Security Compliance Engineer | Army Veteran | Member of Information Systems Security Association (ISSA) Denver
Signaler la contribution
Monitoring can be done with logging such as with a SIEM and ensuring policies are in place to alerts. Additionally, password and logging policies should be establish in a written form, reviewed, and signed off by leadership for enforcement. AD is a great tool for enforcing password policies. Reoccurring audits of password and logging controls are considered best practice for ensuring your organization aligns with industry standard security best practices.

Texte traduit

J’aime

Inutile
Lachlan Christie-Adams

Cyber Security Analyst | S+ | A+ | CC
Signaler la contribution
In my experience, ensuring the effectiveness and appropriateness of password policies requires regular monitoring and evaluation. Leverage IAM metrics and reports to meticulously track password-related activities like changes, resets, failures, breaches, and user feedback. I suggest incorporating IAM audits and assessments into your routine. These evaluations verify and validate password policies, identifying any gaps or issues that demand attention or improvement. Through consistent monitoring and review, gain insights into policy performance, facilitating timely adjustments and optimizations to meet evolving security and usability goals.

Texte traduit

J’aime

Inutile
Lorena Guevara

Analista BI en Conclina
Signaler la contribution
Existen herramientas que permiten evaluar la complejidad de las contraseñas en su creación, se puede configurar el grado de complejidad y recomendar a los usuarios la selección adecuada de contraseñas semi complejas que permitan controlar la administración por aplicación

Texte traduit

J’aime

Inutile

Charger plus de contributions

6 Voici ce qu’il faut prendre en compte d’autre

Il s’agit d’un espace pour partager des exemples, des histoires ou des idées qui ne correspondent à aucune des sections précédentes. Que voudriez-vous ajouter d’autre ?

Ajoutez votre point de vue

Ganesh Unavane
Signaler la contribution
Here are some additional things to consider Implementation of MFA will add an extra layer of security beyond passwords using methods such as SMS codes, authenticator apps, or hardware tokens. Educating users to store passwords securely using cryptographic hashing algorithms to protect against unauthorized access. Making the password change process intuitive and user-friendly to encourage compliance and reduce frustration. Conducting regular security assessments and audits to identify weaknesses in the password management system would help a lot .

Texte traduit

J’aime

Inutile
Rick Hein

Cybersecurity people leader helping others avoid the mistakes I've made in the past (both cybersecurity and otherwise)...
Signaler la contribution
This question is about password change policies, when the reality is, we should NOT rely on passwords alone for authentication. If a password is not complex enough, or is popped via some other means, then it is worthless. MFA should be used EVERYWHERE. Most organizations use O365, and as such, Microsoft Entra is included for FREE. There is ZERO excuses for not using MFA.

Texte traduit

J’aime

Inutile
Lachlan Christie-Adams

Cyber Security Analyst | S+ | A+ | CC
Signaler la contribution
Another valuable insight is the impact of user education. Organizations often underestimate the power of robust user training programs. Educating users about the rationale behind password policies, potential risks, and secure practices fosters a culture of cybersecurity awareness. This not only enhances compliance but also reduces the likelihood of password-related issues.

Texte traduit

J’aime

Inutile
Bruno Barbalho

Gerente de Segurança da Informaçao e Compliance na Epson do Brasil
Signaler la contribution
Além de definir a frequência de alteração de senhas, é importante implementar outras medidas de segurança, como senhas fortes, autenticação multifator, monitoramento de atividades suspeitas e educação contínua dos usuários sobre boas práticas de segurança cibernética. Essas práticas complementares ajudam a fortalecer a postura de segurança da organização e a mitigar os riscos de comprometimento de dados.

Texte traduit

J’aime

Inutile
Leonardo T.

Head of Audit and Compliance | Governance | Specialist in Risk Management and Internal Controls | Fraud Prevention | Information Security | Privacy and Data Protection | Anti-Money Laundering
Signaler la contribution
From the legal perspective of the responsibility of the user (customer) and the company (bank) in terms of the use and protection of passwords. In a scenario of legal dispute between 1) the customer of a Bank who noticed the movement of undue financial balances by someone who obtained the customer's password and 2) the Bank that held the customer's money and that implemented sufficient IS measures. I have seen scenarios in which the court decision was favorable to the customer because the Bank did not demonstrate all applicable IS measures, on the other hand, results favorable to the Bank because the customer would not have been diligent with their password. It is important to pay close attention to the legal consequences of IS practices.

Texte traduit

J’aime

Inutile

Charger plus de contributions

À quelle fréquence les stratégies IAM doivent-elles obliger les utilisateurs à modifier leurs mots de passe ?

1

2

3

4

5

6

1 Pourquoi changer les mots de passe ?

2 Pourquoi ne pas changer les mots de passe ?

3 À quelle fréquence faut-il changer les mots de passe ?

4 Comment appliquer les politiques de mot de passe ?

5 Comment surveiller et examiner les politiques de mots de passe ?

6 Voici ce qu’il faut prendre en compte d’autre

Sécurité de l'information

Notez cet article

Nous vous remercions de votre feedback

Plus d’articles sur Sécurité de l'information

Lecture plus pertinente

À quelle fréquence les stratégies IAM doivent-elles obliger les utilisateurs à modifier leurs mots de passe ?

1

2

3

4

5

6

1 Pourquoi changer les mots de passe ?

2 Pourquoi ne pas changer les mots de passe ?

3 À quelle fréquence faut-il changer les mots de passe ?

4 Comment appliquer les politiques de mot de passe ?

5 Comment surveiller et examiner les politiques de mots de passe ?

6 Voici ce qu’il faut prendre en compte d’autre

Sécurité de l'information

Notez cet article

Nous vous remercions de votre feedback

Explorer d’autres compétences