Change passwords regularly? Nope!

Should you change your passwords regularly, as the security policy of a great many companies still demands? No.

Our baselines are intended to be usable with minimal if any modification by most well-managed, security-conscious enterprises. They are also intended to serve as guidance for auditors. […] If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? […] Periodic password expiration is an ancient and obsolete mitigation of very low value […] By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903, Microsoft

A password manager and the consistent use of two-factor authentication do more for security than changing passwords. (Apart from the Microsoft document quoted above, Ars Technica offers a few explanations of why forced password changes do more harm than good.)
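Two of the controls the quoted baseline names as the real replacements for expiry, a banned-password list and detection of password-guessing attacks, are simple enough to sketch. The following is an added example, not code from this post, from Microsoft, or from any product; the banned list, the log format and the log lines are constructed for the demonstration, and the window and threshold values are arbitrary assumptions.

```python
"""Added example: a banned-password check plus a failed-logon detector,
the controls the Microsoft baseline prefers over periodic expiration.
Everything below (word list, log format, sample data) is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed banned base words. A real deployment would load a large list
# of breached and common passwords instead of this placeholder.
BANNED_PASSWORDS = {"password", "summer", "welcome", "qwerty"}

# Trailing characters users typically append to a banned base word.
_TRAILING = "0123456789!@#$%^&*.?"


def is_banned(password: str) -> bool:
    """Return True if the password is a banned word or a banned word with
    digits/punctuation appended ("Summer2024!"). Leetspeak substitutions
    are deliberately not handled here; a production list would normalise them."""
    p = password.lower()
    if p in BANNED_PASSWORDS:
        return True
    return p.rstrip(_TRAILING) in BANNED_PASSWORDS


# Constructed auth log: "<ISO timestamp> <user> <FAIL|SUCCESS> <source ip>"
SAMPLE_LOG = """\
2024-05-01T08:00:01 alice FAIL 203.0.113.5
2024-05-01T08:00:03 alice FAIL 203.0.113.5
2024-05-01T08:00:05 alice FAIL 203.0.113.5
2024-05-01T08:00:08 alice FAIL 203.0.113.5
2024-05-01T08:00:10 alice FAIL 203.0.113.5
2024-05-01T08:00:12 alice FAIL 203.0.113.5
2024-05-01T08:01:00 bob FAIL 192.0.2.10
2024-05-01T08:01:30 bob SUCCESS 192.0.2.10
2024-05-01T08:05:00 carol FAIL 198.51.100.7
2024-05-01T08:12:00 carol FAIL 198.51.100.7
2024-05-01T08:19:00 carol FAIL 198.51.100.7
2024-05-01T08:26:00 carol FAIL 198.51.100.7
2024-05-01T08:33:00 carol FAIL 198.51.100.7
"""


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def detect_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Flag (user, source ip) pairs whose peak number of FAIL events inside
    any sliding `window` reaches `threshold`. Returns {pair: peak_count}."""
    fails = defaultdict(list)
    for ts, user, result, ip in sorted(events):
        if result == "FAIL":
            fails[(user, ip)].append(ts)

    flagged = {}
    for key, times in fails.items():
        start, peak = 0, 0
        for end in range(len(times)):
            # Advance the window start until all events fit in the window.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for pw in ("Summer2024!", "correct-horse-battery"):
        print(f"{pw!r}: banned={is_banned(pw)}")
    for (user, ip), count in detect_guessing(parse_log(SAMPLE_LOG)).items():
        print(f"password guessing suspected: user={user} src={ip} failures={count}")
```

Only alice's account is flagged: six failures from one address within seconds. bob's single failure followed by a success is ordinary mistyping, and carol's five failures are spread over half an hour, so no five-minute window ever holds more than one. That distinction is exactly what a blanket expiry policy cannot make and a detection rule can.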