Be more secure - step 2 - passwords

How often you should change passwords is one of those debates that flows backwards and forwards across discussion forums without settling on a definitive answer. If you force your users to change them too frequently, they’re likely to start sequencing passwords (e.g Monday1,2,3 etc) or writing them down. The default under Windows domains used to be 42 days. If you leave it too long, then passwords can remain known to wider teams and perhaps ex-employees.

For non-administrative passwords, we’d probably prefer quarterly changes as long as strong/long passwords are used. Highly complex passwords (such as ^&*njGJ6) are almost always going to get written down, so we prefer longer passwords of at least 12 characters (such as Tennis7$Egypt) or even better phrased passwords (so “I live in a 19th century cottage” – becomes Ilia19thCc). You shouldn’t re-use passwords across different accounts.

For admin accounts the Cyber Essentials standard dictates a change every 60 days or less. These changes should be diarised along with other housekeeping tasks.