As a company, we want every user to renew the master password every x months.
There is no setting available yet.
Uughh. Why, if you don’t mind me asking? Personally, I feel like these sorts of policies undermine the protections offered by password managers rather than enhance them, although I do realize there are exceptions.
Yeah, this is against current best practice. If you ask your staff to come up with a strong, memorable password, then make them change it every month/every quarter/etc., they are either going to (a) write it down or (b) just change one digit at the end of the password. There’s no additional security, just inconvenience for your users. Only enforce a password change if there’s a suspicion that a password has been compromised.
If you are still a fan of this “change your password” idea, please take a look at this:
Nist.gov:
“Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.”
Source: https://pages.nist.gov/800-63-3/sp800-63b.html#sec10, see below 10.2.1 under Memorized Secrets
Because of your name I assume that you speak some German.
Therefore you also might want to take a look at this article:
And finally a personal note:
Whenever I was forced to change my password on a regular basis, both I and everyone who told me about this just added a counter or date to the “regular” password.