- Banned Password Lists – stopping users from using “12345678” and “Password1” is a great start. Enforcement of banned passwords keeps users from using known “bad” passwords.
- Multi-Factor Authentication – MFA is a must these days for literally every user within the organization. Even the mailroom clerk who only has access to email and a few shipping applications can be leveraged as an asset during an attack to spread malware throughout the organization via internal email.
Use of these two alternative controls helps offset the potential increase in risk created by no longer mandating that users change their passwords. Instead, educating users on the importance of good password hygiene, length, and complexity can have a more positive impact on security than password expiration – something Microsoft calls “an ancient and obsolete mitigation of very low value.”
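The banned-password enforcement from the first bullet, as an added example that is not from the original article or from any vendor's product: the checker normalises a candidate (lower-cases it and undoes common substitutions such as `@` for `a` and `0` for `o`) and rejects it if any banned base word appears inside it, so that “Password1” and “P@ssw0rd!” fall to the same rule. The banned list and the 12-character minimum are constructed assumptions for the example.

```python
"""Banned-password check (added example, not code from the original article).

A candidate is compared in two forms: lower-cased as typed, and with common
character substitutions undone. If any banned base word is a substring of
either form, the candidate is rejected. The list below is a small constructed
sample; a real deployment would use a far larger global list plus
organisation-specific terms (company name, product names, local sports teams).
"""
from typing import Optional, Set, Tuple

# Constructed sample banned list (assumption: a real list is much larger).
BANNED_BASE_WORDS = sorted({"password", "12345678", "qwerty", "letmein", "welcome"})
MIN_LENGTH = 12  # assumed organisational minimum; not a value from the article

# Substitutions users commonly make to slip past an exact-match blocklist.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})


def candidate_forms(password: str) -> Set[str]:
    """Forms of the password that are compared against the banned list."""
    lowered = password.lower()
    return {lowered, lowered.translate(_LEET)}


def find_banned_word(password: str) -> Optional[str]:
    """Return the first banned base word found inside any normalised form."""
    for form in sorted(candidate_forms(password)):
        for word in BANNED_BASE_WORDS:
            if word in form:
                return word
    return None


def evaluate_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason). The banned-word check runs before the length
    check so a short banned password is reported as banned, not merely short."""
    word = find_banned_word(password)
    if word is not None:
        return False, f"contains banned word '{word}'"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample candidates, including the two the article names.
    for pw in ["12345678", "Password1", "P@ssw0rd!2024xyz", "correct horse battery staple"]:
        print(f"{pw!r}: {evaluate_password(pw)}")
```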