Presently sponsored by: Kolide is an endpoint security solution for teams that want to meet SOC2 compliance goals without sacrificing privacy. Learn more here.

Geez it's nice to be home 😊 It's nice to live in a home that makes you feel that way when returning from a place as beautiful as Bali 😊 This week's video is dominated by the whole discussion around this tweet:

I love that part of the Microsoft Security Score for Identity in Azure improves your score if you *don't* enforce password rotation, what a sign of the times! Who out there still works somewhere that forces rotation (because "reasons")? pic.twitter.com/a2yQQvNRpa

— Troy Hunt (@troyhunt) October 6, 2022

I love this for the way it throws traditional logic out the window, logic we all knew sucked and I suspect the massive engagement the tweet drove is due to precisely that: Microsoft giving us all a good reason to whinge about a sucky practice that still prevails so broadly. So... I hope you enjoy listening to just how bad enforced password rotation sucks 😊

References

1. We've known that mandatory password rotation has passed its used by date for years now (that blog post was actually the genesis for Pwned Passwords)
2. The Bhinneka breach went into HIBP (Indonesian e-commerce service with 83% of pwnees being repeat visitors to HIBP)
3. The Wakanim breach also went in, a pretty fresh one from 6 weeks ago (actually thought this was quite under-reported for an incident impacting 6.7M people)
4. Sponsored by: Kolide can help you nail third-party audits and internal compliance goals with endpoint security for your entire fleet. Learn more here.