Password strength meters promote piss-poor passwords

Kiwi

Re: @AC (@ Charles 9)

"Wouldn't this get noticed the next time the user tried to log in and found their password didn't work any more, regardless of when they last changed it?"

Precisely the point!

If someone else changes a user's password without IT's knowledge (which is what an intruder would be forced to do if he stole account details and hit the forced-change deadline), then the real user would get locked out, find out about it, and inform IT. You WANT IT to be informed since that means a newly-detected breach.

Actually, the point the AC was making was that a hacker changing a user's password would make the breach undetected until there was a monthly forced password change, as evidenced by the first line of the paragraph I was replying to:

It works as a countermeasure to undetected breaches.

What you say is logical, but my post was in response to the implied "forced regular password changes mean hacks are detected more quickly" of the original post.

(In reality, I think you'll find most hackers won't change the password as they wish to remain undetected, and will try to find a way to get the new password as soon as it's entered)
