Re: Rules and Password Timeouts
Ha ha - ten passwords where you can't reuse parts of the password?
Let me see - I reckon I could go round the loop and use up 9 passwords in such a way that a tenth password would be impossible.
Then make the IT guys reset the whole thing - social engineering, job done.
In the case above an undetected access would go undetected for 6 whole months - so why not age the password once a week? Or once a day? Surely, 6 months is an intolerable amount of time to let your attacker in unfettered?
One other thing that I haven't seen mentioned above - apologies if I missed it - every login system should tell you when you last logged in as a matter of course. That helps the end user spot intrusions and then they can help the process by changing their password. Most do not do this, notable exceptions being HMRC (wow - they do one thing right!) although they too use the easily hackable SMS method of 2FA.