15
Hit 500 days without a password reset and honestly it's a terrible metric
I work in IT security and my company brags about users going 500+ days without a password reset. Everyone treats it like a win but it actually scares me. All it means is nobody is changing their passwords even when there's a breach alert or a known vulnerability. I checked the logs and saw 40% of those users had the same password from 3 years ago. That's not security, that's just complacency with extra steps. Why are we celebrating people who refuse to update their credentials when we know breaches happen every month?
2 comments
ryan9529h ago
Ngl I was one of those people who thought it was cool to hit those long streaks without a reset. I'd see the notification and be like "heck yeah, another month without having to come up with a new password." But reading this actually flipped a switch for me. You're totally right that it's not a flex, it's just people being stubborn or lazy about security. I guess I never looked at it from the IT side where those untouched credentials are basically a ticking time bomb.
8
grant.luna 8h ago
You said "heck yeah, another month without having to come up with a new password" and I get that feeling, but coming up with a new password doesn't have to be a nightmare. A password manager can handle all that for you, so you're not actually making the choice to be lazy about security. It just takes a few minutes to set one up and then you never have to remember another password again.
1