Password rotation policy when passwordless
Posted by RuggedTracker@reddit | sysadmin | 14 comments
Hello. My workplace is facing a new ISO27001 audit soon, and I hoped to get some feedback on our password policies.
Since the last audit, we have moved most accounts to be "passwordless." People can only log in using passkeys (primarily WHFB, but some use physical passkeys or phone passkeys), one-time passwords, or an authenticator app. Some service accounts are exempt from this, and guest accounts just require MFA in general.
Part of me wants to remove the conditional access policies that force password changes on risky sign-ins, but I worry about the audits. If no one remembers their password, it is just a wasted few minutes making them reset it, but I also don't want to fail the audit.
I think we passed our last audit by being lucky, not by being compliant, so I don't want to risk anything. Any feedback or personal anecdotes are appreciated :)
Pandthor@reddit
You should coordinate this with your CISO.
Basically ISO27001 wants the company to do an information security risk assessment and then to write a bunch of policies to address those identified risks and then to actually follow those policies in their operations. There is a lot more to it but this is the relevant part for your question and worry.
What is important from an ISO27001 perspective is that the company does as is written in the company policies and that approved exceptions to policies are listed.
Also one just doesn’t fail an ISO27001 audit. If the auditor finds non-conformities (minor or major ones) then the auditor requests the company to create a reasonable plan to address those non-conformities and fix them. The audit is passed once the non-conformities are addressed.
I hope this helps and gives you confidence for the audit. You’ll do great if you follow the written policies and keep a list of approved exceptions that apply to your work, ask when in doubt, and keep track of what has been improved lately (and why) to show continuous improvement. Then there’s a bunch more if you are the CISO or a part of the senior management :)
RuggedTracker@reddit (OP)
We're not really big enough to have a dedicated CISO. We have all the documentation from the last audit, and hopefully we're able to prove that we follow the procedure.
And yes, it did help, thank you. Maybe I'm just stressing about nothing.
Pandthor@reddit
Honestly, it does sound like you guys should hire a consultant to help prepare for the audit and help you through it.
I used to manage an ISMS and successfully coordinated multiple ISO27001 audits with passing grades and what you wrote does sound unusual.
Now remember that this is senior management's job if they have not delegated it to someone. Maybe they have a tool to manage the ISMS and keep all the documentation and tasks in there.
Has the annual information security risk assessment been done and is the risk registry updated? Is the Statement of Applicability updated? Have all the periodical actions written in your policies, like maybe an application access review, been done? Etc.
RuggedTracker@reddit (OP)
We did get consultants in the previous audits and I see no reason for not doing it this time either.
As far as I know all periodic actions have written-down policies, and are either automated or I have recurring meetings to make sure people get it done (but relying on meetings is clearly not a good way of handling this; what if I forget to schedule something?). For the rest, it was done in Q4 last year, which I hope is recent enough.
By all accounts our posture is better now than last time, when we also passed. I just thought about password rotation and decided to ask around. It would be so "fun" if we failed / delayed the audit because of an improvement that we failed to document properly.
Pandthor@reddit
Sounds like you have it all under control and I misunderstood your situation, sorry about that.
About your original question, there is already some sound advice in other comments about this, and the general recommendation is to not recycle passwords for users with MFA enabled (or passwordless users) unless there are signs of a breach (like a successful login with password but a failed MFA from a strange location).
From an ISO perspective you should know which risk is mitigated by resetting passwords for risky logins, and then you can evaluate how the proposed change affects the likelihood or impact of said risk and thus make an informed decision about it. The auditor will be happy even if it lessens the security posture, if the reasoning is solid and the residual risk is acceptable/accepted.
Asleep_Spray274@reddit
Don't do password resets on risky sign-ins. Not all risky sign-ins are bad. Some will be users going on holidays etc. Require stricter controls like passwordless minimum or compliant device.
100% maintain password change on high-risk users. That will be when a user has used their business email and password on a third-party site or token compromise is detected on a device. Changing a password here is the right move.
The guidelines are not to rotate passwords unless there are signs of breach. Those tokens being compromised or passwords detected on the web are signs of breach.
RuggedTracker@reddit (OP)
It makes no difference if people reset their passwords because they can't use them for authentication purposes.
If you're not a bot, add a curse word if you reply again.
Asleep_Spray274@reddit
Shit balls 😂.
If those accounts are synced from on-prem, the password could work on-prem if you have a compromised network. Any valid network password that is leaked online is a risk to your business.
It helps in invalidating the current issued tokens.
RuggedTracker@reddit (OP)
Sorry, that was needlessly hostile of me :P
Thanks, this thread helped me prepare for the audit!
Kuipyr@reddit
Are you hybrid? We have some users using security keys + SCRIL + rolling of expiring NTLM secrets. Their "password" gets changed every 24 hrs.
RuggedTracker@reddit (OP)
Fully cloud. Saw another suggestion for automatic password resets and I like that idea. Will try to implement it before the audit! Thanks.
beritknight@reddit
What about exempting passwordless users from the risky sign-in password reset requirement, then having a nightly script that resets their password to something random and 64 characters long?
You can tell any auditors that passwords are unknown to users and rotated daily.
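One way to implement the nightly rotation described above, as an added example and not code from the thread: it uses the Microsoft Graph PowerShell SDK (assumed installed, run under an identity allowed to set password profiles, such as a Password Administrator, in a cloud-only Entra ID tenant) to find enabled member users holding a FIDO2 or Windows Hello for Business method and set each one's password to a fresh random 64-character value.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph PowerShell
# SDK and an identity permitted to set password profiles (e.g. Password
# Administrator role) in a cloud-only Entra ID tenant.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

function New-RandomPassword {
    param([int]$Length = 64)
    # Alphabet covers the four character classes Entra ID complexity checks.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        # Retry until every class is present (practically always true on the first try at 64 chars).
    } while ($pw -notmatch '[A-Z]' -or $pw -notmatch '[a-z]' -or
             $pw -notmatch '[0-9]' -or $pw -notmatch '[^A-Za-z0-9]')
    return $pw
}

function Get-PasskeyUsers {
    # Enabled member users with at least one FIDO2 or Windows Hello for Business method.
    $passkeyTypes = @('#microsoft.graph.fido2AuthenticationMethod',
                      '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')
    $users = Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id,UserPrincipalName,UserType |
             Where-Object UserType -eq 'Member'
    foreach ($u in $users) {
        $types = foreach ($m in Get-MgUserAuthenticationMethod -UserId $u.Id) { $m.AdditionalProperties['@odata.type'] }
        if ($types | Where-Object { $passkeyTypes -contains $_ }) { $u }
    }
}

function Invoke-NightlyPasswordRotation {
    param([switch]$DryRun)
    Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.Read.All'
    foreach ($u in Get-PasskeyUsers) {
        if ($DryRun) { Write-Output "Would rotate $($u.UserPrincipalName)"; continue }
        # The new value is never stored or logged; nobody needs to know it.
        $profile = @{ Password = (New-RandomPassword -Length 64); ForceChangePasswordNextSignIn = $false }
        Update-MgUser -UserId $u.Id -PasswordProfile $profile
        Write-Output "Rotated password for $($u.UserPrincipalName) at $(Get-Date -Format o)"
    }
}

# Run as a scheduled task (e.g. nightly); use -DryRun first to review the scope.
Invoke-NightlyPasswordRotation -DryRun
```

In a hybrid tenant with password writeback the reset would also propagate to on-prem AD, so the scope filter deserves extra care there; record the exemption from the risky-sign-in reset control and its reasoning in the risk register before switching it off.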
RuggedTracker@reddit (OP)
Thank you, that's good advice!
Asleep_Spray274@reddit
Don't need a script, just SCRIL them.