Dev/Test Password Expiry 2264

  • I have recently been recruited as a Build and Environment Manager and want to change the current policy for password expiry on dev and test usernames.
    Currently the passwords on these accounts expire every 30 days as per the production accounts. I’m getting a lot of feedback from developers and testers asking why we need to change these accounts so often as they are, after all, only usernames that access dev and test environments.
    We currently suffer from a lot of password lock out issues and have to go to our out-sourced admin teams to unlock the accounts. This process can take quite some time and is very frustrating to the users.
    I recently raised a change to request that some accounts are changed to expire every 6 months rather than 30 days. The change was rejected on the basis that the SOX audits require use to delete all inactive accounts after 60 days, to achieve this we must expire passwords after 30 days and then if that password is not reset after another 30 days, the account is disabled.
    I can understand the logic in this for production systems but this seems a little OTT for dev and test, does SOX distinguish between production and non-productions systems? Does this policy sound right to you guys? Are there any workarounds?

  • Best practice would be no more than 90 days for expiry - so it was right to reject 6 months as too long.

  • What is the real risk in not implementing the password controls for Dev and Mock?
    As long as we ensure periodic review of users on these environments and ensure that access is restricted on ‘need to know’, i really do not see any risk in not implementing password controls for the above environments

  • I agree with Denis that 90 days should be seen as the max and that 6 months is too long. As I work in differing domains, I have both 30 and 90 day durations on passwords. 30 day durations are indeed painful to keep up with.
    As an idea, you might compromise to 60 days the 30 day to deactivate. As a 2nd choice, you could move to 90 days with no 30 day window for account deactivation.
    I believe 90 days is acceptable, as long as this process is very well controlled.

Log in to reply