See I think this is where in general people in it misunderstand the impact.
Like, if it’s -40 and your furnace breaks, who is having the worse day, you or the furnace repair man?
The repair man might be grumbling because they have to do their job, but you’re grumbling because you’re freezing. You both might be grumbling, but by way of impact there is a massive asymmetry in impact.
That repair man is going around to many peoples freezing houses. They are also freezing their butts off all day. And not just one period in winter, every single day of winter.
And when they fix a house, they don’t get to enjoy the warmth afterwards. They have to go to the next freezing house.
This is exactly my face when IT is telling me the rules for my passwords.
Sorry, those rules come from our cybersecurity insurance, or some compliance rules.
We hate them as much as you do.
Then why are they different between systems? Do you have different insurers per application?
Those other applications come from an external vendor, we only provide the VM to run them.
We hate those even more than you do.
You can’t
Every single issue that occurs with those applications gets thrown in our laps to fix.
This includes all of yours as well as all your colleagues.
See I think this is where in general people in it misunderstand the impact.
Like, if it’s -40 and your furnace breaks, who is having the worse day, you or the furnace repair man?
The repair man might be grumbling because they have to do their job, but you’re grumbling because you’re freezing. You both might be grumbling, but by way of impact there is a massive asymmetry in impact.
But that is only looking from one perspective.
That repair man is going around to many peoples freezing houses. They are also freezing their butts off all day. And not just one period in winter, every single day of winter.
And when they fix a house, they don’t get to enjoy the warmth afterwards. They have to go to the next freezing house.
Understand that impact.
What applications do you have that IT controls the password requirements for?
IT controls your AD credential requirements in most cases and that’s pretty much it. It sounds like your employer needs to implement an SSO solution.
It is the AD credentials. It’s a fortune 500 company and it doesn’t even come close to NIST recommendations.
We have like 3 different ADs as a result of mergers and acquisitions, and the requirements are all different.