Tracking User Passwords
It’s been a long time since this came up, but with all the remote access changes in the last few weeks, the topic of who knows the users’ passwords has come back to the top of our clients’ minds.
We don’t track your users’ passwords. We never have, we don’t now, and we don’t see this changing in the near future. There are a couple of very good reasons.
A user can choose to change their password any time they wish. We cannot see their password anyway, so we would have no way to know what they changed it to.
In fact, when we setup a new user, we send a temporary password. As soon as they log in for the first time, they are prompted to change the password right away. You’ve probably run into this when you’ve been given a temporary password for a website login; same idea. This provides safety for you and for your user. No one has the new password except the user.
We can change a password for any user, any time you need this done. If a user’s account has been compromised, or their computer is lost, we can change the password right away. If they’re leaving your company or you’ve released them, we can change the password.
One other thought—we recommend requiring users to change their passwords every 90 days. We know that many people use the same password on other sites. Requiring a change every 90 days limits the risk of compromised passwords in your environment.
When it comes to the users’ login and password, we do not and cannot track their passwords. A user can change their password any time they wish. We can change their password any time you wish! —CMW