I am studying for my Sec+ and I just watched the video on password policies. Now I want opinions on password expiration. Microsoft states: "Don't require mandatory periodic password resets for user accounts", which basically means don't require password expiration. (https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide#password-guidelines-for-administrators). What should I expect from Sec+? Will they want password expiration, and in real-world practice is it better to not require password expiration?
Solved Password Expiration Policy
@Paris-Robinson , I hope all is well. Great question, and it can be confusing on a first read of the guidance... But let's look a bit deeper.
The article that you cite from Microsoft also goes on to recommend the use of Multi-Factor Authentication (MFA) challenges as part of the policy approach, in combination with the other items discussed, which helps us to build a Defense in Depth architecture/approach to the IAAA process overall.
This is where the industry is, and has been for a few years now, and is the accepted approach that should be used.
In terms of the exam, the best approach is to read the question carefully and make sure that you understand what is being asked before you answer...
For instance, you may get asked a question that indicates that you must ensure that all users reset/change their password due to some sort of issue... what is the best approach? --> Password Expiration
Or, you could be asked whether password expiration would help with password reuse... --> NO, it would not
It just depends on the context of the question... Your job on any exam is to read carefully, understand the question as asked, and answer that question only, not the one that you think should have been asked, or would prefer to answer....
I hope that helps...
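As an added illustration (not part of either post above), here is how the two things the answer distinguishes look in practice for a Microsoft 365 / Entra ID tenant: applying Microsoft's "don't require periodic resets" guidance tenant-wide, and the separate one-time forced reset you would run when an incident requires everyone to change their password. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds a role allowed to change domain password policy and user password profiles; the `$DryRun` switch and the user filter are my own choices, not from the Microsoft article.

```powershell
# Added example, not from the original post or the Microsoft article.
# Assumes the Microsoft.Graph PowerShell SDK and an account permitted to
# update domain policy and user password profiles. Run in a test tenant
# first: Part 2 touches every enabled cloud-only member account.

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "User.ReadWrite.All"

# --- Part 1: Microsoft's guidance ("don't require periodic resets") ---
# Password expiration is set per verified domain. The value 2147483647 days
# is the documented way to express "never expires" in Entra ID.
foreach ($domain in Get-MgDomain) {
    "{0}: currently expires every {1} day(s)" -f $domain.Id, $domain.PasswordValidityPeriodInDays
    Update-MgDomain -DomainId $domain.Id `
        -PasswordValidityPeriodInDays 2147483647 `
        -PasswordNotificationWindowInDays 30
}

# Per-user overrides (e.g. an earlier -PasswordPolicies DisablePasswordExpiration)
# still take precedence over the domain setting, so list who carries one.
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies |
    Where-Object { $_.PasswordPolicies } |
    Select-Object UserPrincipalName, PasswordPolicies

# --- Part 2: the exam scenario ("make all users change their password") ---
# This is a one-time forced reset, not periodic expiration: each account is
# flagged so its next sign-in requires a new password, and that is it.
$DryRun = $true   # set to $false only when you really mean to force the reset

$users = Get-MgUser -All `
    -Filter "userType eq 'Member' and accountEnabled eq true" `
    -Property Id, UserPrincipalName, OnPremisesSyncEnabled

foreach ($u in $users) {
    # Hybrid-synced users are mastered in on-premises AD; reset them there.
    if ($u.OnPremisesSyncEnabled) {
        "SKIP (synced from on-prem AD): $($u.UserPrincipalName)"
        continue
    }
    if ($DryRun) {
        "WOULD FORCE RESET: $($u.UserPrincipalName)"
        continue
    }
    Update-MgUser -UserId $u.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
    "forced reset: $($u.UserPrincipalName)"
}
```

Two practical caveats: exclude your emergency-access (break-glass) accounts from the Part 2 loop so you cannot lock yourself out of the tenant, and remember that flagging a password change for the next sign-in does not by itself end sessions that are already open; if the incident involved stolen tokens, revoke sign-in sessions as a separate step (for example with `Revoke-MgUserSignInSession`).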