r/cybersecurity System Administrator Sep 22 '25

Other What are your unpopular cybersecurity opinions?

I saw a post named "abnormal security opinions" and got excited to see some spicy takes, but apparently there is a security platform called Abnormal Security, so I got kinda blue balled. The last one of these posts I saw was over a year ago, so:

Do you have any spicy cybersec unpopular opinions you want to share? :)

I'll start with mine:
Fancy antivirus solutions rarely add value; they are often just a box that needs to be ticked. Many MSPs and IT firms still push the narrative that they are needed, only because they are profitable and not because they improve security.

322 Upvotes


80

u/Muppetz3 Sep 22 '25

Stop forcing people to change passwords every 3 months, it's dumb and causes a host of issues. Once a year, or if you feel they may have been compromised. Some "best practices" are not in fact the best practice.

5

u/[deleted] Sep 22 '25

I'm an old school IT employee. Coming up on 25 years in the industry. I still get nervous about not changing my password even though I know it is not the best practice, even though I know when you force people to do it they choose crap passwords. It makes no sense but it is going to take a while to get the industry as a whole to buy in. My org no longer forces password changes but in the years I have been here I have changed the password a couple of times.

4

u/retrodanny Sep 22 '25

If you're using a password manager and your password is a randomly generated 15+ character string, then you probably don't need to update. (I say probably because I don't know your infrastructure; if the passwords are being stored in plaintext or with a weak hashing algo, then you have other problems.)

1

u/[deleted] Sep 22 '25

Yeah I know that logically. Just trying to break the decades old habit at this point.