Password age is relevant because time is really what you are up against when dealing with stolen credentials. The 17-and-a-half-year-old password I mentioned at the start of this article is a particularly egregious example.

A password that is never changed gives an attacker all the time they need to obtain it, whether by cracking a captured hash or by stumbling on it in a script or config file. And once they have it, they hold persistent access to every system that shares that password, until it is finally updated. If it ever is.

What this really means is that, given the will to steal an administrator password and move through a network, all an attacker really needs is time. Rotating privileged account passwords continuously shrinks the window in which a stolen credential is still useful, and denies your adversaries the one resource they need most.
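As an added example, not code from the original article, here is a small Python audit that turns the point above into a check: it computes password age for privileged accounts from an Active Directory-style export, where pwdLastSet is stored as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, with 0 meaning the password was never set or must be changed at next logon). The account names, the 90-day threshold and the fixed audit date are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed rotation policy for this example: privileged passwords older
# than this many days are reported as stale.
MAX_AGE_DAYS = 90

# Windows FILETIME epoch. Active Directory stores pwdLastSet as the number
# of 100-nanosecond intervals since this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a pwdLastSet FILETIME to a UTC datetime.

    A value of 0 (or anything non-positive) means the password has never
    been set or is flagged 'must change at next logon'; return None then.
    """
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed sample."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks_per_second = 10_000_000
    return ((delta.days * 86400 + delta.seconds) * ticks_per_second
            + delta.microseconds * 10)


def password_age_days(filetime: int, now: datetime) -> Optional[int]:
    """Whole days since the password was last set, or None if never set."""
    last_set = filetime_to_datetime(filetime)
    if last_set is None:
        return None
    return (now - last_set).days


def stale_privileged_passwords(accounts, now, max_age_days=MAX_AGE_DAYS):
    """Return [(sAMAccountName, age_days)] for privileged accounts whose
    password is older than max_age_days or has never been set (age None).

    Never-set passwords come first, then the oldest, so the decade-old
    offenders surface at the top of the report.
    """
    findings = []
    for acct in accounts:
        if not acct["privileged"]:
            continue
        age = password_age_days(acct["pwdLastSet"], now)
        if age is None or age > max_age_days:
            findings.append((acct["sAMAccountName"], age))
    findings.sort(key=lambda f: (f[1] is not None, -(f[1] or 0)))
    return findings


# Constructed sample resembling an AD export (hypothetical accounts). The
# audit runs against a fixed "now" so the result is reproducible.
AUDIT_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-backup", "privileged": True,
     "pwdLastSet": datetime_to_filetime(datetime(2006, 7, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "adm-jsmith", "privileged": True,
     "pwdLastSet": datetime_to_filetime(datetime(2023, 6, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "adm-rotated", "privileged": True,
     "pwdLastSet": datetime_to_filetime(datetime(2023, 12, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "adm-neverset", "privileged": True, "pwdLastSet": 0},
    {"sAMAccountName": "jdoe", "privileged": False,
     "pwdLastSet": datetime_to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    for name, age in stale_privileged_passwords(SAMPLE_ACCOUNTS, AUDIT_TIME):
        label = "never set" if age is None else f"{age} days old"
        print(f"{name}: {label}")
```

In a real environment you would feed this the output of an LDAP query for pwdLastSet on members of your privileged groups rather than the constructed list; the conversion and the age threshold are the parts that carry over unchanged. Note that the 2006 entry comes out at 6393 days, which is the 17-and-a-half years the article opened with.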