The #1 Security Finding We See in 90% of New Indiana Clients
We've done security audits for dozens of Central Indiana businesses in the last few years. One finding shows up in roughly 90% of them. It's not zero-days. It's not advanced persistent threats. It's something embarrassingly simple — and it's almost certainly true of your business right now.
The finding: passwords that never expire
The most common security finding we surface in new-client assessments — by a wide margin — is user accounts with passwords set to never expire. Sometimes it's one or two service accounts. More often it's dozens of regular user accounts, and occasionally domain administrator accounts. We have seen this in every kind of business: small medical practices, large manufacturers, schools, professional services firms, religious non-profits. It is universal.
Why this is dangerous
The reasoning behind "passwords that never expire" is usually well-intentioned. Someone got tired of users complaining about expired passwords. They flipped the setting. The problem solved itself. The downstream consequences became someone else's problem.
Here's why it matters: passwords leak. Not because your business was breached — because some other business got breached, and your employees reused their work password somewhere on a service that did get breached. Stolen credentials end up on dark web markets within hours. If your password never changes, that leaked credential is a permanent backdoor into your environment. Forever.
Modern security operates on the assumption that passwords WILL leak. Mandatory rotation isn't punishment — it's an automatic backdoor closer.
What "good" looks like
The current consensus from NIST, CISA, and modern cybersecurity practice is roughly this:
- Passwords rotate at a defined interval — typically 90 to 365 days for standard users, depending on role and access level.
- Password complexity requirements are reasonable, not draconian. Length matters more than forced mixed case and symbols.
- Multi-factor authentication is mandatory on every account, especially admin accounts. MFA reduces the impact of a stolen password by 99%+.
- Service accounts (the ones running specific applications, not real humans) get separate treatment — long, complex, randomly-generated passwords stored in a vault, rotated on a schedule, with their own monitoring.
- Privileged accounts (Domain Admins, Global Admins) get even tighter controls — just-in-time access, separate identities for admin work, hardware-backed authentication.
Why this finding is so common
Three reasons we've seen across hundreds of audits:
- It's not in any compliance checklist that catches business attention. HIPAA, PCI, and most contractual security requirements demand "appropriate password policies" without naming the specific control.
- The MSP before us turned it off to reduce help desk volume. Fewer tickets, happier users, lower cost — and a security debt that grows quietly over years.
- Someone with access flipped the bit and forgot. "Just for now." Five years pass.
How to check this on your own environment
If you're on Microsoft Active Directory or Entra ID, you can check this yourself. Pull a report of users where "Password never expires" is enabled. Anything more than a handful of named, documented service accounts is a problem. If you have to ask "why are these accounts on this list," you have findings.
If you're not sure how to check, that itself is the finding.
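Here is one way to pull that report for both directories, written as an added example rather than a script from the post or from JPtheGeek. It assumes the ActiveDirectory and Microsoft.Graph.Users PowerShell modules are installed, that you have read access, and that your documented service accounts follow a naming convention (the "svc-" prefix and the two account names in the allow list are constructed placeholders). In Entra ID the equivalent of the AD flag is the DisablePasswordExpiration password policy on the user object.

```powershell
# Added example (not from the original post): list accounts whose password
# never expires, in on-prem Active Directory and in Entra ID, and separate
# documented service accounts from everything else.
# Assumptions: ActiveDirectory and Microsoft.Graph.Users modules, read rights,
# and a "svc-" naming convention for service accounts (constructed).

# Documented service accounts that are allowed to keep a non-expiring password.
# Constructed placeholder names; replace with your vault or CMDB export.
$DocumentedServiceAccounts = @('svc-backup', 'svc-sql-erp')

function Get-PasswordAgeDays([datetime] $LastSet) {
    if ($LastSet) { return [int](New-TimeSpan -Start $LastSet -End (Get-Date)).TotalDays }
    return $null   # pwdLastSet = 0: user must change password at next logon
}

# --- On-prem Active Directory ---------------------------------------------
Import-Module ActiveDirectory

$adReport = Get-ADUser -Filter 'PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled, Description, MemberOf |
  ForEach-Object {
    $isDocumented     = $DocumentedServiceAccounts -contains $_.SamAccountName
    $looksLikeService = $_.SamAccountName -like 'svc-*'
    [PSCustomObject]@{
        Directory       = 'AD'
        Account         = $_.SamAccountName
        Enabled         = $_.Enabled
        PasswordAgeDays = Get-PasswordAgeDays $_.PasswordLastSet
        LastLogon       = $_.LastLogonDate
        IsDomainAdmin   = @($_.MemberOf -match '^CN=Domain Admins,').Count -gt 0
        Classification  = if ($isDocumented)     { 'Documented service account' }
                          elseif ($looksLikeService) { 'UNDOCUMENTED service account' }
                          else                     { 'FINDING: human account' }
        Description     = $_.Description
    }
  }

# --- Entra ID: the same condition is the DisablePasswordExpiration policy ----
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$entraReport = Get-MgUser -All `
    -Property Id, UserPrincipalName, AccountEnabled, PasswordPolicies, LastPasswordChangeDateTime |
  Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
  ForEach-Object {
    $localPart = ($_.UserPrincipalName -split '@')[0]
    [PSCustomObject]@{
        Directory       = 'Entra'
        Account         = $_.UserPrincipalName
        Enabled         = $_.AccountEnabled
        PasswordAgeDays = Get-PasswordAgeDays $_.LastPasswordChangeDateTime
        LastLogon       = $null
        IsDomainAdmin   = $null     # check directory role assignments separately
        Classification  = if ($DocumentedServiceAccounts -contains $localPart) { 'Documented service account' }
                          else { 'FINDING: review' }
        Description     = $null
    }
  }

# Combined report: oldest passwords first within each classification.
$report = @($adReport) + @($entraReport)
$report | Sort-Object Classification, PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\password-never-expires.csv -NoTypeInformation

# Everything marked FINDING, plus any Domain Admin on the list, is a finding.
$findings = @($report | Where-Object { $_.Classification -like 'FINDING*' -or $_.IsDomainAdmin })
Write-Host ("{0} accounts need an owner and a decision." -f $findings.Count)
```

Two caveats when reading the output. Accounts synced from AD into Entra ID follow the on-prem policy, so fix them on the AD side; the Graph query is for cloud-only accounts. And a user whose PasswordAgeDays is blank has a password that was never set or was reset with "must change at next logon", which is a separate question from the expiry flag.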
The fix isn't complicated
Closing this gap is a one-week project for most Indiana SMBs:
- Audit every account with "password never expires" — separate humans from service accounts.
- Move service accounts into a managed vault with automatic rotation.
- Set a reasonable expiration policy on human accounts (we typically use 180 days).
- Roll out MFA at the same time. It softens the user impact of password rotation and dramatically improves your security posture.
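The first three steps can be rehearsed and then applied from one script. This is an added example, not a script from the post or from JPtheGeek; it assumes the ActiveDirectory module, Domain Admin rights, and the same constructed allow list of documented service accounts as above. MFA rollout is a Conditional Access or Security Defaults change in Entra ID and is not shown here.

```powershell
# Added example (not from the original post): clear "password never expires"
# on human accounts and set a 180-day maximum age, dry-run by default.
# Assumptions: ActiveDirectory module, Domain Admin rights, constructed
# allow list of documented service accounts. Run with -Apply to make changes.
param(
    [string[]] $DocumentedServiceAccounts = @('svc-backup', 'svc-sql-erp'),
    [int]      $MaxPasswordAgeDays        = 180,   # the post's typical setting
    [switch]   $Apply                               # without -Apply nothing is changed
)

Import-Module ActiveDirectory
$whatIf = -not $Apply   # -WhatIf:$true prints what would happen and stops

# 1. The domain policy that takes effect once the per-user flag is cleared.
#    A fine-grained password policy (PSO) bound to a user or group overrides it,
#    so check Get-ADFineGrainedPasswordPolicy -Filter * as well if any exist.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Current default maximum password age: {0} days" -f $policy.MaxPasswordAge.TotalDays)
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MaxPasswordAge (New-TimeSpan -Days $MaxPasswordAgeDays) -WhatIf:$whatIf

# 2. Clear the per-user flag on every account that is not a documented
#    service account. Anyone whose password is already older than the new
#    maximum will be forced to change it at next logon, so list them so the
#    rollout can be staggered and announced.
$targets = Get-ADUser -Filter 'PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, Enabled |
  Where-Object { $DocumentedServiceAccounts -notcontains $_.SamAccountName }

foreach ($user in $targets) {
    if ($user.PasswordLastSet) {
        $ageDays = [int](New-TimeSpan -Start $user.PasswordLastSet -End (Get-Date)).TotalDays
        $note = if ($ageDays -gt $MaxPasswordAgeDays) { 'forced change at next logon' }
                else { 'expires on schedule' }
    } else {
        $ageDays = -1
        $note = 'password never set; change already required at next logon'
    }
    Write-Host ("{0,-25} enabled={1,-5} age={2,5} days  -> {3}" -f `
        $user.SamAccountName, $user.Enabled, $ageDays, $note)
    Set-ADUser -Identity $user -PasswordNeverExpires $false -WhatIf:$whatIf
}

# 3. Documented service accounts keep the flag until they live in the vault.
#    List them with their password age so the vault migration has a worklist.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordLastSet |
  Where-Object { $DocumentedServiceAccounts -contains $_.SamAccountName } |
  Select-Object SamAccountName, PasswordLastSet |
  Format-Table -AutoSize
```

Run it once without arguments to see the dry run, then with -Apply. Clearing the flag does not reset anyone's password; it only lets the domain maximum age apply, which is why the script calls out the accounts that will be prompted immediately. For cloud-only Entra ID accounts the equivalent change is Update-MgUser with -PasswordPolicies "None".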
This isn't a project that requires a six-figure budget or a major migration. It's discipline. And it's almost certainly the highest-ROI security work your business can do this year.
Want us to check yours?
Our free IT & security audit includes this check, plus about 30 others we run on every new environment. We'll give you a numbered list of findings ranked by severity. No obligation, no high-pressure pitch — just an honest read on where you actually stand.
JPtheGeek provides managed IT, cybersecurity, and AI services to Indiana businesses across Greenwood, Indianapolis, and Central Indiana. Get a free IT & security audit →
