Reply to post: Re: password manager, change passwords all the time.

Friday FYI: 9 out of 10 of website login attempts? Yeah, that'll be hackers

MonkeyCee

Re: password manager, change passwords all the time.

"I think our auditors (in NZ) are twats."

It sounds like they are doing their job, recommending a basic level of password changing and using a password manager so users don't have to choose easily memorable passwords. 2FA on the password manager would be a good idea, as it's a single point of weakness.

Security is always inconvenient. Does every staff member have a key/pass to let them into the appropriate areas, or do you leave all the doors unlocked?

The more sensitive your job, the more you have to accept heightened security. Donkey's years ago I worked for the Corrections (prisons etc) IT support. On a normal service desk, a user will call for a password reset and there will be no checks that this person is who they say they are. Fast, convenient but hella insecure. For corrections we'd call them back, on their listed number. Slower but more secure.

Security is also seen as a waste of time right up until the lack of it bites someone in the ass.

Auditors are there to point out things that a company should be doing but aren't. Your company is taking risks with a lack of password changing, so it's up to you to decide if it's worth the risk.
