How is this still not done? This should be extremely easy implementation, and would make our databases more secure.

The current "industry standards" that you claim to have for password security are outdated. In your policy the Microsoft password requirements are even more robust than the options that you give users for client data in the CRM. This MUST be updated in order to keep the integrity of our client's information safe. Being a leader in this industry means staying on top of keeping clients information safe. This is a HUGE issue and needs to be resolved more timely than "may be planned".

Adding to this - the NIST guidelines specifically discourage periodic password rotations entirely, advising that forced password resets should only be performed when there is evidence of an account compromise.

From section 5.1.1.2 of NIST 800-63b:

"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

https://pages.nist.gov/800-63-3/sp800-63b.html

At least allow up to opt out of periodic password rotations. As others, including NIST, have said, it just makes passwords weaker.

Microsoft has determined that requiring passwords to expire is a waste of time. See below. Please allow users to choose password expiration periods from 90 days to never.

https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/

Since the CRM has quite literally become the "hub" of all client information, you would think that you need it to become more and more secure. The Redtail limit of 16 characters is somewhat "short" to say the least. I would suggest a maximum of at least 24 characters if not 40 characters with all various letters, numbers, and symbols allowed.

With the use of password managers growing, using longer passwords that are randomly generated will be good for all involved.

Agreed. There should at least be an administrative function that allows the administrator to set the number of days between new passwords. Including turning off the function altogether.

Absolutely this.

The more frequently we must change passwords, the weaker the passwords must become. Our firm has a password policy that gives us very strong passwords on a certain interval - but never this frequently.

Additionally, for having such a strict policy of changing passwords, it is fairly restrictive what we can do. Why no passwords over 16 characters if we are going to change them every 90 days? It is almost as if RedTail WANTS its customers to have weak security!

As financial advisors, we already have a plethora of usernames and passwords that we have to remember for our daily work. For our staff and advisors to have to update and remember their new password every 90 days is quite frustrating, especially in something that we use daily. I understand it is for "security reasons," but I've not encountered or heard of another CRM that requires you to update your password every 90 days, there are other ways of providing security and it would be great if this was an optional feature that we could disable.