Hello @Andrea Vironda ,
Thank you for posting here.
Here are the answers for your reference.
- We're only a few people; is it necessary to change them? What's the best practice?
A1: If these passwords meet best practice or are strong passwords (which have at least eight characters and include a combination of letters, numbers, and symbols), we can keep them.
Here is best practice for password policy.
Enforce password history: Set Enforce password history to 24.
Maximum password age: Set Maximum password age to a value between 30 and 90 days, depending on your environment.
Minimum password age: Windows security baselines recommend setting Minimum password age to one day.
Minimum password length: Set Minimum password length to at least a value of 8.
Password must meet complexity requirements: Set Passwords must meet complexity requirements to Enabled.
Store passwords using reversible encryption: Set the value for Store password using reversible encryption to Disabled.
- How long does a password last? It seems now it's 1 month, but it's too short.
A2: See A1, or I suggest setting it to 3 to 6 months (maybe one year, depending on your environment).
Reference
Password Policy
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
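As an added example (not part of the original answer or of Microsoft's documentation), the script below audits the effective local password policy against the six settings and values listed in A1. It assumes a Windows host with secedit.exe and an elevated PowerShell session; the INF key names (PasswordHistorySize, MaximumPasswordAge, MinimumPasswordAge, MinimumPasswordLength, PasswordComplexity, ClearTextPassword) are the ones secedit writes to the [System Access] section of its export. The 30-90 day range comes from A1; pass 90 and 180 as parameters to check against the 3-6 month suggestion in A2 instead.

```powershell
# Added example, not from the original answer: audit the effective local
# password policy against the baseline values listed in A1.
# Assumes Windows with secedit.exe and an elevated PowerShell session.
function Test-PasswordPolicy {
    param(
        [int]$MaxAgeLow  = 30,   # A1 baseline range is 30..90 days;
        [int]$MaxAgeHigh = 90    # use 90/180 for A2's 3-6 month suggestion
    )

    $inf = Join-Path $env:TEMP 'pwpolicy-audit.inf'
    # Export the local security policy (account-policy area only).
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }

    # Parse numeric "Key = Value" lines from the [System Access] section.
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    # One row per setting named in the answer: INF key, recommended value, pass condition.
    # MaximumPasswordAge = -1 in the INF means "never expires"; it fails the range check.
    $checks = @(
        @{ Setting = 'Enforce password history'; Key = 'PasswordHistorySize';
           Want = '24'; Pass = { param($v) $v -ge 24 } }
        @{ Setting = 'Maximum password age'; Key = 'MaximumPasswordAge';
           Want = "$MaxAgeLow-$MaxAgeHigh days";
           Pass = { param($v) $v -ge $MaxAgeLow -and $v -le $MaxAgeHigh }.GetNewClosure() }
        @{ Setting = 'Minimum password age'; Key = 'MinimumPasswordAge';
           Want = '1 day'; Pass = { param($v) $v -ge 1 } }
        @{ Setting = 'Minimum password length'; Key = 'MinimumPasswordLength';
           Want = '8 or more'; Pass = { param($v) $v -ge 8 } }
        @{ Setting = 'Password must meet complexity requirements'; Key = 'PasswordComplexity';
           Want = 'Enabled (1)'; Pass = { param($v) $v -eq 1 } }
        @{ Setting = 'Store passwords using reversible encryption'; Key = 'ClearTextPassword';
           Want = 'Disabled (0)'; Pass = { param($v) $v -eq 0 } }
    )

    foreach ($c in $checks) {
        $current = $policy[$c.Key]
        $status = if ($null -eq $current) { 'MISSING' }
                  elseif (& $c.Pass $current) { 'OK' }
                  else { 'FAIL' }
        [pscustomobject]@{
            Setting     = $c.Setting
            Current     = $current
            Recommended = $c.Want
            Status      = $status
        }
    }
}

# Run the audit; FAIL rows are the settings to adjust in secpol.msc
# (Account Policies > Password Policy) or in the domain GPO.
$result = Test-PasswordPolicy
$result | Format-Table -AutoSize
if ($result.Status -contains 'FAIL') {
    Write-Warning 'One or more password policy settings are below the baseline.'
}
```

On a domain-joined machine this reports the policy that applies to local accounts only; domain accounts follow the default domain policy, which you can read with Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module and compare to the same values.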