
notepad0x90, today at 1:47 AM

> I also disagree there. Just change it exactly once every two weeks or so. Just don't do it more than once within 10 hours. See: https://adsecurity.org/?p=4597

That link says wait a week before the second change. There is a good reason for that, because Kerberos is so asymmetric and just because there are badly written apps out there, you'll cause failed logins for them if you do it too fast. Normally I consider this in the context of a domain compromise, so you have to consider making the rotation with a lower delay, but that always raises the controversy of causing outages. My original comment is exactly what you said: the rotation should be an automatic and regular event. It should be able to change it, track how much the old password is being used, and after the old password hasn't been used in <configured interval> it can do another rotation. It can prevent outages by tracking usage that way. I see no good reason why they made the effort to have an old/new password distinction but didn't give admins the option to auto-rotate. Although, I wonder if you can do this now with PowerShell (if the old pw usage is tracked anywhere).

> That's not quite right. If the password is sufficiently strong, you won't crack it even when RC4 is used. The password space is infinite.

You're totally right. I was thinking in terms of the passwords people usually configure, which are 12-18 characters long. But computer accounts and well-configured service accounts, I've seen them use a 64-character minimum, which should be very hard to crack with RC4.
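The guarded rotation the comment describes (rotate, then refuse a second rotation until a minimum interval has passed and every DC has replicated the first change), as an added PowerShell example that is not from the thread or the linked article. It assumes the RSAT ActiveDirectory module and Domain Admin rights; `$MinGapHours` is a constructed parameter, defaulting to the one-week gap the comment mentions, and no usage tracking of the old key is attempted because the comment itself notes it is unclear whether that is recorded anywhere.

```powershell
# Added example: guarded krbtgt rotation (assumes RSAT ActiveDirectory module,
# run with Domain Admin rights). $MinGapHours is a constructed parameter.
#Requires -Modules ActiveDirectory
param(
    [double]$MinGapHours = 24 * 7,   # one week, per the linked article
    [switch]$Force                   # e.g. during a confirmed domain compromise
)

Import-Module ActiveDirectory

$pdc    = (Get-ADDomain).PDCEmulator
$krbtgt = Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet
$age    = (Get-Date) - $krbtgt.PasswordLastSet
Write-Host ("krbtgt password last set {0:u} ({1:N1} h ago)" -f `
    $krbtgt.PasswordLastSet, $age.TotalHours)

# Guard 1: the KDC keeps only the current and previous krbtgt key, so a
# second rotation inside the gap orphans every ticket issued under the key
# from two rotations ago; that is the failed-logins outage the thread warns about.
if ($age.TotalHours -lt $MinGapHours -and -not $Force) {
    Write-Warning ("Last rotation was {0:N1} h ago, below the {1} h minimum; not rotating." -f `
        $age.TotalHours, $MinGapHours)
    return
}

# Guard 2: every DC must already hold the previous change, otherwise a DC
# still on an older key would reject tickets after this rotation.
$stale = foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
    if ($u.PasswordLastSet -ne $krbtgt.PasswordLastSet) { $dc.HostName }
}
if ($stale) {
    Write-Warning "krbtgt change not yet replicated to: $($stale -join ', '); not rotating."
    return
}

# Rotate. Nobody ever types this value (AD derives the Kerberos keys from it),
# so generate a long random string and discard it.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $newPw
Write-Host "krbtgt password rotated on $pdc; next rotation allowed after $MinGapHours h."
```

Scheduling this script to run regularly gives the automatic, interval-gated double rotation the comment asks for; the replication check matters because the second rotation is only safe once the first has reached every DC.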