While my company has rules for how frequently passwords are changed on such endpoints as corporate-issued laptops, there is a complete lack of rules regarding how often passwords are changed on third-party applications that users access for business purposes (e.g., Facebook, Twitter, etc.). Should enterprises issue guidance to users regarding password change frequency for such applications, and if so, what should that guidance be? In what instances should two-factor authentication be employed on third-party applications that support it?