
How long should accounts be deactivated before being deleted? Should accounts be deactivated?

For example, our organization uses 1Password Business, which allows for accounts to be deactivated. How long should we keep deactivated accounts around? Accounts left deactivated for too long tend to clutter things.

If your organization is under compliance measures like PCI, SOC 2, etc., you may need to keep accounts deactivated for a given time (how long, not sure).

As a general rule, how long should accounts be deactivated before being deleted?

1 Answer


From a compliance perspective the answer is usually: establish a policy that complies with your regulatory requirements and business needs, and then ensure that your organisation actually follows that policy.

As long as your policy is not complete nonsense and provides good arguments, the actual period can vary from "delete accounts immediately when they get deactivated" to "expired accounts are locked, clearly labeled and kept indefinitely" ...

Some systems have pricing tiers based on the number of registered accounts rather than the number of active accounts, and that might be a good reason to delete accounts as quickly as you can.

For things like file shares that store file ownership as a SID or UID number, it might be very useful to keep the deactivated account to maintain the mapping to a more human-readable username/account.

Bob
  • 6,366
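The answer's last two points (a retention window set by policy, plus holding back deletion while a numeric UID still owns files) can be turned into a pre-deletion check. The script below is an added example, not code from the question or answer; the account records, the 90-day window and the `referenced_uids`/`retention_decisions` names are assumptions made for illustration.

```python
import os
import pwd
from datetime import datetime, timedelta


def referenced_uids(root):
    """Collect the numeric owner UID of every entry under root.
    lstat is used so a symlink reports its own owner, not its target's."""
    uids = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                uids.add(os.lstat(path).st_uid)
            except OSError:
                pass  # unreadable entry: skip it rather than abort the audit
    return uids


def resolvable(uid):
    """True if the local account database can still map uid to a name."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def retention_decisions(accounts, now, retention_days, still_referenced):
    """accounts: {name: {"uid": int, "deactivated_at": datetime}}.
    still_referenced: UIDs that still own files (e.g. from referenced_uids).
    Returns {name: "keep" | "delete" | "hold"}:
      keep   - still inside the policy's retention window
      delete - window elapsed and nothing points at the UID any more
      hold   - window elapsed, but deleting now would leave files owned by
               a bare number with no account name to map it back to."""
    cutoff = now - timedelta(days=retention_days)
    decisions = {}
    for name, rec in accounts.items():
        if rec["deactivated_at"] > cutoff:
            decisions[name] = "keep"
        elif rec["uid"] in still_referenced:
            decisions[name] = "hold"
        else:
            decisions[name] = "delete"
    return decisions


if __name__ == "__main__":
    # Constructed sample records; a real run would load these from the IdP.
    accounts = {
        "alice": {"uid": 1001, "deactivated_at": datetime(2024, 5, 25)},
        "bob": {"uid": 1002, "deactivated_at": datetime(2024, 1, 1)},
    }
    owners = referenced_uids("/srv/share")  # assumed share path
    print(retention_decisions(accounts, datetime(2024, 6, 1), 90, owners))
```

Run it against the share's mount point before the scheduled deletion; every "hold" result is an account whose UID still appears as a file owner and should be reassigned (or kept) first.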