tracker1, 4 hours ago:
Given the time it's been since deprecated, I'm assuming most older versions of Windows since 2000 and Samba have long since supported more secure options... though from some comments even the more secure options are relatively weak by today's standards as well. Aside: still hate working in orgs where you have a password reset multiple times a year... I tend to use some relatively long passphrases, if not the strongest possible... (ex: "ThisHasMyNewPassphrase%#23") I just need to be able to remember it through the first weekend each time I change without forgetting the phrase I used.

WorldMaker, 4 hours ago:
Depending on your organization, it can sometimes help to point the right compliance person to the latest NIST guidelines, specifically: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

> Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.

One of the nice cases where it can be helpful that standards themselves, which you can point to, have said to stop doing that.

tracker1, 3 hours ago:
Yeah, I've gotten headway in this in other places I've worked... heavy advocate for the only requirement being a minimum length with the recommendation to use a "phrase" as well as not requiring rotation in terms of less than a year at a time if at all... though not strictly matching NIST, some ops find a "never require change" policy hard to swallow. I wrote an authentication platform used by a few govt agencies. The irony is all my defaults match NIST guidelines (including haveibeenpwned lookup on password set/change), but needed to support the typical overrides for other hard requirements that tend to come from such agencies in practice.

thaumasiotes, 3 hours ago:
>> Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.

> though not strictly matching NIST, some ops find a never require change hard to swallow.

I think they're right about that. A scheduled change just represents the accumulating probability that there's been a compromise somewhere that didn't come to your attention. It seems like it would make more sense for a scheduled change to affect all passwords at once, though.

GTP, 3 hours ago:
There has to be some balance though, as requiring change too frequently encourages the use of insecure but easy-to-remember passwords, or passwords that are very similar to the previous one, thus defeating the purpose of the change (e.g. a password containing the year, and the employee only changes the year every time). Best would be pushing for the use of a password manager or auth tokens like Yubikeys.

tracker1, 3 hours ago:
On changes, as I've mentioned in other threads, I don't think once a year is too bad... also, I'm an advocate of SSO as much as possible with a strong MFA (ideally push selection) option for work orgs. It reduces friction and can actually improve overall security if appropriately managed... that said, building internal apps that have appropriate application access is often harder still in these environments.

kstrauser, 44 minutes ago:
I got to work one morning recently, got a message that our MDM required me to change my password, logged into the MDM, turned off that obsolete option, and announced to the company via Slack that we're not doing that anymore. Every now and again I ponder if I'm happy where I'm at career-wise, and then something like this reminds me that I have the authority to make these decisions, and I decide that yeah, I like being me.

hypeatei, an hour ago:
> point the right compliance person to the latest NIST guidelines

This only works if that's the only standard they're adhering to. At my employer, the password changes are mandated by their "cyber insurance" policy, which hasn't caught up with the times.

thewebguyd, 4 hours ago:
Unfortunately, not all guidelines have caught up. PCI-DSS still requires password changes every 90 days for anything in scope (the cardholder data environment, anything that might even remotely touch payment card data).

fragmede, 3 hours ago:
Not with MFA. Not for a while now. And regardless, the word(s) you are looking for is "compensating control".

SoftTalker, 3 hours ago:
Fine until you run into the filter that prevents the new password from having any of the same substrings longer than some limit compared to the old one.

jandrese, 2 hours ago:
Which means that they're storing your password in plaintext somewhere.

mr_mitm, 2 hours ago:
No, because you have to submit the old one along with the new one.

jandrese, 2 hours ago:
IMHO there are two requirements for a good password:
1. It must be hard for a computer to guess.
2. It must be easy for a human to remember.
If you cannot set a secure password and then remember it a week later, it is a bad password. This is why I really hate overly strict password requirements that make it hard to remember. These cause people to write it down or do things that appease the password checker but don't make it harder to guess.

christkv, 4 hours ago:
I mean this is what I use 1password for.

SahAssar, 4 hours ago:
If it's the IT-managed computer login then you couldn't use a password manager for it, right? I think this is more the realm of using Windows Hello or Apple Touch ID (AFAIK no good, simple, standard built-in way exists for Linux distros) to get the first OS login, and then you can use your password manager when you are logged into the OS.

tracker1, 3 hours ago:
I tend to never use my password manager for my primary OS logins for desktops/laptops I physically access. Fortunately, I rarely have to keep more than 5 or so memorized at a time (including my password manager, Bitwarden/Vaultwarden).