WorldMaker 4 hours ago

Depending on your organization, it can sometimes help to point the right compliance person to the latest NIST guidelines, specifically:

https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

> Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.

This is one of the nice cases where it helps that the standards themselves, which you can point to, have said to stop doing that.

kstrauser 37 minutes ago

I got to work one morning recently, got a message that our MDM required me to change my password, logged into the MDM, turned off that obsolete option, and announced to the company via Slack that we're not doing that anymore.

Every now and again I ponder if I'm happy where I'm at careerwise, and then something like this reminds me that I have the authority to make these decisions, and I decide that yeah, I like being me.

tracker1 3 hours ago

Yeah, I've gotten headway on this in other places I've worked... heavy advocate for the only requirement being a minimum length, with the recommendation to use a "phrase", as well as not requiring rotation more often than once a year, if at all... though not strictly matching NIST, some ops find a never-require-change policy hard to swallow.

I wrote an authentication platform used by a few govt agencies. The irony is that all my defaults match NIST guidelines (including a haveibeenpwned lookup on password set/change), but I needed to support the typical overrides for the other hard requirements that tend to come from such agencies in practice.
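
As an added illustration (not tracker1's platform or any of its code), here is a small Python model of the NIST defaults discussed above: a k-anonymity breach lookup in the style of haveibeenpwned, run against a constructed local corpus so it works offline, and a change-required rule that fires only on evidence of compromise, never on password age. The corpus, the 8-character minimum and the Account fields are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed, hypothetical breach corpus standing in for the Pwned Passwords
# data set so the example runs offline. Values are invented.
BREACHED_PASSWORDS = {"password123": 1_200_000, "letmein": 400_000, "Summer2024!": 3_500}
MIN_LENGTH = 8  # assumed policy value; NIST 800-63B requires at least 8 characters

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_query(prefix: str) -> dict[str, int]:
    """Simulated server side of the k-anonymity range API: given a 5-char hash
    prefix, return every matching 35-char suffix with its breach count.
    The server never sees the full hash, let alone the password."""
    assert len(prefix) == 5
    matches = {}
    for pw, count in BREACHED_PASSWORDS.items():
        h = _sha1_hex(pw)
        if h.startswith(prefix):
            matches[h[5:]] = count
    return matches

def breach_count(password: str) -> int:
    """Client side: send only the first 5 hex chars, match the suffix locally."""
    h = _sha1_hex(password)
    return range_query(h[:5]).get(h[5:], 0)

@dataclass
class Account:
    password_age_days: int
    compromise_evidence: bool  # e.g. credential seen in a breach dump, suspicious login

def change_required(acct: Account) -> bool:
    """NIST 800-63B rule: never on age alone, always on evidence of compromise."""
    return acct.compromise_evidence

def validate_new_password(password: str) -> list[str]:
    """Checks run on password set/change; returns the reasons the password is rejected."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if breach_count(password):
        problems.append("appears in breach corpus")
    return problems
```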

thaumasiotes 3 hours ago

>> Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.

> though not strictly matching NIST, some ops find a never require change hard to swallow.

I think they're right about that. A scheduled change just represents the accumulating probability that there's been a compromise somewhere that didn't come to your attention.

It seems like it would make more sense for a scheduled change to affect all passwords at once, though.

GTP 3 hours ago

There has to be some balance though, as requiring change too frequently encourages the use of insecure but easy-to-remember passwords, or passwords that are very similar to the previous one, thus failing the purpose of the change (e.g. a password containing the year, where the employee only changes the year every time). Best would be pushing for the use of a password manager or auth tokens like Yubikeys.

tracker1 2 hours ago

On changes, as I've mentioned in other threads, I don't think once a year is too bad... also, I'm an advocate of SSO as much as possible with a strong MFA (ideally push selection) option for work orgs. It reduces friction and can actually improve overall security if appropriately managed... that said, building internal apps that have appropriate application access is often harder still in these environments.

hypeatei an hour ago

> point the right compliance person to the latest NIST guidelines

This only works if that's the only standard they're adhering to. At my employer, the password changes are mandated by their "cyber insurance" policy which hasn't caught up with the times.

thewebguyd 4 hours ago

Unfortunately, not all guidelines have caught up. PCI-DSS still requires password changes every 90 days for anything in scope (the cardholder data environment, anything that might even remotely touch payment card data).

fragmede 3 hours ago

Not with MFA. Not for a while now. And regardless, the word(s) you are looking for is "compensating control".