Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tracker1 3 hours ago

Yeah, I've gotten headway in this in other places I've worked... heavy advocate for the only requirement being a minimum length with the recommendation to use a "phrase" as well as not requiring rotation in terms of less than a year at a time if at all... though not strictly matching NIST, some ops find a never require change hard to swallow.

I wrote an authentication platform used by a few govt agencies. The irony is all my defaults match NIST guidelines (including haveibeenpwned lookup on password set/change), but needed to support the typical overrides for other hard requirements that tend to come from such agencies in practice.

thaumasiotes 3 hours ago | parent [-]

>> Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.

> though not strictly matching NIST, some ops find a never require change hard to swallow.

I think they're right about that. A scheduled change just represents the accumulating probability that there's been a compromise somewhere that didn't come to your attention.

It seems like it would make more sense for a scheduled change to affect all passwords at once, though.

GTP 3 hours ago | parent | next [-]

There has to be some balance though, as requiring change too frequently encourages the use of insecure but easy to remember passwords, or password that are very similar to the previous one thus failing the purpose of the change (e.g. a password containing the year, and the employee only changes the year every time). Best would be pushing for the use of a password manager or auth tokens like Yubikeys.

tracker1 3 hours ago | parent | prev [-]

On changes, as I've mentioned in other threads, I don't think once a year is too bad... also, I'm an advocate of SSO as much as possible with a strong MFA (ideally push selection) option for work orgs. It reduces friction and can actually improve overall security if appropriately managed... that said, building internal apps that have appropriate application access is often harder still in these environments.