dijit, 2 days ago:
That's part of why NIST updated their password rotation recommendations from 90 days to indefinite: people pay lip service to security if it is too inconvenient. You have to try to meet people where they are. Preaching is not a strong motivator for long.
|
carefree-bob, 2 days ago:
It's not just about "convenience"; it is hard for the human mind to remember a truly random password. You can try all the mnemonic tricks you want, but at the end of the day it requires a lot of time and repetition before entering the password is effortless. So what people do is create a stream of derivable passwords. For example, I can think of a phrase "I love beach balls bouncing on the ocean!" and then make a password "ilBBbotocean!", and when it comes time to change that password, I'll just add a number: "ilBBbotocean!1". Studies have shown this is what people do. But it is easy for attackers to also derive these passwords once one password in the chain has been compromised. The effect of that is that by requiring frequent rotation, the organization is effectively training its users to have a single permanent password and to never change it, even after a compromise. That's extremely harmful. At least with permanent passwords that are force-rotated after they show up in a database or there has been an incident, you have a much higher percentage of compliance with making new passwords, and the organization is safer because everyone isn't using passwords derived from the previous password.
mysteria, 2 days ago:
I remember a case where a company decided to assign employees random 16-character passwords with symbols and rotated them every 90 days or so. They were unchangeable, and the idea was that everyone would be forced to use a secure password that changed regularly. You can probably guess what happened, and that was that no one remembered their passwords and people wrote them down on their pads or sticky notes instead.
bluGill, 2 days ago:
Writing down a password is a great option. However, you need to keep that paper in a secure location. Put it in your wallet and treat it like a $100 bill; don't paste it to a monitor or under the keyboard. A password manager is better for most things, but you need to unlock the password manager somehow.
GoblinSlayer, 2 days ago:
Also "app passwords". Not just change, you can't even append text to it.
|
|
mystraline, 2 days ago:
Most federal orgs still have 60-day password rotation requirements in place, even though NIST gave guidance almost 10 years ago not to do that. What does that mean? Passwords are stored in text files accessible by admin only, and shared. And everyone is worse for it.
Joel_Mckay, 2 days ago:
Mostly, it forces dead accounts off the system, as layoff notices are sent the day after. It is mostly about ensuring some busy admin doesn't have to inventory every user permission. Rotating domain logins performs a similar function of booting inactive users. 2FA actually may make a system weaker, as people can MITM for $23 using a bogus telecom service and password reset. =3
dragonwriter, 2 days ago:
> It is mostly about ensuring some busy admin doesn't have to inventory every user permission.

So, it's a bad authn practice that is maintained to mitigate the impacts of bad authz practices (you make authn less secure when people are intended to be authorized, in the hopes that when they aren't and you haven't cleaned up their permissions, the password expiration will cause authn failures so the fact that their authorization hasn't been revoked won't matter), instead of adopting good authn and authz practices?
Joel_Mckay, 2 days ago:
Each department's resources are usually preemptively cut off globally from the redundant employees at the same time for safety reasons. A lot faster than chicken-pecking each user's group membership, and batched password invalidation. If the former user had IT administrative and VPN access, it would otherwise take time to figure out who should still be there. It is faster to rotate the whole department's access to auto-kick non-participants off the network. Then mop up the specific user logins, and migrate any orphaned user assets into the department share. Keep in mind >90% of security breaches come from within firms. =3
MengerSponge, 2 days ago:
SMS 2FA is harmful. Fortunately, other 2FA modalities are susceptible to that MITM attack.
|
|
|
nvgrw, 2 days ago:
Every time I log into the FTB (CA tax authority) website I have to set a new password. I wish there were some affirmative guidance to stop doing this, because at the moment governments still think forcing password changes makes it “safer”.
dragonwriter, 2 days ago:
> I wish there were some affirmative guidance to stop doing this because at the moment governments still think forcing password changes makes it “safer”.

NIST SP 800-63B-4 [0] seems to be pretty clear “affirmative guidance”, though it's only actually legally required in certain circumstances.

[0] https://pages.nist.gov/800-63-4/sp800-63b.html @ 3.1.1.2: “[...] Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised. [...]”
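What the SP 800-63B rule quoted above and carefree-bob's "append a digit" pattern earlier in the thread imply for a verifier, as an added Python example that is not part of the thread: `change_required` never expires a password by age and forces a reset only on evidence of compromise, `in_breach_corpus` does a k-anonymity style prefix lookup against a constructed stand-in corpus (not a real breach service), and `is_derived` rejects a replacement that is just the old password with a counter tacked on.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus (assumption for the example); a real
# verifier would query a breached-password service with the same k-anonymity shape.
LEAKED_PASSWORDS = ["password1", "ilBBbotocean!"]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def constructed_range_response(prefix: str) -> str:
    """Emulates a range endpoint: 'SUFFIX:COUNT' lines for leaked hashes sharing the 5-char prefix."""
    hits = [f"{sha1_hex(p)[5:]}:{n}" for n, p in enumerate(LEAKED_PASSWORDS, 1)
            if sha1_hex(p)[:5] == prefix]
    return "\n".join(hits + ["0" * 34 + "F:3"])  # unrelated padding entry

def in_breach_corpus(password: str, lookup=constructed_range_response) -> bool:
    """Only the 5-char hash prefix leaves the verifier; the suffix is matched locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return any(line.split(":", 1)[0] == suffix for line in lookup(prefix).splitlines())

def _stem(password: str) -> str:
    """Drop trailing digits/symbols and case: 'ilBBbotocean!1' -> 'ilbbbotocean'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()

def is_derived(old: str, new: str) -> bool:
    """True when the new password is the old one with a counter appended/bumped or text wrapped around it."""
    old_stem = _stem(old)
    return bool(old_stem) and (old_stem == _stem(new) or old_stem in new.lower())

def change_required(password: str, age_days: int, lookup=constructed_range_response):
    """SP 800-63B 3.1.1.2: age alone never forces a change; evidence of compromise does."""
    return "compromised" if in_breach_corpus(password, lookup) else None  # age_days ignored on purpose

def reject_reasons(old: str, new: str, lookup=constructed_range_response) -> list:
    """Applied during a forced reset so the replacement is neither derived from the old one nor itself leaked."""
    reasons = []
    if is_derived(old, new):
        reasons.append("derived-from-previous")
    if in_breach_corpus(new, lookup):
        reasons.append("in-breach-corpus")
    return reasons
```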
|