mystraline 2 days ago

Most federal orgs still have 60-day password rotation requirements in place, even though NIST gave guidance almost 10 years ago not to do that.

What does that mean? Passwords are stored in text files accessible by admin only, and shared. And everyone is worse for it.

Joel_Mckay 2 days ago | parent

Mostly, it forces dead accounts off the system, as layoff notices are sent the day after.

It is mostly about ensuring some busy admin doesn't have to inventory every user permission.

Rotating domain logins performs a similar function of booting inactive users.

2FA actually may make a system weaker, as people can MITM for $23 using a bogus telecom service and password reset. =3

dragonwriter 2 days ago | parent | next

> It is mostly about ensuring some busy admin doesn't have to inventory every user permission.

So, it's a bad authn practice that is maintained to mitigate the impacts of bad authz practices (you make authn less secure when people are intended to be authorized, in the hopes that when they aren't and you haven't cleaned up their permissions, the password expiration will cause authn failures so the fact that their authorization hasn't been revoked won't matter), instead of adopting good authn and authz practices?

Joel_Mckay 2 days ago | parent

Each department's resources are usually preemptively cut off globally from the redundant employees at the same time for safety reasons. A lot faster than chicken-pecking each user's group membership, and batched password invalidation.

If the former user had IT administrative and VPN access, it would otherwise take time to figure out who should still be there. It is faster to rotate the whole department's access to auto-kick non-participants off the network. Then mop up the specific user logins, and migrate any orphaned user assets into the department share.

Keep in mind >90% of security breaches come from within firms. =3
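Added worked example (not from any commenter in this thread): the exchange above is really about two offboarding models, "let the 60-day expiry lock dead accounts eventually" versus "disable on HR termination regardless of password age". The script below models both over a small constructed account list (the names, departments and dates are made up, and ROTATION_DAYS is the 60-day policy from the first comment) so you can see the residual-access window the expiry-only model leaves open for each terminated user.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

ROTATION_DAYS = 60   # the 60-day rotation policy discussed in the thread
INACTIVE_DAYS = 30   # hypothetical stale-login threshold for explicit deprovisioning


@dataclass
class Account:
    user: str
    dept: str
    hr_status: str               # "active" or "terminated"
    terminated_on: Optional[date]
    password_set: date           # last time the password was changed
    last_login: date


# Constructed sample directory data; every value here is invented for illustration.
TODAY = date(2024, 6, 1)
ACCOUNTS: List[Account] = [
    Account("alice", "finance", "active",     None,              date(2024, 5, 20), date(2024, 5, 31)),
    Account("bob",   "finance", "terminated", date(2024, 5, 30), date(2024, 5, 28), date(2024, 5, 29)),
    Account("carol", "finance", "terminated", date(2024, 3, 1),  date(2024, 2, 15), date(2024, 2, 28)),
    Account("dave",  "it",      "terminated", date(2024, 5, 30), date(2024, 4, 5),  date(2024, 5, 30)),
]


def password_expired(acct: Account, today: date = TODAY,
                     rotation_days: int = ROTATION_DAYS) -> bool:
    """True once the password is older than the rotation window."""
    return (today - acct.password_set).days >= rotation_days


def rotation_only_residual_access(accounts: List[Account],
                                  rotation_days: int = ROTATION_DAYS) -> Dict[str, int]:
    """Model 1: expiry is the offboarding mechanism.

    For each terminated user, return how many days their existing password
    keeps working after the termination date before the rotation policy
    forces it to expire.  A freshly rotated password means almost the full
    window of residual access.
    """
    residual: Dict[str, int] = {}
    for a in accounts:
        if a.hr_status != "terminated" or a.terminated_on is None:
            continue
        expiry = a.password_set + timedelta(days=rotation_days)
        residual[a.user] = max(0, (expiry - a.terminated_on).days)
    return residual


def explicit_deprovisioning(accounts: List[Account], today: date = TODAY,
                            inactive_days: int = INACTIVE_DAYS) -> Set[str]:
    """Model 2: disable on HR termination regardless of password age.

    Also flags accounts with no login in `inactive_days`, which is the
    inventory the expiry policy was standing in for.
    """
    disable: Set[str] = set()
    for a in accounts:
        if a.hr_status == "terminated" and a.terminated_on is not None \
                and a.terminated_on <= today:
            disable.add(a.user)
        elif (today - a.last_login).days >= inactive_days:
            disable.add(a.user)
    return disable


if __name__ == "__main__":
    for user, days in rotation_only_residual_access(ACCOUNTS).items():
        print(f"{user}: {days} days of residual access under expiry-only offboarding")
    print("explicit deprovisioning disables:", sorted(explicit_deprovisioning(ACCOUNTS)))
```

Running it shows the point dragonwriter is making: bob, laid off two days after rotating his password, keeps a working login for 58 more days under the expiry-only model, while the explicit check disables all three terminated users the day HR marks them. Department-wide forced rotation, as described in the reply, closes that window only if someone actually triggers it on the termination day.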

MengerSponge 2 days ago | parent | prev

SMS 2FA is harmful. Fortunately, other 2FA modalities are susceptible to that MITM attack.