
Should Companies Abandon Their Password Expiration Policies? – Slashdot

April 30, 2019 - MorningStar



Should Companies Abandon Their Password Expiration Policies? (techcrunch.com) 77

Posted by EditorDavid from the time’s-up dept.
In his TechCrunch column, software engineer/journalist Jon Evans writes that last month “marked a victory for sanity and pragmatism over irrational paranoia.” I’m talking about Microsoft finally — finally! but credit to them for doing this nonetheless! — removing the password expiration policies from their Windows 10 security baseline… Many enterprise-scale organizations (including TechCrunch’s owner Verizon) require their users to change their passwords regularly. This is a spectacularly counterproductive policy.

To quote Microsoft: “Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives… If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem… If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration…?”

Perfect security doesn’t exist. World-class security is hard. But decent security is generally quite accessible, if you faithfully follow some basic rules. In order to do so, it’s best to keep those rules to a minimum, and get rid of the ones that don’t make sense. Password expiration is one of those. Goodbye to it, and good riddance.
Instead the column recommends password managing software to avoid password re-use across sites, as well as two-factor authentication. “And please, if you work with code or data repositories, stop checking your passwords and API keys into your repos.”

But if your company still has a password expiration policy, he suggests mailing Microsoft’s blog post to your sys-admin. “They will ignore you at first, of course, because that’s what enterprise administrators do, and because information security (like transportation security) is too often an irrational one-way ratchet because our culture of fear incentivizes security theater rather than actual security — but they may grudgingly begin to accept that the world has moved on.”

Comments

  • Yes (Score:5, Informative)

    by esperto ( 3521901 ) writes: on Sunday June 02, 2019 @02:39PM (#58696110)

    It doesn’t help, only makes people use patterns that make it easy to guess and annoys the hell out of everyone.

    Next question.

    • by Anonymous Coward writes:

      Our clients, and especially our potential clients, audit us. They don’t just audit our products, they audit our business practices. They must, because they know quite well that if one of their software vendors has weak security and gets hacked, the hacker can use that to harm them, and they are the ones left holding the bag.

      They ask us questions about things like our password management policies, and insist that we use strong practices. Until THEY accept that the mandatory password rotation is a stupid p

      • The worst policy I’ve seen is a company that manages bus payment cards that requires the user to rotate passwords every 90 days, cannot use any of the previous unknown number of passwords but has to have at least 1 capital letter and 1 number and the password has to be 8 characters long, cannot be any shorter or any longer. Can you imagine how easy it is to break this with hashcat if someone gets hold of the password database? I find it just unbelievable that they, even after updating their management system, k

      • Anyone doing any business with the federal government has to comply with NIST standards. As of mid 2017, the federal mandate is that you do not expire passwords. You force a password change ONLY if you have reason to believe the password may have been compromised.

        https://pages.nist.gov/800-63-… [nist.gov]

        Also, it is NOT recommended to tell the bad guys that passwords start with a capital letter and end with a number followed by one of three punctuation characters. That’s what happens when you have a policy of “

    • Just get rid of the password history preventing you from using a large number of old passwords.

      The main issue with many companies is that they don’t have a good method of detecting when employment has ended.

    • It’s not that hard. SuperSecretWord01 in Jan, SuperSecretWord02 in Feb, SuperSecretWord03 in Mar, and so on works great for me.

        • by Anonymous Coward writes:

          This one is the most annoying for me: if they can compare anything other than salted hashes, it suggests your old passphrases are reversible, i.e. held as plaintext somewhere for comparison.

          • They can compare to the previous password as you typically need to enter your previous password when setting a new one… If they can compare any further back then it’s a problem.

          • For a password consisting of 16 ASCII printable characters, it takes 16 * (95 * 2 + 1) = 3056 runs of the password hashing function to test your new password with one character added, replaced, or deleted against a previous password hash. If the system saves your previous 24 password hashes, this totals 73,344 tests. Depending on the exact number of PBKDF2 iterations that the authentication system uses, this could prove practical, especially if it tries brute-forcing the last character of the last 3 passwor

      • That’s not what evidence shows, and requiring a change of passwords every so often can actually weaken the passwords company-wide, as a lot of (most) people will just increment the first one they’ve received and dictionary attacks can become easy after a leak of a single password.

        Periodically changing the passwords doesn’t correct this issue, as it would take just a few more tries to get in.

        To me, the only accounts that could be advisable to change passwords regularly are the ones that can do some damage, lik

    • I’m on version ‘b’ of my current work password. Nobody will ever guess what my new one will be when I log back in on Monday, since we just ticked into the 3rd quarter and that means I need to change it.

      Meanwhile I’ve had the same bank password for a decade.

      What strikes me is that there doesn’t really seem to be a middle ground. Either you have to change it every 30/60/90 days, or you don’t ever have to change it. I probably should have changed my bank password sometime in the last decade. But it’s a decent

  • by AndyKron ( 937105 ) writes: on Sunday June 02, 2019 @02:40PM (#58696114)

    You must have at least eight characters with a mix of upper case, lower case, numbers and symbols. You must also not use your last previous five passwords or you will be terminated.

  • OK so I’m an end user and probably missing some important technical detail, but… it seems to me that instead of users having long, hard-to-remember passwords that they have to change about the same time they actually start remembering them, can’t IT do a better job of tracking failed password attempts? What I’m thinking is if repeated failed attempts occur with a certain pattern (one or two failed attempts followed immediately by a successful one is just the user fat-fingering, for example), then IT gets in

    • The problem is the management not IT.

      Management will approve neither the resources nor the expenditure to allow IT to do its own damn job the majority of the time. You might feel bad as a user getting shitty service from IT but remember, we enjoy being able to help our users; we just get into trouble if we help you too much. Yes, we like to pick on users from time to time, but the decent ones among us know that without you needing help many of our jobs would be non-existent.

      90% of the problem in IT begin

    • by Junta ( 36770 ) writes:

      There are already throttles and lockouts employed by many IT organizations when attack behavior is detected.

      Problem is, this becomes a denial of service vector. An attacker can really screw up an organization by triggering account lockouts.

      The answer has to be more machine-generated and curated credentials. When combined with current best practices, you could allow an attacker unlimited guesses and it won’t matter.

    • If you are a real end user, you are in luck that most of the actual users of /. are fed up with the current season’s mass user migration to this site and have stopped giving sensible answers to most questions.
      As an old “IT” manager, I believe that the IT department must stay as far away as possible from users’ daily mistakes, like mistyped passwords.

      What most IT departments and their ISO 2700x, ITIL or other fancily named standards consultants fail to understand is that passwords do not protect against the most important vector att

      • What does plugging a USB device into an MS box do that it can’t do on another system? Does Linux have super-secure keyboard drivers that detect bad actors and prevent them from logging in?

    • by sjames ( 1099 ) writes:

      That used to work fairly well. Now, the attempts are well spread out. The bad guy gives his password guesser tens of thousands of accounts to work on. The guesser works very slowly, sometimes just a guess or two a day per server. Due to the large number of accounts to guess, they still get a steady stream of successes.
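    sjames’ comment describes guessing spread so thinly across many accounts that per-account lockouts never fire. As an added example (not part of this thread or any product), here is Python detection logic that looks for that shape in a constructed auth log: many distinct accounts failing in a day, only a guess or two each, evaluated per source address and again with all sources merged for a distributed spray. The log line format, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format: "<ISO-8601 UTC> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def build_sample_log():
    """Constructed auth log for the example; not taken from any real system."""
    lines = [
        # alice fat-fingers twice, then logs in from her usual address: benign
        "2019-06-02T01:05:11Z FAIL user=alice src=203.0.113.5",
        "2019-06-02T01:05:19Z FAIL user=alice src=203.0.113.5",
        "2019-06-02T01:05:27Z OK   user=alice src=203.0.113.5",
    ]
    # A slow spray: twelve accounts, one guess each, spread across the day and
    # split over two sources, so no single account ever nears a lockout threshold.
    for i in range(12):
        src = "198.51.100.7" if i % 2 == 0 else "198.51.100.9"
        lines.append(f"2019-06-02T{2 + i:02d}:17:00Z FAIL user=user{i:02d} src={src}")
    return lines

def parse(lines):
    """Return (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def failures_by_day(events, scope_key):
    """Map (scope_key(src), day) -> {user: failure count}, counting FAIL events only."""
    table = defaultdict(lambda: defaultdict(int))
    for ts, result, user, src in events:
        if result == "FAIL":
            table[(scope_key(src), ts.date())][user] += 1
    return table

def spray_alerts(events, min_accounts=5, max_per_account=2):
    """Flag buckets that are wide (many accounts) but shallow (few failures each).
    Per-account lockout logic never fires on these, so the shape is what to watch.
    Two scopes: per source address, and all sources merged for distributed sprays."""
    scopes = (("src", lambda s: s), ("all-sources", lambda s: "*"))
    alerts = []
    for scope_name, key in scopes:
        for (bucket, day), per_user in failures_by_day(events, key).items():
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts.append((scope_name, bucket, day.isoformat(), len(per_user)))
    return alerts

if __name__ == "__main__":
    for alert in spray_alerts(parse(build_sample_log())):
        print("possible password spray:", alert)
```

    The benign source 203.0.113.5 never appears in the alerts, because two failures on one account followed by a success is the fat-finger case, not a spray.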

  • But it doesn’t matter a whole lot whether they should or not, because SOX auditors will require you to expire passwords every three months.

    • SOX does not actually require that. But like all other things moronic in the world the auditors made up that rule because no matter how much of a professional you are… you are still very susceptible to the Dunning-Kruger effect and the 5 universal laws of stupidity.

      People instinctively know this… it is also one of the reasons so many people have a hard time dealing with or accepting things from the Science community. There are just as many with these problems on the inside as there are on the outside.

  • by SirAstral ( 1349985 ) writes: on Sunday June 02, 2019 @02:49PM (#58696154)

    Password change policies are mostly security theater and have been for a long time. What is even worse is that even when you can prove they are bad they still can’t get away from them because people resist change like this.

    Most people are just more comfortable with the evil they know.

    • What is even worse is that even when you can prove they are bad they still can’t get away from them because people resist change like this.

      Most definitely. Reminds me how, for a long while, doctors resisted washing their hands between patients. Change is hard for some people. (Curiously, more recently, my doctor used hand sanitizer twice during my visit and he only touched his stethoscope, when he didn’t have his hands on his lap.)

    • I’ve seen a few sites that prevent you from pasting your password in, which is ludicrous. I’ve no idea what the security thinking is behind this but it’s really easy to remove the event listener that prevents it via dev tools on Chrome (or any other browser).

      • I imagine there will be a browser plugin for this too, disabling cut+paste is extremely annoying.

  • by gnasher719 ( 869701 ) writes: on Sunday June 02, 2019 @03:01PM (#58696204)

    I worked at one place for quite a few years. When I left, my password was Totally_secure_password_$39. Because an uppercase letter and a special character were required. And there were 38 password resets.

    • I suspect a lot of people respond that way to obnoxious password policies.

      The whole capital / number / symbol thing is terrible. Combined with requirements for regular updates, it means passwords are near impossible to remember, so people either write them down, or use patterns.

      Sometimes I suspect the rules are there to let companies blame the employees where there is a breach, not to prevent one.

      • As that one XKCD rightly said, we’ve spent two decades training people to use passwords that are hard to remember but easy to crack.

      • The rules are there because at some point someone published documentation saying it was a good idea, and it’s spread from there with no one ever questioning it.

    • It’s not about security. It’s about conditioning. One of the root reasons why public schools were set up like little education factories is because those were the types of jobs most were expected to fulfill when they graduated, plus (and this is a BIG plus) parents got free babysitting for most of their work days. There is a reason why people need 2 decades of education to be considered useful by business these days. 1 decade of school is all anyone should require to be anything, Doctor, Lawyer, or Scien

  • Will be happy to see password expiration policies expire, but I would also like to see companies not use basic authentication for internal sites. A better solution is some form of single-sign-on. I mention this because any internal website operator can grab your auth password. Better to see a single secure server being the only place of risk.

  • I don’t like forgetting my passwords. The more software you use, the more accounts you have and the more passwords you’re required to remember. In practice, forgetting my password and getting locked out of something has been a bigger threat to my productivity than having a weak or reused password. I try to make passwords as easy as possible at reset time. I glance around my desk or office and see what…might…be… Ah, my printer is a HP Envy 4500. New password: Envy4500.

    I hate resetting shit. I und

  • Because at that time it was not only clear to anybody with a clue that they are broken, there was also ample research on the topic.

  • Please don’t make me go through extra authentication just because I upgraded my browser from version X.01 to X.012

  • If you feel you need so much protection for access to an account or site that you want expiring passwords, then do it the right way. Require 2FA with a fob (or Authy account on their phone) which generates a new code every 30 seconds. That way the person can use a password which is easy for them to remember, and you get to rest easy knowing the “password” is expiring every 30 seconds and being automatically replaced by a new one.

    I’ll add another aggravating situation I encountered. A site’s password d

  • by Todd Knarr ( 15451 ) writes: on Sunday June 02, 2019 @04:58PM (#58696668)

    It’s obsolete because it protects against an obsolete class of attacks. It originated back when cracking encrypted passwords was feasible but took time, the idea being to make it so by the time a thief had cracked your password it’d expired and been changed. Things are different now. The encryption algorithms are either infeasible to crack or can be cracked in minutes-to-hours, not much middle ground, and almost all attacks aim to bypass having to crack an encrypted password by either using a vulnerability that doesn’t require knowing the password or tricking the user into giving the attacker the password. Password expiration doesn’t protect against any of those attacks.

    And “Well, it doesn’t hurt either.” isn’t a defense, because password expiration does hurt security. The ideal password today can be described as “N random UTF-8 characters” where N is some number in the mid-teens or higher. When the user can’t use a password manager for copy-and-paste of the password, as with the Windows logon process, passwords approaching that while still being minimally usable by humans are all but impossible to remember without long-term practice at typing them to commit them to muscle memory. Password expiration guarantees I can’t commit them to muscle memory which means I have to drop back to much weaker and less-secure but easier to remember and type passwords, making it more likely those passwords fall into the “crackable in minutes-to-hours” category.

    Drop password expiration and replace it with support for 2FA. It’ll make it easier for your users and improve your actual security in the process.

  • Password expiration can limit the amount of time that an infrequently used account can remain compromised.

  • Microsoft have been recommending some very sensible and well thought-out guidelines around passwords for quite some time now.

    Microsoft Research published a white paper back in May 2016 that recommended, among other things, to not use password expiration policies any more as the threat model has evolved.

    I’ve presented this white paper to a number of organisational representatives and it’s made exactly zero difference to them:
    https://www.microsoft.com/en-u… [microsoft.com]

    I do use these recommendations for my clients howev

  • as I am about a user using the same password in the enterprise that they use everywhere else on the web. I can vouch for the security of my enterprise’s password database; I can’t vouch for the security of /.’s backend — we’re talking about people who can’t even figure out how to ban APK.

  • Instead the column recommends password managing software to avoid password re-use across sites, as well as two-factor authentication. “And please, if you work with code or data repositories, stop checking your passwords and API keys into your repos.”

    So that way if you get my password manager’s password, you have everything. Worst case in the “non manager” approach is I use the same password everywhere – and you learn that (it’s about the same thing). If I use two or 3 variations, then I’d be considerably better off – safer – than using a password manager.

  • …Let us not forget, changing your password every so often is still a GOOD IDEA.

    Especially passwords that access critical systems. These definitely should be changed periodically.

    It’s just smart security practices.

    But end-users forced into doing it on a strict schedule? Not even a security-paranoid goon like me likes this sort of thing. I’ll change my password when I’m good and ready.

    Besides, forced password change definitely results in poor password selection. So yes, get rid of the forced, but don’

  • And the employee who actually, in good faith, tries to come up with unique passwords on a regular basis gets caught by the stupid “lock out the user on three bad password attempts” rule. It takes two or three tries to be sure it’s not a typo issue; only then do you realize you’re using the wrong one out of the 37 or however many passwords you have to keep.
