xp84 4 days ago

Password rotation does nothing more than get you to use

  1234abcd@
  1234abcd@1
  1234abcd@2
  1234abcd@3
I'm becoming pretty convinced that at least in the corporate space, we'd be way better off with a required 30 character minimum password, with the only rules being against gross repetition or sequences. (no a * 30 or abcd...yz1234567890 ). Teach people to use passphrases and work on absolutely minimizing the number of times people need to type it by use of SSO, passkeys, and password managers. Have them write it on a paper and keep it in a safe for when they forget it.

This is a better use of the finite practical appetite for complying with policies than the idiotic "forcibly change it every 90 days" + "Your 8 character password needs to have at least one number, one uppercase, and one of these specific 8 characters: `! @ # $ % ^ & *`"

By the way, to quote Old Biff Tannen, "oh, you don't have a safe. GET A SAFE!"

Reply View 26 replies
  • tharkun__ 4 days ago

    Don't tell them. I don't want to have to enter 30 characters. And it does not help for the people you'd need it for anyway.

        1234567890a1234567890@1234567890
    Better?

    No, just longer to type. You can't fix stupid people by making the life of non-stupid people worse.

    All you do is for non-stupid people to stop caring and do the easiest thing possible too.

    Reply View 6 replies
    • MrDrMcCoy 4 days ago

      That's why we recommend passphrases. That 30 character requirement becomes much easier when it's 3-4 words with a separater. Faster to type, too.

      Reply View 3 replies
      • tharkun__ 4 days ago

        Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)

        Reply View 2 replies
    • wycy 4 days ago

      Correct-horse-battery-staple!! is 30 characters and quick to type

      Reply View 1 reply
      • tharkun__ 4 days ago

        Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)

        Reply View 0 replies
  • bigfatkitten 4 days ago

    In the corporate space you should move away from passwords entirely.

    Smart cards have had pretty solid ecosystem support for the past two decades thanks to the U.S. Government and HSPD-12, and now we’ve got technologies like webauthn that make passwordless authentication even easier.

    Reply View 3 replies
    • majkinetor 4 days ago

      And require smart card, reader, drivers etc... nah

      Reply View 2 replies
      • imtringued 4 days ago

        Every work laptop I've used had a smart card reader directly built into it and I've never used smart cards.

        Reply View 0 replies
  • osigurdson 4 days ago

    In the enterprise, the cost of inconvenience to users is effectively zero. Perhaps even negative as security theater can be a pretty effective way to convince management that something is being done.

    Reply View 0 replies
  • eru 4 days ago

    There's one weird trick to get people to have strong passwords (even if you force rotation): don't allow them to pick their own passwords. Randomly generate the passwords for them.

    Reply View 1 reply
    • pixl97 4 days ago

      Also don't allow them to copy paste the password. And especially don't allow them to use any kind of password wallet. They will really love you for this and you won't get an excessive number of calls to reset forgotten/lost passwords.

      Reply View 0 replies
  • kobieps 4 days ago

    Preach. Gmail doesn't force password rotation, and one can just imagine the type of attacks they must sustain...

    Unfortunately corporate policies evolve at glacial speeds...

    Reply View 0 replies
  • TZubiri 4 days ago

    "Your password is too similar to your previous password"

    Hmm, how would you know that.

    Reply View 4 replies
    • Uvix 4 days ago

      Don't you generally have to enter the current password to change it to a new one?

      Reply View 1 reply
      • TZubiri 4 days ago

        Interesting. I guess you could do it on the frontend by asking for old and new passwords simultaneously and sending the hashes to the backend.

        That said, it means that you can skip this check by hacking around the front end check haha

        Reply View 0 replies
    • tharkun__ 4 days ago

      By making it less secure. Like those auth schemes back in the day that sounded great in theory until you figured out that in order to implement them the provider had to store them un-hashed. No thanks.

      Reply View 0 replies
  • Retric 4 days ago

    I’m doubtful a 30 digit minimum password is a meaningful improvement over a 20 digit password here. Meanwhile actually typing in very long passwords adds up across a workday/year especially with mistakes.

    Reply View 5 replies
    • xp84 4 days ago

      I think if done right, typing that password should be more like a once a quarter exception rather than a daily occurrence.

      Granted - there are blockers to getting there. IDK why for example, macOS can't use Touch ID from a cold boot, that's stupid, at least when there haven't been too many failed attempts or anything.

      Reply View 2 replies
      • zimpenfish 4 days ago

        > macOS can't use Touch ID from a cold boot

        Isn't that because the Secure Enclave (the only place which contains the Touch ID biometric data) is locked by your password?

        "When a user's password is set up on an Apple Silicon Mac, the password is passed through a one-way hashing algorithm that produces a key used to encrypt the Secure enclave's key."[0]

        [0] https://blog.greggant.com/posts/2023/04/14/the-security-encl...

        Reply View 0 replies
      • Retric 4 days ago

        Touch ID isn’t that secure. It’s fine for personal devices, but I wouldn’t trust it alone in a government or cooperate environment.

        A ~1:50,000 error rate per finger added sounds fine, but lose a few laptops and have multiple valid fingerprints etc and the odds quickly look significantly worse. Or a janitor could end up trying to log into a significant number of machines etc.

        Reply View 0 replies
    • imtringued 4 days ago

      You're only supposed to type your password at most once a day to sign into SSO.

      Reply View 1 reply
      • Retric 4 days ago

        Then how do you suggest authenticating not just in the morning but after lunch, going to the bathroom, any physical meetings, etc?

        Reply View 0 replies