Comment by xp84

Comment by xp84 4 days ago

26 replies

View on Hacker News

Password rotation does nothing more than get you to use

  1234abcd@
  1234abcd@1
  1234abcd@2
  1234abcd@3
I'm becoming pretty convinced that at least in the corporate space, we'd be way better off with a required 30 character minimum password, with the only rules being against gross repetition or sequences. (no a * 30 or abcd...yz1234567890 ). Teach people to use passphrases and work on absolutely minimizing the number of times people need to type it by use of SSO, passkeys, and password managers. Have them write it on a paper and keep it in a safe for when they forget it.

This is a better use of the finite practical appetite for complying with policies than the idiotic "forcibly change it every 90 days" + "Your 8 character password needs to have at least one number, one uppercase, and one of these specific 8 characters: `! @ # $ % ^ & *`"

By the way, to quote Old Biff Tannen, "oh, you don't have a safe. GET A SAFE!"

tharkun__ 4 days ago

Don't tell them. I don't want to have to enter 30 characters. And it does not help for the people you'd need it for anyway.

    1234567890a1234567890@1234567890
Better?

No, just longer to type. You can't fix stupid people by making the life of non-stupid people worse.

All you do is for non-stupid people to stop caring and do the easiest thing possible too.

Reply View 6 replies
  • MrDrMcCoy 4 days ago

    That's why we recommend passphrases. That 30 character requirement becomes much easier when it's 3-4 words with a separater. Faster to type, too.

    Reply View 3 replies
    • tharkun__ 4 days ago

      Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)

      Reply View 2 replies
      • pylotlight 4 days ago

        I would hate to be labeled 'stupid' everytime I don't want to type some 30 dumb characters everytime I login. How about no?

        Reply View 1 reply
        • tharkun__ 4 days ago

          Different difference ;)

          I also don't want to type 30 chars, when 15 _properly randomly chosen_ characters would suffice but the "stupid people" chose those 15 characters as "passwordP@55w0rd" and now everyone requires us to write 30 instead because it's "so much more secure" when they write "passwordP@55w0rdpasswordP@55w0rd"

          Reply View 0 replies
  • wycy 4 days ago

    Correct-horse-battery-staple!! is 30 characters and quick to type

    Reply View 1 reply
    • tharkun__ 4 days ago

      Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)

      Reply View 0 replies
bigfatkitten 4 days ago

In the corporate space you should move away from passwords entirely.

Smart cards have had pretty solid ecosystem support for the past two decades thanks to the U.S. Government and HSPD-12, and now we’ve got technologies like webauthn that make passwordless authentication even easier.

Reply View 3 replies
  • majkinetor 4 days ago

    And require smart card, reader, drivers etc... nah

    Reply View 2 replies
    • imtringued 4 days ago

      Every work laptop I've used had a smart card reader directly built into it and I've never used smart cards.

      Reply View 0 replies
osigurdson 4 days ago

In the enterprise, the cost of inconvenience to users is effectively zero. Perhaps even negative as security theater can be a pretty effective way to convince management that something is being done.

Reply View 0 replies
eru 4 days ago

There's one weird trick to get people to have strong passwords (even if you force rotation): don't allow them to pick their own passwords. Randomly generate the passwords for them.

Reply View 1 reply
  • pixl97 4 days ago

    Also don't allow them to copy paste the password. And especially don't allow them to use any kind of password wallet. They will really love you for this and you won't get an excessive number of calls to reset forgotten/lost passwords.

    Reply View 0 replies
kobieps 4 days ago

Preach. Gmail doesn't force password rotation, and one can just imagine the type of attacks they must sustain...

Unfortunately corporate policies evolve at glacial speeds...

Reply View 0 replies
TZubiri 4 days ago

"Your password is too similar to your previous password"

Hmm, how would you know that.

Reply View 4 replies
  • Uvix 4 days ago

    Don't you generally have to enter the current password to change it to a new one?

    Reply View 1 reply
    • TZubiri 4 days ago

      Interesting. I guess you could do it on the frontend by asking for old and new passwords simultaneously and sending the hashes to the backend.

      That said, it means that you can skip this check by hacking around the front end check haha

      Reply View 0 replies
  • tharkun__ 4 days ago

    By making it less secure. Like those auth schemes back in the day that sounded great in theory until you figured out that in order to implement them the provider had to store them un-hashed. No thanks.

    Reply View 0 replies
Retric 4 days ago

I’m doubtful a 30 digit minimum password is a meaningful improvement over a 20 digit password here. Meanwhile actually typing in very long passwords adds up across a workday/year especially with mistakes.

Reply View 5 replies
  • xp84 4 days ago

    I think if done right, typing that password should be more like a once a quarter exception rather than a daily occurrence.

    Granted - there are blockers to getting there. IDK why for example, macOS can't use Touch ID from a cold boot, that's stupid, at least when there haven't been too many failed attempts or anything.

    Reply View 2 replies
    • zimpenfish 4 days ago

      > macOS can't use Touch ID from a cold boot

      Isn't that because the Secure Enclave (the only place which contains the Touch ID biometric data) is locked by your password?

      "When a user's password is set up on an Apple Silicon Mac, the password is passed through a one-way hashing algorithm that produces a key used to encrypt the Secure enclave's key."[0]

      [0] https://blog.greggant.com/posts/2023/04/14/the-security-encl...

      Reply View 0 replies
    • Retric 4 days ago

      Touch ID isn’t that secure. It’s fine for personal devices, but I wouldn’t trust it alone in a government or cooperate environment.

      A ~1:50,000 error rate per finger added sounds fine, but lose a few laptops and have multiple valid fingerprints etc and the odds quickly look significantly worse. Or a janitor could end up trying to log into a significant number of machines etc.

      Reply View 0 replies
  • imtringued 4 days ago

    You're only supposed to type your password at most once a day to sign into SSO.

    Reply View 1 reply
    • Retric 4 days ago

      Then how do you suggest authenticating not just in the morning but after lunch, going to the bathroom, any physical meetings, etc?

      Reply View 0 replies