Comment by SAI_Peregrinus 4 days ago

Does anyone not add the year & month of the last password change to the end of their password? E.g. PascalCasePassphraseGoesHere2025-06, then at the next required change in (for example) 6 months: PascalCasePassphraseGoesHere2026-01. It almost certainly fits the inane "letter, number, and special character" requirements they probably have, complies with "different from your last X passwords", and makes it easy to keep track of the change interval. It also adds no security whatsoever! A user could almost certainly get away with Password2025-06, etc.

pcardoso 4 days ago

I once wrote a script to change my password randomly X times and then back to my original password. Worked like a charm.

  • claudex 4 days ago

    There are policies to prevent changing the password more than once a day to prevent that. I've encountered it in several places.

    • thih9 4 days ago

      Fascinating. In other words:

      In order to force the user to change their password more frequently (long term), the user is prevented from changing their password too frequently (short term).

      I wonder whether the person who added that is actually confident that the benefits outweigh the drawbacks or is that a case of tunnel vision.

    • eqvinox 4 days ago

      There are also systems that keep a history of old passwords just to prevent you from reusing one.

      • jandrese 4 days ago

        I like the ones that not only keep a history of your old passwords but will reject any password that is similar to any of your 30 previous passwords, which means they're storing either a plaintext or reversibly encrypted list of every password somewhere on the system. Talk about a goldmine for the hacker that dumps that database.

    • Viliam1234 2 days ago

      The obvious solution is to have a Monday password, a Tuesday password, etc.

  • HocusLocus 4 days ago

    Password changed.

    Password changed.

    Password changed.

    Error at : broken pipe

repeekad 4 days ago

I’ve personally experienced the password change requirement that “more than X characters be different than the old password”.

  • valleyer 4 days ago

    Um, that's a really bad sign...

    • rocqua 4 days ago

      No, you can do it safely. The idea is to have the password renewal process also ask for the previous password.

      This means the password changing method doesn't need to store a plaintext password, but still has access to the old plaintext password when changing. It's still not a great idea, but that's because nagging your users will see them choose worse passwords.

    • klysm 4 days ago

      To elaborate for the uninitiated, that means they are storing it in plaintext somewhere.

      • mattmanser 4 days ago

        No it doesn't. Shows you how complicated all this is and how the uninitiated (including me) should learn to not give their two cents.

        When you do the password change it asks you for the old one, that's how it knows.

        So it asks for old + new, checks old is correct against the hash, and then compares old + new likeness.

        So it all happens in memory.
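        As an added illustration of the flow mattmanser describes (and of the "history of old passwords" point from jandrese's comment above), here is a small Python password-change handler that I wrote for this thread; it is not code from any project mentioned here. It assumes a policy threshold of 4 differing characters (measured as Levenshtein edit distance, an assumption, since the thread does not say how "X characters different" is measured) and a history depth of 5. The old password is verified against its salted hash, compared with the new one only in memory, and the reuse check runs against stored hashes of previous passwords, so nothing is ever kept in plaintext.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example (not from the thread).
PBKDF2_ITERATIONS = 100_000   # lowered for a quick demo; use a higher count in production
HISTORY_DEPTH = 5             # how many previous password hashes to keep for the reuse check
MIN_DIFFERENT_CHARS = 4       # "more than X characters must differ", measured as edit distance


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Account:
    """Constructed in-memory user record: only salted hashes are stored, never plaintext."""

    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)
        self.history = []  # (salt, digest) pairs of previous passwords

    def change_password(self, old: str, new: str) -> str:
        # 1. Prove knowledge of the current password against its stored hash.
        if not verify(old, self.salt, self.digest):
            return "wrong current password"
        # 2. Similarity check uses the plaintext the user just supplied; it lives only in memory.
        if edit_distance(old, new) < MIN_DIFFERENT_CHARS:
            return "too similar"
        # 3. Reuse check: hash the candidate under each historical salt and compare digests.
        for salt, digest in self.history + [(self.salt, self.digest)]:
            if verify(new, salt, digest):
                return "reused"
        # 4. Rotate: push the current hash into history, trim it, store the new hash.
        self.history.append((self.salt, self.digest))
        del self.history[:-HISTORY_DEPTH]
        self.salt, self.digest = hash_password(new)
        return "ok"


if __name__ == "__main__":
    acct = Account("PascalCasePassphraseGoesHere2025-06")
    # The date-suffix trick from the top comment differs by only 2 characters, so it is rejected.
    print(acct.change_password("PascalCasePassphraseGoesHere2025-06",
                               "PascalCasePassphraseGoesHere2026-01"))
```

        Note that step 3 costs one PBKDF2 evaluation per historical entry, because each old password was salted independently; that is the price of never storing anything reversible. The similarity check in step 2 is only possible because the change form asked for the old password, which is exactly the point made above.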

      • _moof 4 days ago

        Unless they ask you for your current password as part of the password change flow.

      • mx_03 4 days ago

        Is there any way to check that with non-plain-text password?

    • dspillett 4 days ago

      Not if the check is done client-side, so the plain password never leaves your local domain. Of course the check being done client-side means that it isn't difficult to skip if you are inclined to make a smidgen of effort.

      • thih9 4 days ago

        It can be done server side too; the old password can be sent along with the new one and the server can verify it.

        • dspillett an hour ago

          Yes, what I meant to say is that it doesn't even have to be done server-side, so the fact it happens doesn't imply the server ever sees the old password beyond its initial setting.

deathanatos 4 days ago

I just let the keyring roll a completely new password. For some reason, all of my employers do require this insanity, but not on the one password I have to actually type.

  • bisby 4 days ago

    I once had an employer that required us to use passworded SSH, and disallowed SSH keys, because they couldn't enforce that the SSH keys were passphrase protected, so just turned that option off.

    They said it was a PCI requirement, or something.

    • yardstick 4 days ago

      PCI requires multi-factor auth these days, so you’ll likely find now the ssh password will be your password plus an OTP at the end.

      • mazone 4 days ago

        PCI DSS from 4.0 actually has something called the customized approach for everything. If you can prove, and the QSA agrees, that you fulfill the goal of a requirement, you can be quite flexible. For example, I am doing things like not using passwords at all and only passkeys, or only ssh keys protected by a hardware security key etc., together with agents trying to verify that the devices connected are company owned and hardened in different ways. Your mileage might vary depending on how good your auditor is, but the PCI DSS standard does have quite a bit of flexibility in it.

      • notpushkin 4 days ago

        Isn’t there a way to ask for OTP after initiating the SSH session?

    • jerf 4 days ago

      This is not as illegitimate as it may sound to you. You may not hear about "getting someone's SSH keys" very often, because we only hear about "vulnerabilities" on places like HN and this isn't a "vulnerability" in any software.

      But getting someone's SSH keys and then running off and doing other things is a very normal part of any focused attack in which attackers use some foothold to start pivoting into your systems. It's one of the first things an attacker will check for, precisely because it's high likelihood they'll find one and high reward if they do. It's an extremely serious threat that you don't hear about very often, just like you may not hear about "the sudoers file left something open with passwordless access it shouldn't have and the attackers lifted themselves up to root from there" even though it's a major part of many actual incursions. I'm aware of multiple cases in which someone's passwordless SSH key played a part in the process.

      So that really is a legitimate problem and turning them off is not security theater but can have a real impact on your security posture. The problem is solved nowadays by adding other auth to the process, like proving possession of a physical token as part of the login process.

      • seadan83 4 days ago

        > But getting someone's SSH keys and then running off and doing other things is a very normal part of any focused attack in which attackers use some foothold to start pivoting into your systems.

        Though, if someone gets that far, couldn't they also install a key logger on the user's system? At that point, whether it's just a password or a password-enabled SSH key, anything the user does is all compromised regardless.

  • SAI_Peregrinus 3 days ago

    Whenever I don't have to type it, that's what I do. It's the login (or password manager password) needing this counterproductive crap that gets the "append a date" treatment. It's a 10-word diceware passphrase, only used for that login anyway; it's not getting breached if it's stored in even a remotely secure manner (even an unsalted hash would be safe).

  • delfinom 4 days ago

    They do it because their IT departments are checklist monkeys with no actual brainpower there, AND/OR they have cybersecurity insurers that mandate it who also have nobody with actual brainpower working there.

kelnos 2 days ago

When I first set up an account at a new org or whatever, I don't think about the possibility of rotation later, but once I get my first "your password has expired and needs to be reset" message, I just add a counter to the end of the password that I increment each time I'm required to change it. Successive passwords have no less entropy than the original password, anyway.

Fortunately, I haven't encountered a system that does a similarity check when changing the password.
