Forcing users to periodically change their passwords should go the way of the dodo according to the US government
https://www.pcgamer.com/software/security/forcing-users-to-periodically-change-their-passwords-should-go-the-way-of-the-dodo-according-to-the-us-government/
18 Comments
What they’re saying makes a lot of sense, especially when half the time you can’t use your last 5-10 passwords, so there’s the constant need to come up with something new.
code no-word. code. passcode.
First off, it’s an article to sell you a password manager.
But there are two competing ideas here:
1) Since we are human and have human limitations, requiring us to constantly change our passwords encourages us to make passwords that are easier to hack or bypass. (i.e. if the password is too complicated you are likely to write it down, and if you write it down someone can physically steal the password you wrote down).
2) Since we are human we can only remember so many passwords and since so many things require logins we will probably wind up [reusing passwords.](https://xkcd.com/792/)
Solutions to the first problem make the second problem worse. [If we get a password that is exceedingly hard to hack or bypass that we can also remember easily](https://xkcd.com/936/)… we will reuse that password more often. If we never reuse passwords then we will need to “store” more of them, meaning they will be less complex or easier to bypass.
That brings in the ads for purchasing a password manager. “Why try to remember the passwords yourself when you could give them all to our app and our app will remember them for you?” But if we are being honest… that’s almost the exact same problem as writing the password down in the first place.
The concept of having to periodically change your password always struck me as being very similar to security through obfuscation, just on the user side instead of the application side. Especially now that we have a reliance on random password generators. 2FA was supposed to be (1) something you know, (2) something you have. But we don’t really “know” our passwords anymore.
lol this article reeks of Russian propaganda…I’ll be changing my passwords, thanks
When you have shit like this you just get Pass.word.1, then pass.word.2, then pass.word.3; nothing fundamentally changes. The best password field will allow you to type a whole phrase as a password. Something straightforward and obvious but wildly obscure. E.g., “An apple falls because of gravity” would take trillions of years to brute force. But obviously the phrase is contextual to you.
You know what else is bad? Password change forms online which don’t allow you to copy and paste. I use a password manager, the most secure password is a long random (with certain characteristics) password. But by making people type it rather than copy in from a password manager, they’re encouraging shorter, less secure passwords.
2FA fixes this
Passwords themselves have to go away. There are better ways to secure logins than letting users use “password123” as their security. Ideally perhaps a combination of biometrics (this is your “login name”) and then a hardware key like a Yubikey to serve as your “password”. Because people cannot be trusted to use sane passwords. Not even 2FA is fully safe.
Ideally social login or 2FA authentication should be implemented everywhere. A password is of no use if the hacker is unable to access the authenticator or email.
I use real long ones all separate and I change them every so often.
The government literally makes me change my password every couple months at work
<same old password>01
<same old password>02
<same old password>03
…
<same old password>10
<same old password>01
And on and on. Seriously, I’ve been doing this for DECADES now.
2FA should make this less of an issue.
But changing passwords is just not going to be workable in the long run. People will forget their passwords or just recycle old ones. The only time people really DO change their passwords is if there is news of a compromise.
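The “Pass.word.1 → pass.word.2” and “&lt;same old password&gt;01 … 10 … 01” patterns described in the comments above are exactly what a password-change check can catch on the server side. This is an added example, not code from the article or from any commenter: it assumes the user presents the current password in plaintext at change time (the only moment a similarity check is possible), that history is kept as hashes, and it uses a constructed two-entry “compromised” list in place of a real breach corpus.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus; a real deployment would query
# a compromised-credential service rather than a hard-coded set.
COMPROMISED = {"password123", "Pass.word.1"}


def stem(password: str) -> str:
    """Collapse the tweaks users make when forced to rotate: case,
    separators and a trailing counter ("Pass.word.2" -> "password")."""
    s = re.sub(r"[^a-z0-9]", "", password.lower())
    return re.sub(r"[0-9]+$", "", s)


def pw_hash(password: str) -> str:
    # SHA-256 only keeps this demo self-contained; store real password
    # history with a slow, salted hash (argon2, bcrypt or scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def check_change(current: str, new: str, history_hashes: set,
                 min_len: int = 12) -> list:
    """Return the reasons a change should be rejected; empty means accept.
    `current` is the plaintext the user proves possession of right now,
    `history_hashes` are the hashes of previously used passwords."""
    reasons = []
    if len(new) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if new in COMPROMISED:
        reasons.append("appears in a known-compromised list")
    if pw_hash(new) in history_hashes:
        reasons.append("reuses a previous password")
    elif stem(new) == stem(current):
        reasons.append("differs from the current password only by case, "
                       "punctuation or a trailing counter")
    return reasons


def demo() -> dict:
    # Constructed history mirroring the "<same old password>01..10" cycle.
    base = "SameOldPassword"
    history = {pw_hash(f"{base}{i:02d}") for i in range(1, 11)}
    current = f"{base}10"
    return {
        "counter bump": check_change(current, f"{base}11", history),
        "wrap around": check_change(current, f"{base}01", history),
        "passphrase": check_change(current,
                                   "An apple falls because of gravity",
                                   history),
    }
```

Note that the variant check only fires when reuse did not, so the wrap-around case reports the stronger finding (exact reuse) rather than both.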
That creator Thor actually said this cycle of resets created a consistently easy-to-abuse vulnerability that he was able to expose across multiple different clients.
If your password isn’t compromised, there’s no need to change it.
If your password is compromised, you shouldn’t wait another 87 days to the expiry to change it.
Either way, frequency-forced changes don’t help.
All that happens is people end up with so many passwords in their password graveyard that they run out of passwords they easily remember and start writing them down somewhere, defeating the whole purpose.
This was a thing for a long time, but the majority of companies simply won’t follow. This is the problem.