It's time to stop asking users for periodic password changes

Originally published at:


Chief among them, the requirements encourage end users to choose weaker passwords than they otherwise would. A password that had been “P@$$w0rd1” becomes “P@$$w0rd2” and so on.

Those passwords seem equally strong. How is the second weaker than the first?


I’m just guessing, since I’m not a security expert, but if the first one got revealed/hacked/linked to your account, just incrementing that password puts it on a shaky foundation. It’s like a partial key.

But I could be wrong.


But even in that case it’s equally insecure, not weaker.


I think it’s that they are both weak.

The theory being people choose weaker, easy to remember passwords, because people won’t invest their memory’s attention into something they know will change soon anyway.

Basically all I want in the world is a key fob that I plug into a machine, enter my private passcode to the fob, and unlock the things I need.

Currently LastPass + my phone is closest to this.

too many passwords to remember otherwise :crying_cat_face:


I don’t really understand the allergy to writing passwords down. I keep passwords in my wallet. If I lose my wallet I’m fucked anyway and would change all my passwords immediately. My passwords are brutal in complexity. No one with access to my desk or wallet would be the ones interested in hacking me…


This. The point is, they’re not random, and l33t speak passwords are not secure, they’re checked along with CamelCase, alternating caps, etc etc. Random passwords (like those your password manager generates) are much, much stronger.

As I mentioned in the post, Cory did a story on these, and yes, they’re gamechangers:

I have a YubiKey myself and can’t wait for it to be my default auth everywhere, with 2FA TOTP codes in my phone as my backup.

At that point, you basically don’t need passwords anymore.
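The claim above that l33t-speak passwords are checked “along with CamelCase, alternating caps, etc.” (and the earlier “P@$$w0rd1” becomes “P@$$w0rd2” exchange) can be made concrete with a small model of how a rule-based cracker treats such passwords. The following is an added example, not code from the post or from any password-cracking tool; the wordlist, the l33t substitution table and the rule set are constructed assumptions, and the guess counts are estimates under that model only.

```python
import math
import string

# Constructed stand-in for a cracking dictionary (real ones hold 10^5 to 10^8 words).
WORDLIST = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Substitutions that a cracker's "l33t" mangling rule applies and that we undo here.
LEET_MAP = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
            "1": "i", "!": "i", "3": "e", "7": "t", "|": "l"}

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def deleet(text: str) -> str:
    """Lower-case the text and map l33t characters back to plain letters."""
    return "".join(LEET_MAP.get(ch, ch) for ch in text.lower())


def crack_shape(candidate: str, wordlist=WORDLIST):
    """Return (base_word, digit_suffix) if the candidate is a dictionary word once
    case/l33t mangling is undone and a trailing run of digits is removed, else None.
    The shortest digit suffix that still leaves a dictionary word is reported."""
    for cut in range(len(candidate), 0, -1):
        head, tail = candidate[:cut], candidate[cut:]
        if tail and not tail.isdigit():
            continue
        base = deleet(head)
        if base in wordlist:
            return base, tail
    return None


def mangled_guesses(wordlist_size: int, max_suffix_digits: int = 4) -> int:
    """Candidates a rule-based cracker tries for one simple rule set: each word
    x {plain, Capitalized, l33t, Capitalized+l33t} x a suffix of 0..4 digits."""
    suffixes = sum(10 ** k for k in range(max_suffix_digits + 1))  # 1 + 10 + ... + 10^4
    return wordlist_size * 4 * suffixes


def random_guesses(length: int, alphabet_size: int = len(PRINTABLE)) -> int:
    """Candidates for a uniformly random password: every string of that length."""
    return alphabet_size ** length


def bits(guesses: int) -> float:
    """Guess count expressed as bits of search space."""
    return math.log2(guesses)


if __name__ == "__main__":
    for pw in ["P@$$w0rd1", "P@$$w0rd2", "Summer2019", "xK9#vQ2mL!p7"]:
        print(f"{pw:14} -> {crack_shape(pw)}")
    print("100k-word list + rules :", round(bits(mangled_guesses(100_000)), 1), "bits")
    print("3 random words of 7776  :", round(bits(7776 ** 3), 1), "bits")
    print("12 random printable chars:", round(bits(random_guesses(12)), 1), "bits")
```

Both “P@$$w0rd1” and “P@$$w0rd2” collapse to the same dictionary word plus a one-digit suffix, which is why the rule set reaches them in the same small batch of guesses; a password that was actually drawn at random has no base word to recover and its search space is the full alphabet raised to its length.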


What’s funny is that Microsoft used to require a monthly password change which led to very weak passwords.

Not because there isn’t a way to make frequently changed passwords strong, but because everyone was so irritated that they just used easy passwords with a digit/month change.


Oh cool! I thought it was a reference to software security keys.

This is really neat. I can’t wait to read up on it!


My org has been converting for some time now to two factor and no password changes. And I use a password key store and random generator for personal use. All good practices.


Asking users to create passwords at all is crappy security practice and always was. Forcing them to use numbers and special characters is worse – it directly causes the existence of “Useful Passwords.docx” on everyone’s parents’ computer, makes passwords easier to shoulder-surf, and prevents the use of three randomly-selected words as a password (which is in every way better).

Forcing regular password changes has all the problems outlined above, plus it encourages the scenario where someone trying to log into some dodgy e-commerce site systematically helpfully provides each of their slightly-different passwords one by one.

(If you haven’t spent any time looking at logs, you might be surprised how common it is to see error messages of the form “Login failed for username JohnDoe123SecretPa55word” where someone failed to press tab after entering their username; and that’s on systems that don’t routinely store passwords as plain text, let alone harvest them for nefarious purposes).
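The “Login failed for username JohnDoe123SecretPa55word” pattern described above is a case where the password has already been written to disk by the time anyone reads the log. One defensive measure is to scrub such lines before they are shipped or retained. The following is an added example, not code from the post or from any real logging product; the message format, the directory export of known usernames and the sample log lines are all constructed for the illustration.

```python
import re

# Constructed directory export: the usernames the system actually knows about.
KNOWN_USERS = {"johndoe123", "alice", "bob"}

# Shape of the message quoted in the post; the field after "username " is whatever
# the user typed into the username box, which may include a password glued on.
LOGIN_FAIL = re.compile(r"(Login failed for username )(\S+)")


def scrub_line(line: str, known_users=KNOWN_USERS):
    """Return (scrubbed_line, was_redacted).

    A failed-login 'username' that is a known username with extra characters
    appended (the missed-tab pattern) gets the appended part replaced with
    [REDACTED]. Exact known usernames and strings that match no known user
    pass through unchanged."""
    m = LOGIN_FAIL.search(line)
    if not m:
        return line, False
    field = m.group(2)
    low = field.lower()
    if low in known_users:
        return line, False
    candidates = [u for u in known_users if low.startswith(u) and len(u) < len(low)]
    if not candidates:
        return line, False
    user = max(candidates, key=len)  # longest known username that prefixes the field
    redacted = field[: len(user)] + "[REDACTED]"
    return line[: m.start(2)] + redacted + line[m.end(2):], True


def scrub_log(lines):
    """Scrub every line; return (scrubbed_lines, number_of_redactions)."""
    out, hits = [], 0
    for line in lines:
        scrubbed, hit = scrub_line(line)
        out.append(scrubbed)
        hits += int(hit)
    return out, hits


# Constructed sample log: one missed-tab line, two ordinary failures, one success.
SAMPLE_LOG = [
    "2024-03-01T08:00:01Z auth[512]: Login failed for username JohnDoe123SecretPa55word from 10.0.0.5",
    "2024-03-01T08:00:09Z auth[512]: Login failed for username johndoe123 from 10.0.0.5",
    "2024-03-01T08:01:13Z auth[512]: Login failed for username alice from 10.0.0.7",
    "2024-03-01T08:02:40Z auth[512]: Login succeeded for username bob from 10.0.0.9",
]

if __name__ == "__main__":
    lines, n = scrub_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{n} line(s) redacted")
```

The prefix match is deliberately generous: an unknown string that happens to start with a known username is also redacted, which costs a little forensic detail but never leaks a password. The stronger fix is upstream: log the failed username only when it matches a known account, or log a hash of the field, so the raw text never reaches disk in the first place.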


You can easily extend this same attitude to “why lock my phone?” Physical security is king.


Is that really an attack vector for hacking accounts in an age of database compromises though? Getting mugged for your passwords? Passwords I use every day I just naturally end up practicing and don’t write down. The ones I do write down I don’t make it clear what account they are for (I also mentally salt them and only write down the unique parts). And I’m not talking about nuclear launch codes. I think losing an unlocked phone would be much more catastrophic.


This isn’t actually Microsoft’s idea, nor is it particularly new. NIST changed their recommendations to stop forcing users to change their passwords back in 2016. Fortunately Microsoft is catching up.


Or natural language passwords that are difficult for computers to guess but easy for users to remember.

The stupid 8-char passwords with forced capitalization/numbers/symbols just make users forget and request a reset or they write it down on a sticky note and put it on their monitor frame.


Yeah, but different objects have different vulnerabilities. I’ve found a bunch of cell phones left at the checkout counter or in carts while doing my job, but customers leaving a wallet or purse is a lot rarer.


We’ve learned now that how you store passwords you create is largely irrelevant. Your password is not going to be compromised by someone stealing your phone or your notepad or a post-it.

Terribly managed enterprises will lose their database, and that’s how they will get your password.

Therefore, the single best thing you can do is a unique password per site. The second best thing you can do is to have a complex password that resists brute forcing. Forced password rotations undermine this, for all the reasons stated.

Use strong passwords in a password manager, one per site.

To avoid the one other way your password will be taken - compromised login page or phishing attack - use two-factor auth or a hardware key whenever possible.

Lastly, most people don’t think of this as enhanced security, but login systems provided by Facebook and Google are great alternatives for a password manager. They are far more likely to block and alert you to a malicious login attempt than a random site will, and both support 2FA as well.

It’s not as secure as a password manager plus 2FA, but it’s the next best thing.
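The advice above (one unique, random password per site, because a breached database is how your password gets taken) has two parts a password manager automates: generating passwords from a proper CSPRNG and auditing the vault for reuse. The following is an added example, not code from the post or from any password manager; the vault contents are constructed, and the “near reuse” check that strips a trailing digit run is an assumption chosen to catch the rotation pattern discussed in this thread.

```python
import hashlib
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20) -> str:
    """Uniformly random password drawn with the OS CSPRNG (secrets), one per site."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _digest(password: str) -> str:
    # Group by digest rather than raw string so the audit report never carries a password.
    return hashlib.sha256(password.encode()).hexdigest()


def find_reuse(vault: dict) -> list:
    """vault maps site -> password. Return sorted lists of sites that share exactly
    the same password (only groups of two or more sites)."""
    groups = defaultdict(list)
    for site, pw in vault.items():
        groups[_digest(pw)].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def find_near_reuse(vault: dict) -> list:
    """Like find_reuse, but a trailing run of digits is stripped first, so the
    'Summer2019' / 'Summer2020' rotation pattern counts as one shared password."""
    groups = defaultdict(list)
    for site, pw in vault.items():
        groups[_digest(pw.rstrip(string.digits))].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


# Constructed vault: one password reused on two sites, a rotated variant of it
# on a third, and one properly generated password.
SAMPLE_VAULT = {
    "shop": "Summer2019",
    "mail": "Summer2019",
    "bank": "Summer2020",
    "forum": generate_password(),
}

if __name__ == "__main__":
    print("exact reuse:", find_reuse(SAMPLE_VAULT))
    print("near reuse: ", find_near_reuse(SAMPLE_VAULT))
```

A vault that passes both checks has the property the post is after: a breach at one site yields nothing that works, or nearly works, anywhere else.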


This. Instead of just writing down your actual passwords, why not print a block of 200 random passwords, mentally salt them, and just remember the real one by its location in the list?


Not quite. It was on the order of every quarter when it expired.

But adding to the frustration was that the new password had to be different from the previous set of passwords + it had to meet some inscrutable complexity requirements.

By default IT would also nag you about upcoming password expiration for two weeks prior. Our group eventually came up with a set of developer-friendly computer settings that, among other things, move that notification window down to three days.

Wow, I’ve been hoping for this for 15 years? Or 20? I can’t even remember how long this stupid idea of changing a perfectly good password has been around. One employer forced a change every MONTH, which of course made everyone append MMYY to their password.

Next up: getting rid of “security questions”, an even bigger clusterfuck, which has been around almost as long.