|
Slacker007 wrote: this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess.
What the experts say: Time for Password Expiration to Die | SANS Security Awareness[^]
|
|
|
|
|
The problem with systems that force people to regularly change passwords is that people have a habit of simply incrementing a number at the end of a password.
So the chances are that if I know your password, I can just try incrementing the number at the end until I get your current password which has probably just been incremented by one.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
Quote: this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess.
It is a valid level of security.
It isn't a valid level of security. That policy came from an era when PCs were not connected to the internet, hence someone who wanted to use your compromised password would have to literally break into the office. So limiting the passwords to 30 days mitigated that risk.
Now, if your password is compromised they will, in the first two minutes, install a keylogger, thereby having all future passwords of yours.
It gets worse - because of the requirement of regular password changing, people simply use easy to remember passwords. In effect, the password expiry policy actually forces people to use less secure passwords than they would have done without the policy.
So, no, password expiry is stupid policy, encourages weaker passwords and, IME, only recommended by people who don't know much about security, encryption or stuff like that (i.e. IT and Network staff).
|
|
|
|
|
If your password is compromised, then the hacker has 30 days to casually do what he wants and finish, besides changing the password himself. So what has that 30 day password change accomplished? Nothing. It might be effective if your account is put in a bucket and not bought and used for more than 30 days.
|
|
|
|
|
MadGerbil wrote: Because of this I need to take a hostage.
If you have foul play in mind, I have a list!
I'm not sure how many cookies it makes to be happy, but so far it's not 27.
JaxCoder.com
|
|
|
|
|
Mike Hankey wrote: I have a list!
By any chance, is Mike short for Mikado [^] ?
Ravings en masse^ |
---|
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein | "If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010 |
|
|
|
|
|
MadGerbil wrote: If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement.
it's not a secure password because you will not be able to remember it and you will write it down on a post-it or copy it on a regular text file on your desktop; or you click on the "I forgot my password" button.
Anyway, agreed.
I hate when I have to change passwords.
I'd rather be phishing!
|
|
|
|
|
Every place I've seen this password policy in place I've also seen sticky notes with passwords written on them stuck to the monitors of the user's computers.
|
|
|
|
|
This means they are storing all your previous passwords.
Do they guarantee you that their password storage is never going to be compormised?
|
|
|
|
|
Exactly.
If they get compromised I think they should cover every other system of mine that gets compromised.
Slap a lawsuit on them for that, make them pay for damages, and maybe they'll get rational.
|
|
|
|
|
Hopefully a salted hash of your previous passwords.
But given some of the code that keeps cropping up in QA, I wouldn't guarantee it.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Thanks. New learning today.
|
|
|
|
|
You have no need to store the old passwords... a one-way hash will do...
But if you store one-way hash what do you afraid of?
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
|
|
|
|
|
Kornfeld Eliyahu Peter wrote: what do you afraid of?
As Richard says: Go to QA and see what some idiots developers are doing in the real world ...
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
But of course... only speaking in theory...
(that's the reason that I try to avoid opening accounts on any site, and using google's login if I can)
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
|
|
|
|
|
Quote: This means they are storing all your previous passwords.
No, it doesn't mean that. They could be storing the hash of the password and reusing the salt on the new password.
|
|
|
|
|
They likely are only storing hashes of previous passwords.
|
|
|
|
|
|
I may climb a tower over multiple systems, the VPN, Active Directory, Global network, etc. All of them have different expiration policies so syncing up passwords is a real PITA. Don't give me the crap about they all should have different passwords, all those systems are part of the work ecosystem. Currently, I have 3 different passwords because of the timing. There's one of them that expires the fastest, that I can't figure out which part of the environment it controls since I rarely type it.
|
|
|
|
|
I found KeePass here in Code Project, and have been using it ever since. I think it is terrific and have had no problems with passwords since I started using it.
You should give that try.
|
|
|
|
|
Agreed. KeePass is awesome. I like the fact that I can keep the application and multiple password databases (work, home, etc.) on a thumb drive or equivalent so I can always have it with me.
|
|
|
|
|
Two Factor Authentication...
And EMAIL Me when the SECOND Factor Fails, as well as the IP Address.
Text me as well, and allow me to text back: BLOCK (and have it block the IP Address)
I have an encrypted file with HUNDREDS of passwords stored.
You know what PEEVES me... Companies who LIMIT the LENGTH of the password!
Come on! The password gets HASHED, store the hash. Salt should be unique per account.
I like to use: GUIDs + A word or two on each side. You CANNOT imagine the number of sites that won't even take a full GUID as a password.
Everything should have 2FA... IMO... Then password security is less important.
Also, some kind of internet blackhole for where these attacks come from. I used to see them attacking my server all the time, until I configured fail2ban to block on 404 and many other attempts. It took about 180 days before the hackers gave up and my banlist is reasonable.
|
|
|
|
|
My company does the same thing with corporate passwords, which we are required to change every 45 days. I therefore use the tried-and-true {password}{punctuation-character}{month} and change it on the first working day of every month. The punctuation character changes annually.
Software Zen: delete this;
|
|
|
|
|
I keep all my passwords in a password manager program (PasswordSafe), with the encrypted data file stored on DropBox so I can get at it everywhere. This allows me to use unique strong passwords everywhere. With just a double-click, any password is put on the clipboard for easy pasting into the password textbox.
Of course, that means there's one password I actually have to remember & type in myself, which means it's not particularly strong. So, of course, it's the most important --- the one to unlock my PC.
Truth,
James
|
|
|
|
|
... and I like it!
Only a Draper 45cc 2-stroke, with a 18" Oregon bar and chain, but it slices through fallen trees beautifully! Half an hour and it's gone to the firewood pile.
It's got that "friendly tool" feel to it as well - anyone who worked on British motorcycles (or even older Hondas) probably knows what I mean.
There's a spanner in my toolbox, that every time I use it, I'll lose a chunk of knuckle; a chisel that pushes the hammer towards your hand; a socket that fits perfectly but rounds the nut off every damn time; Unfriendly Tools. Every time you pick it up it feels "wrong" but you never know why.
This doesn't. It just feels "right", like it's there to help you rather than bite your leg off. I won't trust it - never trust a chainsaw - but I can relax and let it do the work. Nice.
I've just realized we get them in software too - VS is "friendly", it's like a eager puppy at times. C# is "friendly", if a little strict. FFMPEG is "friendly", if not user friendly. Corel Video Studio is user friendly, but downright hostile: it tries to get in your way as much as it can, until you go back to the FFMPEG command line hell.
Anyone else know what I mean here?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
AntiTwitter: @DalekDave is now a follower!
|
|
|
|