|
I too particularly despise this policy!
That sure must have been a true password story, somehow!
|
|
|
|
|
Quote: If you write a password management system and force people to change passwords every 30 days YOU ARE A BAD PERSON IN REAL LIFE.
I completely agree!
|
|
|
|
|
Agree. Ten days should be the absolute maximum
It does not solve my Problem, but it answers my question
modified 19-Jan-21 21:04pm.
|
|
|
|
|
MadGerbil wrote: If you write a password management system and force people to change passwords every 30 days
this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess.
It is a valid level of security. You should be more than glad they don't make you change your password every week.
And no, they are not bad people for doing this. No more as bad as the doctor who tells you to quit smoking.
I agree it is frustrating, very much so.
|
|
|
|
|
The only way my password can be compromised is by mind-reading... Or I give it away...
So the site (that obviously does not store it ) has no reason to be so hard on me...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
|
|
|
|
|
Slacker007 wrote: this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess.
What the experts say: Time for Password Expiration to Die | SANS Security Awareness[^]
|
|
|
|
|
The problem with systems that force people to regularly change passwords is that people have a habit of simply incrementing a number at the end of a password.
So the chances are that if I know your password, I can just try incrementing the number at the end until I get your current password which has probably just been incremented by one.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
Quote: this is because if your password is compromised and I have it, then I have only 30 days to use it, before I can't anymore. Not so great for you and the company during those 30 days, but it is better than nothing, I guess.
It is a valid level of security.
It isn't a valid level of security. That policy came from an era when PCs were not connected to the internet, hence someone who wanted to use your compromised password would have to literally break into the office. So limiting the passwords to 30 days mitigated that risk.
Now, if your password is compromised they will, in the first two minutes, install a keylogger, thereby having all future passwords of yours.
It gets worse - because of the requirement of regular password changing, people simply use easy to remember passwords. In effect, the password expiry policy actually forces people to use less secure passwords than they would have done without the policy.
So, no, password expiry is stupid policy, encourages weaker passwords and, IME, only recommended by people who don't know much about security, encryption or stuff like that (i.e. IT and Network staff).
|
|
|
|
|
If your password is compromised, then the hacker has 30 days to casually do what he wants and finish, besides changing the password himself. So what has that 30 day password change accomplished? Nothing. It might be effective if your account is put in a bucket and not bought and used for more than 30 days.
|
|
|
|
|
MadGerbil wrote: Because of this I need to take a hostage.
If you have foul play in mind, I have a list!
I'm not sure how many cookies it makes to be happy, but so far it's not 27.
JaxCoder.com
|
|
|
|
|
Mike Hankey wrote: I have a list!
By any chance, is Mike short for Mikado [^] ?
Ravings en masse^ |
---|
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein | "If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010 |
|
|
|
|
|
MadGerbil wrote: If I write secure passwords changing TsfI$)#%(fikea;f to IDJOfe30235 isn't an improvement.
it's not a secure password because you will not be able to remember it and you will write it down on a post-it or copy it on a regular text file on your desktop; or you click on the "I forgot my password" button.
Anyway, agreed.
I hate when I have to change passwords.
I'd rather be phishing!
|
|
|
|
|
Every place I've seen this password policy in place I've also seen sticky notes with passwords written on them stuck to the monitors of the user's computers.
|
|
|
|
|
This means they are storing all your previous passwords.
Do they guarantee you that their password storage is never going to be compormised?
|
|
|
|
|
Exactly.
If they get compromised I think they should cover every other system of mine that gets compromised.
Slap a lawsuit on them for that, make them pay for damages, and maybe they'll get rational.
|
|
|
|
|
Hopefully a salted hash of your previous passwords.
But given some of the code that keeps cropping up in QA, I wouldn't guarantee it.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Thanks. New learning today.
|
|
|
|
|
You have no need to store the old passwords... a one-way hash will do...
But if you store one-way hash what do you afraid of?
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
|
|
|
|
|
Kornfeld Eliyahu Peter wrote: what do you afraid of?
As Richard says: Go to QA and see what some idiots developers are doing in the real world ...
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
But of course... only speaking in theory...
(that's the reason that I try to avoid opening accounts on any site, and using google's login if I can)
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
|
|
|
|
|
Quote: This means they are storing all your previous passwords.
No, it doesn't mean that. They could be storing the hash of the password and reusing the salt on the new password.
|
|
|
|
|
They likely are only storing hashes of previous passwords.
|
|
|
|
|
|
I may climb a tower over multiple systems, the VPN, Active Directory, Global network, etc. All of them have different expiration policies so syncing up passwords is a real PITA. Don't give me the crap about they all should have different passwords, all those systems are part of the work ecosystem. Currently, I have 3 different passwords because of the timing. There's one of them that expires the fastest, that I can't figure out which part of the environment it controls since I rarely type it.
|
|
|
|
|
I found KeePass here in Code Project, and have been using it ever since. I think it is terrific and have had no problems with passwords since I started using it.
You should give that try.
|
|
|
|