Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security United Kingdom

New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste 148

isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."
This discussion has been archived. No new comments can be posted.

New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste

Comments Filter:
    • by Anonymous Coward on Thursday September 10, 2015 @04:40PM (#50498871)

      The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.

      • by sudden.zero ( 981475 ) <(moc.liamg) (ta) (orez.neddus)> on Thursday September 10, 2015 @04:46PM (#50498931)
        Someone mod this up. This is totally correct! Until my work started making us change our password once every 60 days, and required that the last five passwords can't be reused, I had a very secure password memorized. Now that they implemented these "security" protocols I have to have a list to keep track of what five passwords were used last, and what the current password is. It's the most retarded requirement ever!
        • by NicBenjamin ( 2124018 ) on Thursday September 10, 2015 @05:53PM (#50499409)

          I have a simple password. I increment. I use the same one at both jobs. They're actually incremented to the exact same digit at the moment.

          I doubt it's secure, but it allows me to avoid hassles.

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            But that's the idea behind "frequent changing passwords a waste". I don't even know why changing your password is more secure than keeping a password. Normally you only get a limited amount of tries before your account gets locked anyway. So what does it matter when you keep the same password for the couple of years you use a particular service? And most service you keep for a longer time have better build in security anyway. Like the requirement to verify an e-mail when you log in on a new computer, or sen

            • by wwphx ( 225607 )
              As ubiquitous as smartphones are, especially in IT staff, I'd like to see a proximity tie. You walk in to your office, you sit down at your computer, the computer has already identified your phone and is waiting for a password that can be simple since your phone must be proximate -- it does not fully unlock until you do something at the keyboard. Maybe have a certificate exchange, or in the case of later model iPhones, add a fingerprint swipe. (Yes, I saw the Myth Busters on spoofing fingerprint scanners
        • by Anonymous Coward on Thursday September 10, 2015 @11:27PM (#50500639)

          I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically but it wasn't required. Periodically I would suspend the account locking and attempt to crack users passwords. Any users were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved, It never happened. Life was good.

          Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.

          Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.

          The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.

          I left not long after that. I heard that he got fired a few years later, so at least there is a god.

          • I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically but it wasn't required. Periodically I would suspend the account locking and attempt to crack users passwords. Any users were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved, It never happened. Life was good.

            Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.

            Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.

            The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.

            I left not long after that. I heard that he got fired a few years later, so at least there is a god.

            we just got yet another system added to our list of systems we need passwords for; this one expires after 90 days, with no warnings, and locks you out so you can't change it once it expires without going through the help desk. I think they'd be happiest if they could just keep everybody from accessing the system.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Here's the problem in a nutshell:

        When I work for , initially I only have 1 password to memorize. As I gain tenure, more systems I gain access to, which have their own password rules. By the time I'm eligible to "move up" to another position I may have 23 different username and password combinations, of which some have rules that contradict others.

        So there is a huge loss in productivity having all of these passwords be unique. I wound up keeping the lesser-used passwords in a PDA. So if that PDA was ever los

        • by mlts ( 1038732 )

          The This is what AD and LDAP are for. This at least reduces the amount of passwords to a manageable level, mainly to environments. Of course, there are exceptions [1], but in general, SSO tends to be useful.

          It isn't NFC card access, but the closest thing that comes in mind for this was something Blackberry offered back in 2008/2009, where the Blackberry device could function as a CAC/PIV card via a Bluetooth adapter.

          What I'd be happy with would be a card that took the place of both a SD card and a SIM, an

        • I hope there's not some serious vulnerability to KeePass that I haven't heard about. That little program is a lifesaver for me. Unfortunately, the Mac version is rekt so I can't run it on any of our Apple hardware.

        • by Alumoi ( 1321661 )

          Wow, you mean something like the smartcard I've been using for the last 15 years? Yeah, we really need some new and (more) insecure technology.

        • by wwphx ( 225607 )
          I've always wanted to create 'red alert'/honeypot account names and passwords that I could put on sticky notes and any use of those would immediately disconnect the system in question from the network, shut it down, and trip security alarms. I'd frequently put such on the bottom of server console keyboards just to screw with people who bothered to look.
        • Here's the problem in a nutshell:

          When I work for , initially I only have 1 password to memorize. As I gain tenure, more systems I gain access to, which have their own password rules. By the time I'm eligible to "move up" to another position I may have 23 different username and password combinations, of which some have rules that contradict others.

          So there is a huge loss in productivity having all of these passwords be unique. I wound up keeping the lesser-used passwords in a PDA. So if that PDA was ever lost or stolen, I'd still be able to do work, but if one of those unique-cases came up, I'd have to lose the productivity then.

          Other people keep passwords on stickynotes on their PC.

          The problem, is, that passwords are bad.

          With the advent of smartphones/watches, it should be possible to just start having PC's have NFC built into the computer screen, and placing the phone near the screen leaves the PC unlocked and all accounts accessible until the phone is moved two meters away from the monitor. Forget your phone at home? Did it get smashed? Then your boss can issue you a NFC ID card and temporary/permanently revoke the phone.

          This also prevents password sharing because taking the phone or NFC card to another machine kicks out the previous login.

          Good luck getting Google and such implementing a common NFC card access.

          Here's the thing; when you forget your password, or it locks you out, you can just call the help desk, or go through some web page; and they ascertain your identity by a few different pieces of data; your social security number, your date of hire, your mother's maiden name, etc. So, basically, the insertion of a password into the chain of events grants you no extra security than just having you answer these questions when you want to log in. So come up with a slate of such challenge questions of which you h

      • by Anonymous Coward

        Writing a passphrase down is not necessarily insecure. It depends on where you keep it and who your adversary is (if there is one).

        Considerations and recommendations about passphrases only make sense in the context of their use and with the overall security system and its purpose in mind.

        • Writing a passphrase down is not necessarily insecure. It depends on where you keep it and who your adversary is (if there is one).

          Considerations and recommendations about passphrases only make sense in the context of their use and with the overall security system and its purpose in mind.

          every once in a while, a password writer downer realizes that instead of writing down the password they can write down the keys to the left of the actual ones in the password, or some such.

      • Or.. (Score:5, Insightful)

        by s.petry ( 762400 ) on Thursday September 10, 2015 @06:46PM (#50499691)

        You memorize a single strong password for a key storage program like Keepass, and only bother with 1 strong password being changed at your recommended frequency. I can change all of my other passwords randomly as often as I want and don't need to remember them all. I keep the encrypted DBs on a Thumb drive in my pocket, and a backup in a safe.

        While not perfect this setup is safer due to the lack of a keylogger picking things up. No system is perfect so I go for "better" and "best practices". I would much rather have a 20+ character password for my DB I change every 9-12 months than try and remember dozens and dozens of various passwords I have for everything else.

        Oh, I should add that I use multiple databases for multiple purposes. I don't mix business and pleasure.

        • You memorize a single strong password for a key storage program like Keepass.

          I've always wondered if the password storage programs are targets for attack and if so how secure they actually are. They seem vulnerable to keyloggers, for example, or password attacks on the master password.

          • by s.petry ( 762400 )

            You memorize a single strong password for a key storage program like Keepass.

            I've always wondered if the password storage programs are targets for attack and if so how secure they actually are. They seem vulnerable to keyloggers, for example, or password attacks on the master password.

            Yes they are vulnerable, and the people coding them know they are vulnerable. I won't used closed source code for that reason, it would be too easy for someone to build in back doors.

            Everything is vulnerable to a key logger, which is why you don't use devices you are unsure of. Mid stream, the password manager is safer because it uses memory only, not input devices.

      • by Alioth ( 221270 )

        Hmm. Relevant XKCD https://xkcd.com/936/ [xkcd.com]

      • by Anonymous Coward

        You should only be changing passwords when you think you might be compromised.

        And your good password is good because it is unmemorable, there's no shorter way of remembering it. So it gets written down. After a while you can sort of remember it and after some time more, you CAN remember it. But if you ever have to change it, you have to write it all down again and relearn.

        So your good password should only be used when you think the resource locked by it worth that.

        Otherwise MAKE UP A WORD. ginwitfanstable.

      • If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password [...]

        It depends. If you use the same password on multiple systems, then it's only as secure as the least-secure of those systems. If you never change it, for all you know, someone has compromised one of the weaker links in that chain and been able to log on as you for months or years.

      • Why limit at 12? Why not let people use full sentences, also compatible with symbols and case sensitive?
    • So what exactly can "they" do with my /. password?
      • So what exactly can "they" do with my /. password?

        Not much. But if your /. password is also your Citibank password, they can do a lot.

        Password reuse is dumb, and they should not be saying it is ok.

        • I wonder if that's why they are saying "Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."

        • They're not saying its ok, they're saying you should only reuse passwords for similar systems, which makes sense... Your slashdot password gets compromised its not a big deal, use the same password on some other news site its also not a big deal, just make sure you use a different password for your bank.

          • They're not saying its ok, they're saying you should only reuse passwords for similar systems, which makes sense... Your slashdot password gets compromised its not a big deal, use the same password on some other news site its also not a big deal, just make sure you use a different password for your bank.

            If your bank hasn't provided you a token then find another bank. No excuse for forcing users to use using password logins at this point.

        • It's not and I've posted my password here before and nothing happened.
  • Makes sense (Score:5, Insightful)

    by AuMatar ( 183847 ) on Thursday September 10, 2015 @04:08PM (#50498593)

    The fact is, most of the accounts I have passwords for don't really matter. I don't give a shit if someone gets access to my slashdot account. Or if they get access to an old video game forum or two. So there's no reason to give those things really secure passwords. The things that need secure, unique passwords are your email, your bank/broker, and anything that would truly upset you if you lost access to. Give the rest some default password and stop caring.

    • by Qzukk ( 229616 )

      Yeah, I think if I had to rate in order from most secure to least secure I'd have to say it's something like:

      brokerage account
      SSL certfificate account
      bank account
      steam account
      gmail account
      ~~~
      various forum accounts
      ~~~
      slashdot account
      electric company account (please break in and pay my bill for me!)

      • Re:Makes sense (Score:5, Insightful)

        by Anonymous Coward on Thursday September 10, 2015 @04:30PM (#50498783)

        Your email account should be the top of the list as access to that typically allows someone to reset all of your other accounts.

        • by AmiMoJo ( 196126 )

          You should have 2 factor auth on your email account, minimum. As you say, once someone is in there you are screwed.

      • Re:Makes sense (Score:5, Informative)

        by DaphneDiane ( 72889 ) <tg6xin001@sneakemail.com> on Thursday September 10, 2015 @04:35PM (#50498819)

        electric company account (please break in and pay my bill for me!)

        You might want to move electric company account up the list. Utilities bills are often used as proof of address when verifying identity.

        • electric company account (please break in and pay my bill for me!)

          You might want to move electric company account up the list. Utilities bills are often used as proof of address when verifying identity.

          Since the article is talking about the UK guidelines here, check out this list [www.gov.uk].

        • by AmiMoJo ( 196126 )

          When I recently opened a new bank account all they wanted was details of my other bank account, with another bank. I was moving my payments over anyway, but they didn't ask for any proof of ID. I did the whole thing online, the account was set up in minutes.

          I wonder how much information I'd have to change, e.g. putting a different address on the new account, before they would start to worry...

    • by raymorris ( 2726007 ) on Thursday September 10, 2015 @04:29PM (#50498775) Journal

      That's what I do now, I basically classify things as low, medium, or high security. I don't want to remember a thousand different passwords and don't care to use a password manager for sites like Slashdot or other news sites I comment on. So low-impact sites all get the annual password when I register.

        I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.

      For a while I did something that might be better. I had an algorithm and a little utility program which generated a unique password based on my master password and the domain name. So something like sha1(mypassword, 'slashdot.org'). That gave me different passwords, without remembering them all, and without being tied to one specific password manager. I could "recall " my password on any device at any time. Actually, I chose an algorithm that I COULD compute in my head, though with considerable difficulty.

      • by fisted ( 2295862 )

        I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.

        That's actually a nice idea

      • That's what I do now, I basically classify things as low, medium, or high security.

        Me too so I set all my passwords to 'low', 'medium' and 'high' depending on security level so I won't forget which is which.

        Damned websites keep complaining that my password has to be longer than three characters though - and I have no way to say 'but your site doesn't matter to me so three is just fine'.

    • I'd advocate having a "default" password but making it unique to the site or service by adding some string to the end based on the name of the site (or some other easily memorable thing). e.g. your shashdot password might be "DefaultPassword1234Slashdot" whereas your reddit account might be "DefaultPassword1234Reddit". It's basically zero cost to remember yet still gives some protection against someone running a script on a compromised username/password database.
    • by khasim ( 1285 )

      Now imagine that one of those junk sites gets cracked. They now have:

      1. your email address
      2. your password for that site
      3. the "security" answers you've provided

      Using #1 & #2 they can try to access other sites to collect more of #3.

      Have you used the same email address (#1) and security answers (#3) on critical sites? If so, they can potentially bypass the password (#2) that they do not have for those critical sites.

      So, unique passwords AND unique email addresses (with unique passwords) for critical site

      • by AuMatar ( 183847 )

        You provide real answers for security questions? That's you being fucking stupid. Just mash the keyboard.

        • That works until you need them.

          • A password manager usually has a comments block to be filled in by the user.
            Insert the "secret question" and its (made up) answer into the comment block. Then you don't have to bother to remember them, and there's basically no way to guess them, since they have no bearing on reality - "what was your first pet's name? Ford Prefect"....
            • Ford Prefect is unlikely to arise by mashing the keyboard.

              And if you aren't using a password manager, or you didn't note down that your mother's maiden name was FHGFHGFHA?

      • by fisted ( 2295862 )

        If you meaningfully fill in the 'security answers', then you're already doing it wrong

        • by Cederic ( 9623 )

          My bank gets confused every time my answer to, "What's the first school you went to?" is "I don't know"

          I have stopped using 'fuck off' as my mother's maiden name though. Even I found that one awkward over the phone.

    • Your Karma sucks so bad?
    • I have memorised 3 alphanumeric passwords which are the basis of all of my passwords. Basically I rotate two of those three passwords through all the crap I don't really care about. Worst case scenario is it takes me 2 log in attempts to get the right password on any given site

      When it comes things I care about it gets all three passwords combined making a stupidly long alphanumeric that is really easy to remember.

  • by WillAffleckUW ( 858324 ) on Thursday September 10, 2015 @04:09PM (#50498595) Homepage Journal

    If you make it too hard for them, they either use weak passwords or they tape them next to the monitor so that you can human engineer the security with a camera enabled pen or purse or water bottle you "forget". Or they type into the notes feature on their easily guessed cell phone.

    (caveat: I used to be the acting regional security officer for a military region, so I have absolutely no idea what security measures get defeated and will deny knowing such information)

    (extra caveat: facial recognition is pretty useless and easy to defeat, as are most biometrics)

    • by dpidcoe ( 2606549 ) on Thursday September 10, 2015 @04:40PM (#50498879)
      Yep. When I worked in IT, security kept enforcing stricter and stricter password guidelines. Eventually it boiled down to basically every. single. user. picking a password in the format of [Kids name][kids birthdate]![number representing how many times they'd had to change their password]. It got to the point where if I had to fix someones computer but they weren't at their desk I'd just check their hire date and multiply number of years worked by 4 (for the end number) examine whatever family pictures they had framed there and have the password in 3-5 guesses.

      This is the same security that disabled ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and dropbox.
      • Another agreement here.

        I work in the NHS and we have to change passwords on OS login and most applications every 28 days (passwords must be 8+ characters (IIRC), must contain at least one number amongst those and must also contain at least one upper case letter). This results in either a) people writing their passwords down and keeping them handy or b) using the same password every month and changing two digits to account for the month (I use option B as it should be marginally more secure, assuming our IT

      • This is the same security that disabled ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and dropbox.

        Let me guess - you work at the white house supporting Hillary?

      • Comment removed based on user account deletion
    • by dplong ( 316604 )

      Re facial recognition. I worked in the video-surveillance industry for a few years, and video analytics, especially facial recognition, is a big joke. False positives render it near useless.

  • by YrWrstNtmr ( 564987 ) on Thursday September 10, 2015 @04:14PM (#50498633)
    Let's ask former Ashley Madison members.
    • Not to mention the Gawker hack victims.

      I had dozens of sites I had to go change passwords on. Good thing I keep a list of what username/password combinations I use where, and the one I had used for Gawker was the one I use for "throwaway" comment board registrations.

      Unfortunately, it was also very close to passwords I use for slightly more security, like work and email, so I had to change those, too.

  • by nickweller ( 4108905 ) on Thursday September 10, 2015 @04:19PM (#50498685)
    A portable hardware device that generates one-time-only passwords. The master keys never leave the device and can be revoked in the event of the device getting lost. Hacking any individual device provides no clues that can be used to hack the other devices.
    • that's how really secure systems get hacked, because the generals tend to attach it to the secure laptop case along with the key, making it a one stop security breach waiting to happen.

      "it will never happen to me" - can't tell you how often it happened, walk into the insecure lunch area, grab the case, pop the top, use the hw device, and home free and they haven't even finished their first cup of tea or coffee. return it to them and they assume if you have a valid uniform you must be ok, nobody ever checks.

  • by jtownatpunk.net ( 245670 ) on Thursday September 10, 2015 @04:26PM (#50498747)

    Must have a mix of upper case, lower case, numbers, and special characters. And it can't be any of my last eleventy-six passwords. "It's been a while since you've logged in from the mobile application. Please change your password." What the flying fuck?!? I just wanted to check my balance and now I have to change my password.

    • You could have the opposite. My bank requires a 6 character password no special characters and no capitalisation allowed with the username being printed on all your bankstatement. And with their new update once you have got access to the account you can transfer the entire balance of the account to anyone who has received a payment before. Their argument is that you needed to do an sms verification the first time, so that kid you paid to fix your pc? he can now receive the entire contents of your bank ac

      • by jrumney ( 197329 )

        no capitalisation allowed

        The bank's response: How can a 4 digit number have capitals anyway?

    • What the flying fuck?!? I just wanted to check my balance and now I have to change my password.

      I remember in the past some online banking sites did this right. You could log in to check balances with the basic password, but you'd need stronger credentials to make payments. Now they want me to use up numbers from the one-time pad both for the initial login, and again for the payment.

      I understand the balance and transactions can be sensitive information to many people, but losing money directly should be a more immediate concern. As many other commenters are pointing out, the level of crypto should

  • by Okian Warrior ( 537106 ) on Thursday September 10, 2015 @04:28PM (#50498773) Homepage Journal

    Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.

    So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.

    OK - got it.

    • Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.

      So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.

      OK - got it.

      I am pretty sure (hoping) you are being sarcastic because that is not what the quote says at all. It is only ok to re-use a password when both systems have equivalent levels of data value.

      To provide a car analogy: It is perfectly fine to use the same key for both my Toyota Corolla and my Ford Focus. However also using that key for my Aston Martin would be unacceptable.

    • Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.

      So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.

      OK - got it.

      Funny but the re-use logic goes in both directions.

    • by rastos1 ( 601318 )
      No. But it is OK to use a strong password and well secured system to store your lower value data and then reuse the same password on equally or better secured highly sensitive system.
  • less password01? (Score:5, Insightful)

    by sims 2 ( 994794 ) on Thursday September 10, 2015 @04:34PM (#50498811)

    Does this mean I won't have to change my password from password01 to password02, password03 ect?

    You require people to change it every 90 days and expect them to remember it what do you think people are going to do? It is going to be S!mp1e as can be.

    Simple1! fulfills most companys password requirements.

    If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy

    It will have to stop changing on a arbitrary basis.

    • by Calydor ( 739835 )

      6B=1X8Vg+Bxqfs=2oPEy

      Isn't that the proof to Fermat's Theorem?

    • Does this mean I won't have to change my password from password01 to password02, password03 ect?

      You require people to change it every 90 days and expect them to remember it what do you think people are going to do? It is going to be S!mp1e as can be.

      Simple1! fulfills most companys password requirements.

      If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy

      It will have to stop changing on a arbitrary basis.

      At least some authentication systems can stop you from using a new password that is too much like your old password.

      • They have this at my employers and it has always worried me.

        For this to work they'll have to store the password in clear somewhere so they can make comparisons.

        If they used the conventional approach of passing the given text through a few iterations of SHA then even just bit difference in given passwords would make a huge change to the encrypted one - so how could they tell if the new one was similar to the older one?

        • They shouldn't be able to check against all your old passwords, but at least for the most recent one you generally need to enter both the old and new passwords together in order to implement a password change, to prove that you're the rightful owner of the account. Thus they don't need to have the old password on file to check for similarity, they can simply compare against what you just sent them.

          Of course, a really secure system wouldn't include sending them the password at all—it should be used on

        • They have this at my employers and it has always worried me.

          For this to work they'll have to store the password in clear somewhere so they can make comparisons.

          If they used the conventional approach of passing the given text through a few iterations of SHA then even just bit difference in given passwords would make a huge change to the encrypted one - so how could they tell if the new one was similar to the older one?

          By decrypting them? :-)

    • by Nemyst ( 1383049 )
      Now guess what happens when the system not only asks for a new password three times a year, but also restricts the password to never have been used before and to be exactly eight characters? People find a short 5 character password and append NYY (N = password number, YY = year).

      Yes, I have to use such a system. Yes, it's as awful as you'd think it to be.
  • by xxxJonBoyxxx ( 565205 ) on Thursday September 10, 2015 @04:38PM (#50498865)

    RootPassword!1
    RootPassword!2
    RootPassword!3
    and so on.

  • This just in ...

    Governments around the world agree; just use your name or '1234567'. It is estimated that governments (and taxpayers) will save billions on expensive technology used to decrypt worldwide communications. Garth Grunt (not his real name), representing an anonymous spy agency in an anonymous country says "Do the patriotic thing. Loosen up your security so that we can protect you better."

    That's today's headline, now for the rumors behind the news...

  • by HannethCom ( 585323 ) on Thursday September 10, 2015 @04:46PM (#50498925)
    Microsoft Research found that the maximum times people could change a password and have it secure is twice a year. This was the absolute limit where they suggested that a more realistic limit was once a year. Any more than twice a year and people had to start writing them down, or use insecure passwords that were easy to remember. A common one being an easy to guess word with an incrementing number after it.

    The irony is that Windows Server defaults to having you change your password every 42 days. 8-9 times a year.

    How do I know this? I studied for the Microsoft Security Test. They had one required book for studying and one recommended book for studying. The required book would help you pass the test. The recommended book was written by Michael Howard, Microsoft's top secure code specialist. In the book, Writing Secure Code, he would reference the research division's work. Basically the book said that everything on the test and the other book was wrong. I have taken courses in security which matched what Microsoft Research and what Michael Howard said. I would highly recommend reading Writing Secure Code, as even with taking courses on it, I learned a lot from that book.

    For the record, I didn't pass the security test. I got 1 question "wrong." I don't know about now, or if the test still exists, but you used to have to 100% it.
  • by future assassin ( 639396 ) on Thursday September 10, 2015 @04:58PM (#50499045)

    Now I don't always remember it 99.9% of the times but what I do is have a pattern that I use to extract 4 letters from a sites name and use 4 or so selected 4 number combos which I combine into a password. At least it gives me different passwords for different sites.

  • Indeed, I have reached Hunter239 on my password now. It sucks having to change it every week.

  • Changing your passwords every so often is important, most password breaches go undisclosed, not all 'crackers' are releasing their findings.
    • by Mouldy ( 1322581 )

      most password breaches go undisclosed, not all 'crackers' are releasing their findings.

      [citation needed]

  • by Anonymous Coward

    https://xkcd.com/936/

  • Some sort of minimum security standard across the damn board would be greatly appreciated.

    Set minimum password strength, length, type requirements. Set standards for hashing and storing login credentials, etc. You adhere to the standard and become certified to do business out on the web. No certification, no web business for you. Though, we sorely need the same standards applied to corporate networks that carry customer information as well. ( Eg: Home Depot, Target, etc )

    Every site has different require

  • With all the password hacks/cracks/thefts, my cynicism has led me to believe that password policies are not about protecting the user, they are about protecting the company. With every damn website and store loyalty program asking you to create an account, it's to the point of absurdity. But they tell you that you need to create a unique password, of course. The uniqueness is not there to protect the user, it's to protect the company from liability when their crappy data policies (storing passwords in plain

news: gotcha

Working...