Frequent Password Changes Are the Enemy Of Security, FTC Technologist Says (arstechnica.com)

Though changing passwords often might seem like a good security practice, in reality that isn't the case, says Carnegie Mellon University professor Lorrie Cranor. Earlier this year, when the Federal Trade Commission tweeted that people should "encourage" their loved ones to "change passwords often," Cranor wasted no time challenging it. From ArsTechnica's story: The reasoning behind the advice [of changing passwords often] is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to Cranor, a university professor who focuses on security, the advice was problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days. "I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'" Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe: frequent password changes do little to improve security and very possibly make it worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it. The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill.
  • by Bigbutt ( 65939 ) on Wednesday August 03, 2016 @09:07AM (#52635417)

    The current discussion is a password change for our DMZ servers every 30 days. The mid zone servers are currently every 60 days. And corporate accounts are set to 90 days.

    [John]

    • Re:Annoying (Score:5, Insightful)

      by RabidReindeer ( 2625839 ) on Wednesday August 03, 2016 @10:20AM (#52636035)

      You have one and only one password. Either the enemy knows it, and all doors are open, or he doesn't.

      Whether the password changes or not - or how frequently - is immaterial. If the password is known, then you are already pwned.

      Changing the password after someone has already gotten in is almost literally like locking the barn after the horse was stolen - except that in the case of passwords, you could be locking the barn with bandits already inside ready to break security all over again.

      Your efforts are much more profitably employed in protecting your passwords to begin with.

      • by Striek ( 1811980 )

        Changing the password after someone has already gotten in is almost literally like locking the barn after the horse was stolen

        Not necessarily - I've always used password rotation as a method to expire inactive accounts also - because let's face it, some accounts will always slip through when they fall out of use (service accounts, vendor accounts, test/development accounts, etc...). Then, by requiring a physical presence to change a password (as in, it can't be done over a VPN or SSH or otherwise remotely), you're requiring an additional form of authentication to reactivate or re-age an account - your access tokens for the buildin
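Added example, not from the thread and not from any directory product: the check that a rotation policy performs implicitly in the comment above (an account whose password nobody has changed is an account nobody is using) done explicitly, so the service, vendor and test accounts that "slip through" are reported rather than silently locked out. The export format, the per-type age and idle limits, and every account row are constructed for this example; a real run would feed it a dump of password-last-set and last-logon timestamps from the directory.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed directory export (name, account type, password last set,
# last logon, enabled). The rows are made up for this example.
SAMPLE_EXPORT = """\
name,kind,pwd_last_set,last_logon,enabled
jsmith,user,2016-06-20,2016-08-02,true
svc_backup,service,2015-01-10,2016-08-01,true
vendor_hvac,vendor,2016-01-15,2016-02-01,true
test_qa2,test,2015-11-30,,true
old_contractor,user,2014-03-01,2014-09-12,false
"""

# Assumed limits: longest a password may stand, and longest an account may
# sit unused, per account type. Vendor and test accounts get short leashes.
MAX_PWD_AGE_DAYS = {"user": 365, "service": 365, "vendor": 90, "test": 90}
MAX_IDLE_DAYS = {"user": 90, "service": 30, "vendor": 30, "test": 30}


def parse_export(text: str) -> list[dict]:
    """Turn the CSV dump into rows with real datetimes and a bool for enabled."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["pwd_last_set"] = datetime.fromisoformat(r["pwd_last_set"]).replace(tzinfo=timezone.utc)
        r["last_logon"] = (datetime.fromisoformat(r["last_logon"]).replace(tzinfo=timezone.utc)
                           if r["last_logon"] else None)
        r["enabled"] = r["enabled"].strip().lower() == "true"
        rows.append(r)
    return rows


def stale_accounts(rows: list[dict], now: datetime) -> dict[str, list[str]]:
    """Enabled accounts a blanket rotation policy would lock out without anyone
    noticing: password older than its limit, or no logon inside the idle limit."""
    findings: dict[str, list[str]] = {}
    for r in rows:
        if not r["enabled"]:
            continue                      # already disabled, nothing to expire
        reasons = []
        pwd_age = (now - r["pwd_last_set"]).days
        if pwd_age > MAX_PWD_AGE_DAYS[r["kind"]]:
            reasons.append(f"password unchanged for {pwd_age} days")
        if r["last_logon"] is None:
            reasons.append("never logged on")
        elif (idle := (now - r["last_logon"]).days) > MAX_IDLE_DAYS[r["kind"]]:
            reasons.append(f"idle for {idle} days")
        if reasons:
            findings[r["name"]] = reasons
    return findings


def audit(export_text: str, as_of: str) -> dict[str, list[str]]:
    """Convenience wrapper: run the check against an export as of an ISO date."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    return stale_accounts(parse_export(export_text), now)


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_EXPORT, "2016-08-03").items():
        print(f"{name}: {'; '.join(reasons)}")
```

The output is the list you would hand to whoever owns each account, with the reason attached; the disabled contractor account is skipped because there is nothing left to expire, and a password-age hit with no idle hit (the backup service account here) is exactly the case where forced rotation would have broken a working job.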

      • Re:Annoying (Score:5, Insightful)

        by TheRaven64 ( 641858 ) on Wednesday August 03, 2016 @11:47AM (#52636737)
        Password rotation is intended to protect against offline attacks. If someone who grabs a copy of your password db can break the hashes in 30 days, then rotating passwords every 30 days is a good defence: by the time someone has found a password, it won't be valid anymore. The problem is that it's a threat model that doesn't really make sense for most organisations.
        • by Bert64 ( 520050 )

          Most organisations are using active directory for most user accounts, which stores passwords in an extremely weak way...
          If someone malicious has a copy of the password hashes they can simply perform hash passing attacks with them as soon as they acquire the hashes, without requiring any cracking.

          Also password cracking doesn't take a fixed amount of time except for the very weakest algorithms that can be completely brute forced. For most algorithms it's a case of trying the most likely passwords first, and in

        • Good point. I was thinking about what good password changing does for the user. If the corporate password database has been hijacked, that's obviously different - assuming that the hijackers can't crack it fast enough.

          Of course, if someone could get in far enough to hijack the password database, then you've got bigger security issues than just those pertaining to a single account anyway.

        • by gringer ( 252588 )

          Except the 2010 study points out that given an old password and simple changes for the new password (as is common), it only takes a few seconds to discover a new iteration of a previous password.

      • by chihowa ( 366380 )

        Your efforts are much more profitably employed in protecting your passwords to begin with.

        Or avoiding passwords altogether and using secure element bound PKI [wikipedia.org] for access to critical systems. In addition to seriously raising the bar for unauthorized access, you can generate nice audit logs of who is accessing what and when because there is no need for sharing admin passwords.

    • My company has this. Normally my passwords are massive, unwieldy things.

      asdf12!@ meets all of the requirements. And when they force me to change it in 30 days. 23@#, 34#$, ....

      • by gfxguy ( 98788 )

        I had an algorithm for unique passwords for different sites that needed them that combined things about the company, myself, and various other criteria that meant I could always deduce what my password was if I didn't outright remember it. The passwords were relatively long and complicated, mixing upper/lower, numbers, and some punctuation, and were at least 10 characters long. Then we started in with the "must change your password every x days." So I revamped my algorithm to include something timely. I

        • You have a good point. Also, in addition to having multiple passwords for multiple sites, with various password requirements, you also might have multiple devices that need to be kept in sync from a password perspective. For instance, when I change my personal email password, I have to change it in my desktop email client, my android device, and my phone. It's a pain, and causes me to not do it as often as I otherwise would.

          One thing that has really come to be a lifesaver for me is a password manager (keep

      • Since you can't reuse a password and you're not supposed to use the same password on any other site and you should change your password often, every 60 days, then that means you need a shitload of distinct passwords.

        Oh yeah. And don't write any of them down either.
    • lots of outfits have wildly inconsistent rules, change periods, and prohibition types on passwords. I ought to just be able to set time to expire as well as changing everything to "asspword", and be done with it.

    • by tsotha ( 720379 )

      If I were trying to hack into your DMZ I'd be trying passwords like "January2016" and "J4nu4ry2016". If you put a policy in place like that one of two things is going to happen: people will choose passwords with the same pattern, or they'll write the passwords down. You're lucky if it's the latter.

  • Wrong? (Score:4, Interesting)

    by Anonymous Coward on Wednesday August 03, 2016 @09:12AM (#52635459)

    "Frequent password changes lock them out. "
    I was under the understanding that static passwords were an issue because they are far easier to brute force in a long term campaign, as well as a couple other reasons...

    • Re:Wrong? (Score:5, Insightful)

      by beelsebob ( 529313 ) on Wednesday August 03, 2016 @09:29AM (#52635603)

      Right, and as this article covers, that's not true. In practice, passwords that don't have to be changed regularly are much stronger, because users are willing to choose a secure password and remember it long term, rather than when they have to change it regularly, they inevitably choose pass0001, and then when they have to change it, choose pass0002, and then pass0003 etc.

      • Another part of the rationale to change passwords has to do with the aging of a seriously hashed/encrypted password-- from the days when a SHA-1 took weeks to cook.

        The rubric of the iterative, dictionary-attackable password presumes that one password leads to another, and that someone's going to program a rainbow table or dictionary attack to short-cut to such iterative devolution. Very few attacks that I've seen do this; buying a list of password cracks from, say, LinkedIn break-ins isn't going to yield a s

  • Finally! (Score:5, Interesting)

    by mcmonkey ( 96054 ) on Wednesday August 03, 2016 @09:12AM (#52635463)

    Policies that require frequent password changes lead me to:
    - pick easy to remember (and therefore easy to guess) passwords
    - restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
    - Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password for internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
    - Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.

    Frequently changing passwords exclude adherence to most other security good practices.

    • As soon as password changes aren't part of PCI the world will be a better place.
    • Policies that require frequent password changes lead me to:
      - pick easy to remember (and therefore easy to guess) passwords
      - restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
      - Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password for internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
      - Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.

      Frequently changing passwords exclude adherence to most other security good practices.

      This is all true but password changes do reveal password compromises.

      • Re:Finally! (Score:4, Insightful)

        by Bongo ( 13261 ) on Wednesday August 03, 2016 @10:04AM (#52635903)

        This is all true but password changes do reveal password compromises.

        And having compromised tomat001 they can go straight onto guessing tomat002.

        Really, why don't banks force everyone to change the PIN on their cards every month?

        • You mean those highly secure 4 digit codes?

          The reason banks don't care about your security is because that's your problem. You can bet their internal requirements are much more strict, because internal security is their problem.

          • The 4 digit code would be very weak against brute forcing if you had the hashed data in front of you but when you have to use their interface to attempt a code and you have only 3 chances, good luck. Additionally the fraud protection systems used by most decent banks will flag your purchase or limit your cash withdrawals. Additionally they are on camera when they do it.

        • This is all true but password changes do reveal password compromises.

          And having compromised tomat001 they can go straight onto guessing tomat002.

          Really, why don't banks force everyone to change the PIN on their cards every month?

          Obviously, reasonable password policies don't allow you to do that.

        • by Quirkz ( 1206400 )

          That's why you outsmart them by going to tombt001, then tomct001. One, that gives you 26 iterations before you've got to think up a new scheme, and two, it's *sneaky*.

      • by DarkOx ( 621550 )

        This is all true but password changes do reveal password compromises.

        Yes exactly! Forced password rotations set a ceiling on how long an account might remain unknowingly "shared". Let's face it, breaches often go undetected for a long time, and that is a problem. Forced password rotation is in fact a detective control and a valuable one! Probably too valuable to give up IMHO. Should it be a reasonably long horizon like 90 or 120 days? Yes, but it should not be never.

    • Re:Finally! (Score:4, Interesting)

      by OzPeter ( 195038 ) on Wednesday August 03, 2016 @09:27AM (#52635583)

      - Write down passwords.

      I'm not so sold on the evils of writing passwords down as it requires the Evil Actor to have physical access in order to exploit it. And as we all know, once you have physical access it is pretty well game over for security in general.

      • I'm not so sold on the evils of writing passwords down as it requires the Evil Actor to have physical access in order to exploit it.

        That can be a problem in a corporate environment. I can't tell you how many times I've found a password written on a Post-It note that got taped to the monitor or underneath the keyboard. If the written password was inside a locked overhead cabinet or a wallet that someone carried, access to the network becomes a lot more difficult. Never mind that many Fortune 500 companies have policies against writing passwords down in the first place.

        • Re:Finally! (Score:5, Insightful)

          by Bongo ( 13261 ) on Wednesday August 03, 2016 @10:10AM (#52635951)

          That can be a problem in a corporate environment. I can't tell you how many times I've found a password written on a Post-It note that got taped to the monitor or underneath the keyboard. If the written password was inside a locked overhead cabinet or a wallet that someone carried, access to the network becomes a lot more difficult. Never mind that many Fortune 500 companies have policies against writing passwords down in the first place.

          I wonder how people would behave if the official policy was to write it down and put it in your wallet.

          Most people have to write down their passwords, there is just no way to remember lots of unique passwords. But if policy is "don't write it down", that's like making it policy "don't breathe", and then people will naturally say, gee this policy is idiotic, we'll just have to ignore it. Result is you're training people to ignore your advice.

          If we want people to follow the advice, we have to give reasonable advice that's practical to follow. There's still too much of this, "it's the dumb user", attitude.

          • by arth1 ( 260657 )

            If we want people to follow the advice, we have to give reasonable advice that's practical to follow. There's still too much of this, "it's the dumb user", attitude.

            Yes, and no. That users are dumb isn't an attitude, but a fact. It's what you do to compensate for users being dumb that's important. You can educate people to be less ignorant, but not to be less dumb. So you have to route around it, and presume that a substantial portion of your users are, in fact, not to be trusted with forks, buttoned shirts or remembering passwords.

            Adding easy to use and fast 2-factor authentication and easy to access password resets can go a long way. Adding physical security so

            • by ebyrob ( 165903 )

              Easy password resets are a bigger problem than never changing passwords. Nothing worse than getting my account compromised because someone ELSE changed the password.

            • by Ken D ( 100098 )

              "he should have remembered his password"

              Why? I've got 140 username / passwords in one password vault, and I've got more in another one. Over 7 different PINs or passwords that are work related.

              There is a limit to the number of PINs and passwords that you can remember, especially when the restrictions prevent you from coming up with a password that you might possibly be able to remember. And that's before you have password expiration policies kick in.

              BTW who's the moron who lets the policy expire passwor

        • I've solved the writing password policy issue. I have a private portion and hashing scheme that are static and I keep in my head. I have a public portion that changes with the password policy timing scheme that I keep on a post-it or in a notebook. I don't have to remember an obscene password and I don't have to leave a note that compromises any account.
        • by DarkOx ( 621550 )

          When I was working at an F500 on the internal security team we actually got an official policy that users *could* write down passwords iff they did so on a card kept in a wallet or purse which remains on their person outside the home.

          Most people discover quickly they have lost their wallet or purse. So they are aware the password may be compromised and can notify IT Security to lock the account / reset the password promptly. Usually people have a pretty good idea when these items went missing as well, so

      • - Write down passwords.

        I'm not so sold on the evils of writing passwords down as it requires the Evil Actor to have physical access in order to exploit it. And as we all know, once you have physical access it is pretty well game over for security in general.

        Security isn't an all-or-nothing game. While the NSA or KGB could do a hundred things to compromise your privacy or security if they got physical access, an identity thief would probably judge it not worth his effort if he stole your laptop and it had full-disk encryption. In that case, having the password on a sticky note is really bad.

    • by johanw ( 1001493 )

      At the last company I worked for that required that, I used "base01", "base02", etc. for passwords, with "base" a fixed part. Worked flawlessly, it defeated all checks on the reuse of passwords.

    • If your organization requires long and frequently changing passwords, try walking around the office some evening and look for post-it notes under the keyboards. You'll find plenty.
    • Well - I don't write down the whole password. But I do put a sticky on the wall that says "version 5" :-)

    • Or,

      Come up with one *really* good password/passphrase, and use it on your 1Password vault. Then give everything else passwords made up of long random strings and rotate them at whatever interval the BOFH or compliance pinhead demands. Though I'm sure there are *some* workplaces where this would be verboten, I've never worked in one. Of course, even that scheme can make my blood boil. my usual setting of 32 characters of 25% each of random capitals, lowercase, digits, and symbols often reveals things lik

    • by tlhIngan ( 30335 )

      Actually, that's half the problem.

      The other problem is that users do not pick new random passwords, but just modify the old one.

      E.g., let's say your password is "Password". 90 days later, you can bet it will be "Password1". Then "Password2" ... "Password9" and "Password0", finally probably cycling around to "Password1" again. (FYI - that password now gets you lower case, upper case and number).

      That's the real problem - password security goes down faster than the benefits of frequent password changes accrue. After al
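Added example, not from the thread and not the 2010 UNC study's own tooling: the transform-based guessing that gringer and tlhIngan describe above, turned into code. Given a user's previous password, `successors()` builds the small candidate set people actually pick under forced rotation (trailing number bumped, every digit incremented, symbols shifted along the number row, next season or month, one letter advanced, leetspeak), and `recover_new_password()` tries those against a stored salted hash. PBKDF2-HMAC-SHA256 with 1000 rounds stands in for whatever the target system really stores, and the old/new pairs in the demo are constructed to mirror the patterns quoted in this thread ("Password1", "tomat001", "Spring01", "asdf12!@", "January2016").

```python
import hashlib
import hmac
import re
from typing import Optional

SEASONS = ["Spring", "Summer", "Autumn", "Winter"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
SHIFT_ROW = "!@#$%^&*()"                 # shift+1 .. shift+0 on a US keyboard
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def hash_password(password: str, salt: bytes, rounds: int = 1000) -> bytes:
    """Stand-in for the target's stored hash (assumed PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def bump_trailing_number(s: str, delta: int) -> Optional[str]:
    """Password1 -> Password2, tomat001 -> tomat002; zero padding is kept."""
    m = re.fullmatch(r"(.*?)(\d+)(\D*)", s)
    if not m:
        return None
    base, num, tail = m.groups()
    return f"{base}{max(int(num) + delta, 0):0{len(num)}d}{tail}"


def bump_each_digit(s: str) -> str:
    """12 -> 23: every digit incremented in place, 9 wrapping to 0."""
    return "".join(str((int(c) + 1) % 10) if c.isdigit() else c for c in s)


def shift_symbols(s: str) -> str:
    """!@ -> @#: each number-row symbol moved one key to the right."""
    return "".join(SHIFT_ROW[(SHIFT_ROW.index(c) + 1) % len(SHIFT_ROW)]
                   if c in SHIFT_ROW else c for c in s)


def match_case(template: str, word: str) -> str:
    if template.isupper():
        return word.upper()
    return word.capitalize() if template[0].isupper() else word.lower()


def next_period(s: str) -> list[str]:
    """Spring01 -> Summer01, December16 -> January17 (year may roll over)."""
    out: list[str] = []
    m = re.fullmatch(r"([A-Za-z]+)(\d{2,4})(\W*)", s)
    if not m:
        return out
    word, year, tail = m.groups()
    for cycle in (SEASONS, MONTHS):
        names = [n.lower() for n in cycle]
        if word.lower() in names:
            i = names.index(word.lower())
            nxt = match_case(word, cycle[(i + 1) % len(cycle)])
            rolled = str(int(year) + (i + 1 == len(cycle))).zfill(len(year))
            out += [f"{nxt}{year}{tail}", f"{nxt}{rolled}{tail}"]
    return out


def bump_one_letter(s: str) -> list[str]:
    """tomat001 -> tombt001: a single letter advanced by one."""
    return [s[:i] + chr(ord(c) + 1) + s[i + 1:]
            for i, c in enumerate(s) if c.isalpha() and c.lower() != "z"]


def leet_variants(s: str) -> list[str]:
    """January2016 -> J4nu4ry2016: one substitution class at a time, then all."""
    out = [re.sub(p, r, s, flags=re.IGNORECASE) for p, r in LEET.items() if p in s.lower()]
    full = s
    for p, r in LEET.items():
        full = re.sub(p, r, full, flags=re.IGNORECASE)
    return out + [full]


def successors(old: str) -> list[str]:
    """Likely replacements for `old`, most common first, deduplicated."""
    if not old:
        return []
    cands: list[Optional[str]] = [bump_trailing_number(old, d) for d in range(1, 10)]
    digits = bump_each_digit(old)
    cands += [digits, shift_symbols(old), shift_symbols(digits)]
    cands += next_period(old)
    m = re.fullmatch(r"(.*?)(\d{1,2})(\D*)", old)
    if m:                                # walk the whole 00..99 suffix space
        base, num, tail = m.groups()
        cands += [f"{base}{k:0{len(num)}d}{tail}" for k in range(100)]
    else:                                # no number yet: the first one gets appended
        cands += [old + str(k) for k in range(10)]
    cands += [old + "!", old + "1!", old[0].swapcase() + old[1:]]
    cands += bump_one_letter(old) + leet_variants(old)
    return [c for c in dict.fromkeys(cands) if c and c != old]


def recover_new_password(old: str, salt: bytes, stored: bytes) -> tuple[Optional[str], int]:
    """Return (matching successor or None, number of guesses hashed)."""
    guesses = 0
    for cand in successors(old):
        guesses += 1
        if hmac.compare_digest(hash_password(cand, salt), stored):
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    salt = b"per-user-salt"              # constructed; a real system has one per account
    for old, new in [("Password1", "Password2"), ("asdf12!@", "asdf23@#"),
                     ("Spring01", "Summer01"), ("tomat001", "tombt001"),
                     ("January2016", "J4nu4ry2016"), ("Password1", "zK9#vQ2!rT")]:
        found, n = recover_new_password(old, salt, hash_password(new, salt))
        print(f"{old!r:14} -> {found!r:14} after {n} guesses")
```

Every one of the patterned replacements falls inside a few hundred guesses, which is why a leaked old hash plus a rotation policy costs an attacker seconds; the last pair, a random replacement, is the case the candidate set cannot reach, and the cracker is back to attacking the full space.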

  • by The-Ixian ( 168184 ) on Wednesday August 03, 2016 @09:12AM (#52635465)

    The best practice lies somewhere in the middle. Change them too frequently or infrequently and security may be decreased for different reasons.

    (This also depends on your definition of "frequently")

    I *believe* that a password change policy is necessary. However, I don't think you need to change your password every couple of months. I think once a year is good as long as you are not using that password elsewhere and that it is 12 or more characters (don't worry about the numbers, symbols, etc. Just the length is important... again, with caveats pertaining to how the password is entered, stored, transmitted, etc)

    • password length (Score:2, Insightful)

      by Anonymous Coward

      ... not using that password elsewhere and that it is 12 or more characters

      Indeed. It is not the number of possible characters, C, from which the password is created, but the number of characters, N, that the password uses: The number of possible combinations is C^N which is polynomial in C, but exponential in N. (Thus, increases much faster with N than with C.) Adding a few "special" characters doesn't do nearly as much as adding length. That doesn't even really prevent dictionary attacks as most of the time the user only adds a 0, 1 or ! suffix to a simple word-password.

      Per

    • by Dr. Evil ( 3501 )

      "as long as you are not using that password elsewhere "

      Password reuse like this should be absolutely forbidden. It's ridiculously insecure.

      Password change policies depend on the service being protected. Very few benefit from changing. E.g., shared passwords such as safe combinations, door passcodes. Encryption keys such as those used for offline backup sets (nobody who worked there 10 years ago should know the current passwords).

      When you don't trust the service provider, data breaches, such a

  • by Kkloe ( 2751395 ) on Wednesday August 03, 2016 @09:14AM (#52635479)
    last password: Spring01
    new password: Spring02

    more than 2 passwords to change now and then; advice from seniors: put them in a txt file on the desktop
    • Works until you cannot reuse even parts of the previous passwords.

      So then it's probably going to be

      Spring01
      Summer12
      Autumn23 ...

      • What will you do on the 5th password? :)

  • 2016 best practice? (Score:4, Interesting)

    by sirber ( 891722 ) on Wednesday August 03, 2016 @09:15AM (#52635499)
    Use an offline password manager that generates random strong passwords, like KeePass.
    • by Striek ( 1811980 )

      Which is great, until you run into a shitty interface that won't let you paste a password.

      Windows 7 RDC comes to mind as a huge problem in that regard...

  • Making your own passwords is the bane of computer security; as I said on the most recent LastPass vulnerability article on Slashdot, it leads to very weak passwords, password re-use, written down passwords, forgotten passwords (inevitably reset through an insecure, unauthenticated email verification), and lots of other nasty things.

    If you use a good password manager (or some similar tool like a hasher), then how often you have to change your passwords is entirely irrelevant, because generating a new one
  • by h4ck7h3p14n37 ( 926070 ) on Wednesday August 03, 2016 @09:16AM (#52635505)

    Some of these questionable policies are driven by business regulations and auditors. If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.

    Good luck trying to get the auditor to explain why you need to change your passwords every 90 days, in my experience they can't defend their requirements and simply say things like it's "best practice".

    • Some of these questionable policies are driven by business regulations and auditors. If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.

      Good luck trying to get the auditor to explain why you need to change your passwords every 90 days, in my experience they can't defend their requirements and simply say things like it's "best practice".

      It is only to limit how long a compromised password can be used without being noticed.

    • We had an audit recently. The guy was a recent accounting graduate and had no freaking idea. PHBs wanted boxes ticked, he didn't care, we didn't care, so we said whatever we had to to help him complete his paperwork and move on. Everyone was happy.
    • by zifn4b ( 1040588 )

      If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.

      You hit the nail on the head. PCI and SOX audits aren't going to get you good security. Just because you read XYZ in a security book is a good practice doesn't mean you're going to get good security either. These things might get you slightly better security. What's really going to get you good security is to hire a firm to do a real penetration test. That's the only way you find out and then from those results you can actually identify the measures that need to really be taken to truly increase your

    • by ADRA ( 37398 )

      All sarbox cares about is that you have a process, even if its to do nothing. I'm not sure if PCI is strictly required to have a password rotation policy, but there shouldn't need to be too many people in an organization required to take steps to be covered (depending on the company). Only a very limited subset of a given company should have direct access to user data in the first place. If they're put on a special policy list due to regulation, then so be it.

    • Some of these questionable policies are driven by business regulations and auditors.

      This is absolutely true, but these business regulations should be driven by competent security. That's why things like this are good. Security is still an industry in its diaper-wetting infancy. Somebody took a practice most of us have accepted as good and actually subjected it to scrutiny, actually tested it, and found it to be wrong.

      in my experience they can't defend their requirements and simply say things like it's "b

  • by geekmux ( 1040042 ) on Wednesday August 03, 2016 @09:26AM (#52635571)

    ...for one main reason. Can anyone tell me how the insider threat risk has changed in the last 6 years?

    Take a look at the last few major hacks within corporations and social media networks. These haven't been minor breaches where a little bit of data was taken. No, we're hearing about millions of accounts leaked, and terabytes of data stolen, with Sony being a prime example of an inside job.

    The entire point here is frequent password changes DOES have a purpose; to mitigate the risk and damage of internal attacks, as outlined in TFS. If the insider threat risk has changed significantly in the last half decade, then the advice to change passwords often IS the more valid one.

    And as the Ashley Madison analysis revealed, it really doesn't fucking matter how often we tell users to change their passwords when they continue to pick horrible ones that require little more than a guess to "crack". Sadly, this trend has not changed in the last few decades of humans typing in passwords into computers. This is probably the strongest argument to remove the concept of human-generated passwords altogether, and go with some form of biometric-enhanced authentication.

    • Comment removed based on user account deletion
      • If it's going to be rendered as a hash anyway, what's the difference between that and a bad password?

        A decent amount of salt. That's the difference. I can't help it that the world's most popular operating system continues to be plagued with backwards compatibility issues that all but destroy the notion of implementing a 30-year old security enhancement that would tend to render password cracking tools useless.

        Why invest in expensive hardware that will be circumvented anyway? Six months after any technology is mandated, someone finds a workaround and the hardware is useless, whether via writing around the edge with a Sharpie or using a 3d printed eyeball.

        And yet we've been successfully and securely using two-factor authentication with hardware tokens for quite a long time now (as in decades). Certain security models manage to last a hell of a lot l

      • by DarkOx ( 621550 )

        summer16! | md5
        0a336b32a5ffad8dd06f7b245b63513e

        What the GP is suggesting is that you hash your password, then submit the hash as if it was your password, where it will be hashed again by the system/site/etc.

        Most password cracking efforts are not actually brute force, they use large word lists, and then apply whatever hash method and apply salts the leaked system used. Often these word lists are many gigabytes but still way smaller than the entire key space. So while summer16! is certain to be on someone's wo

        • Your post is correct and I agree with it, but I'd also bet that biometric systems produce 'passwords' that are far from random, and depending on the system, I'll bet you could in some cases reduce the search space enough to brute force it.
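Added example, not from the thread and not any particular product's code: the "hasher" approach several comments above gesture at (hash your password before submitting it, as DarkOx describes; a private part you remember plus a public rotating part you may write down, as in the post-it scheme upthread). One master secret is slow-stretched once with PBKDF2, and each site password is HMAC-SHA256 over the site name and a rotation counter, expanded into a policy-friendly string. The only thing you ever write down is the counter. The `user_label` salt, the 70-character alphabet and the 200,000 PBKDF2 rounds are this example's choices, not a standard.

```python
import hashlib
import hmac
import string
from typing import Iterator

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 characters
LIMIT = 256 - 256 % len(ALPHABET)          # 210: bytes >= this are rejected (no modulo bias)
SYMBOLS = "!@#$%^&*"


def prf_stream(key: bytes, label: bytes) -> Iterator[int]:
    """Unbounded pseudorandom bytes: HMAC-SHA256(key, label || 4-byte block index)."""
    i = 0
    while True:
        yield from hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1


def meets_policy(pw: str) -> bool:
    """Lower, upper, digit and symbol all present (the usual corporate rule set)."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


class SiteHasher:
    def __init__(self, master: str, user_label: str, rounds: int = 200_000):
        # Stretch the master once. user_label (e.g. an e-mail address) is not
        # secret; it only stops one precomputation table serving every user.
        self.key = hashlib.pbkdf2_hmac("sha256", master.encode(), user_label.encode(), rounds)

    def password(self, site: str, counter: int = 0, length: int = 20) -> str:
        """Deterministic per-site password. Bump `counter` to rotate; the new
        value shares nothing with the old one beyond the master."""
        site = site.strip().lower()        # Example.com and example.com must agree
        for attempt in range(64):          # re-derive until the policy is satisfied
            label = f"{site}\x00{counter}\x00{attempt}".encode()
            stream = prf_stream(self.key, label)
            chars: list[str] = []
            while len(chars) < length:
                b = next(stream)
                if b < LIMIT:              # rejection sampling keeps the draw uniform
                    chars.append(ALPHABET[b % len(ALPHABET)])
            pw = "".join(chars)
            if meets_policy(pw):
                return pw
        raise RuntimeError("policy not satisfiable")   # practically unreachable


if __name__ == "__main__":
    # Constructed inputs; the master is the one secret the user memorises.
    h = SiteHasher("correct horse battery staple", "alice@example.invalid")
    for counter in (0, 1, 2):              # the counter is the public, rotating part
        print(f"example.com counter={counter}: {h.password('example.com', counter)}")
```

Two caveats a user of such a scheme should keep in mind: the master has to be genuinely strong, because a leaked site password gives an offline attacker a PBKDF2-then-HMAC oracle to brute-force it against, and changing the master changes every site password at once. It also does nothing for interfaces that refuse pasting or particular symbols, which is the complaint raised about RDC above.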
  • In a perfect world where everyone has a photographic memory, we would change all of our passwords every 30 days and be better for it. In the real world, people are often tasked with remembering the passwords for dozens of accounts with different password policies, different change policies, and differing security needs. This causes frequent forgotten passwords (leading to overuse of password recovery tools, easy to guess passwords, and password reuse).

    In theory, you could simply use good mnemonic devices fo

  • It improved security for me. It forced me to go from "password" to "password1". I'm up to "password7" now
  • by wbr1 ( 2538558 ) on Wednesday August 03, 2016 @09:59AM (#52635841)
    I guess I am a hipster. I was failing to reset my passwords before it was cool.
  • by crow ( 16139 ) on Wednesday August 03, 2016 @10:09AM (#52635949)

    I have several passwords that require a "special" character. I've found it frustrating on the occasions when I need to enter these on my phone, having to switch to the symbols to enter my password. Now if a password requires a special character, I use one that is part of the default keyboard, which limits it to using a period.

    Special character requirements might be fine when using a physical keyboard, but mobile devices change how people will use them.

    • My favorite special character story comes from a friend who works in a call center. She had to help someone not computer literate at all set up an account on something and that service required a special character. She asked the caller what special character they wanted to use. Their response? "Minnie Mouse!"

  • I've been reading these articles about password security for 15 years on slashdot primarily. The TL;DR on passwords is that they are just not a panacea for security. Europe realized this quite awhile ago AFAIK, smart card readers are still being used as a means to do multi-factor authentication for people on networks and the internet, etc. It's a lot more convenient than remembering a password that is a gagillion number of characters long with a password policy that makes it impossible to create a passwo

  • by CQDX ( 2720013 ) on Wednesday August 03, 2016 @10:44AM (#52636237)

    Every company I've worked for forced us to change passwords regardless of complexity. So I, and probably everyone else, used a simple phrase with a number to increment. I would have liked it if I picked a long, complex, hard to crack password that I'd be rewarded with a longer period before requiring to change my password. Would this make sense in practice?

  • I have a powerful computer on my desk. Why can't it handle passwords? The browser software could communicate with the server it's trying to attach to and negotiate a new password with the client when the client logs off. Except for the initial login onto my desktop, the computers would handle the passwords. I understand that this is what the chip on my credit card does now. The current passwords could be stored in a database on my computer that I could access through something like keepass if I had to find t
    • That's fine if you are accessing the sites only from a single computer. Otherwise that database has to be uploaded somewhere, or else you'll need to reset your password when you try logging in from another machine.

      Windows does have a built-in credentials manager that pretty much no one uses. OSX has a keychains password vault.

  • Your password is expiring in 10 days. Click here [youtube.com] to change your password now.

  • How about a policy which says if you pick a short password you have to change it every XX days. If you pick a 12 character complex passcode, you get to keep it for 3 years?
  • Just tested logging out and back in, I'm still using the same password for my Slashdot account I've had for far too long (the password that is.) In fact, it is my 2nd oldest password still in use, my oldest password of course being a scorned 5 letter password not accepted in modern Internet society. :(

  • Years ago I worked at a defense shop that got the idea people were using passwords that were too easy to guess. So they assigned your password every 30 days. You get assigned something like "3z~L8;GS=4", which would be changed before you could remember it without some kind of mnemonic trick ("Three Zebras Tried Laughing..."). After a few months you'd start mixing up the current password with passwords from last month or the month before.

    Anyway, they finally did an audit and found something like 70% of
