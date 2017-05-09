NIST's Draft To Remove Periodic Password Change Requirements Gets Vendors' Approval (csoonline.com) 49
An anonymous reader writes: A recently released draft of the National Institute of Standards and Technology's digital identity guidelines has met with approval by vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things: "Remove periodic password change requirements." There have been multiple studies that have shown that requiring frequent password changes is actually counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change it or if there is indication of breach.
I welcome the return to sanity.
Yep. They do this where I work, which leaves me with very little choice but to write the password down on a little yellow sticky note because I'm forced to keep changing it to things I'll never remember.
Or you could do what most people do and keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.
even windows server won't let you do that with a simple AD configuration change
Just using "one" "two" "three" will usually be enough of a difference to get past most password uniqueness policies
I imagine he/she meant a rotating sequence of numbers to make it unique and non-repeating. However, many systems, while allowing long(er) passwords, limit the significant characters so I recommend putting the non-unique part first rather than last.
Yeah it's terrible, but it's Windows (Score:3)
> How would a properly secure and safe password system know if your new password is only slightly different than your old one?
It wouldn't. A sane system would store a salted hash of the password, so a bad guy can't download ALL of your damn passwords.
> If it can tell a minor change then it is not a good password setup
Right, it's a Windows password setup. *nix systems were more secure than that in the 1970s.
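An added example (not code from this thread): salted, iterated password storage with PBKDF2, plus a change-password flow that rejects the "golf1 -> golf2" style of rotation discussed above. The similarity check does not need anything reversible on disk: a change-password form asks for the current password as well as the new one, so both are briefly available in plaintext at that moment only. The iteration count, the edit-distance threshold and the record format are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 600_000  # assumption: tune so one hash costs ~100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$rounds$salt$hash (salt and hash base64)."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ROUNDS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(record: str, password: str) -> bool:
    """Recompute the hash with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(rounds))
    return hmac.compare_digest(got, expected)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is the old one with a digit or two bumped.
    Threshold of 2 edits is an assumption; compared case-insensitively."""
    return edit_distance(old.lower(), new.lower()) <= max_edits


def change_password(record: str, current: str, new: str) -> Tuple[bool, str]:
    """Returns (True, new_record) on success, (False, reason) otherwise.
    Both plaintexts exist only for the duration of this call."""
    if not verify_password(record, current):
        return False, "current password incorrect"
    if is_trivial_variant(current, new):
        return False, "new password is a trivial variant of the old one"
    return True, hash_password(new)


if __name__ == "__main__":
    stored = hash_password("golf1")  # constructed sample
    print(change_password(stored, "golf1", "golf2"))
    print(change_password(stored, "golf1", "correct horse battery staple")[0])
```

The record carries its own algorithm, round count and salt, so the round count can be raised later and old records rehashed on next successful login. Note that the variant check only sees the previous password; catching reuse of a password from several changes ago would require keeping older hashes and running the same comparison against each.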
> d keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.
That's retarded.
Append the MonthYear that it expires on.
i.e.
> very little choice but to write the password down on a little yellow sticky note
Why aren't you using a password manager like KeePass or KeePassX and just remembering one passphrase to access all your other passwords???
* http://keepass.info/ [keepass.info]
* https://www.keepassx.org/ [keepassx.org]
What if... (Score:3)
Multi-factor?
Well two things (Score:2)
1) If that is a big concern, use multi-factor. When real authentication security is important, multi-factor is important. You can't go and say an account is super important and needs high levels of protection but then refuse to go multi-factor.
2) How long are you ok with an adversary having access to your systems? Is 6 months ok? 12? Those are usually what you see password change requirements set at. Are you really ok with someone having unauthorized access to your systems for 12 months, but that's it, any
Finally! (Score:1)
My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.
My current position has a 6 month expiry. I use a much stronger password.
This is common sense to me.
LK
You use a much stronger password. The average user would use "123456" and never change it unless a system forced them to.
Understanding the behavior of the average user is common sense, especially when considering adapting this "new-and-improved" suggestion.
Sudden breakout of common sense (Score:2, Interesting)
A randomly generated password of any given strength has the same probability of being guessed as any other equivalently strong random password. The only reason for a forced password change is a breach. Oh, and, my favourite pet peeve: the common requirement that passwords must have some minimum number of characters from a few subsets of all printable characters actually makes them much weaker.
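An added worked calculation (not from the thread) putting a number on the composition-rule point above for the case of truly random passwords. Requiring at least one character from each class excludes every string that misses a class, so the keyspace shrinks; inclusion-exclusion over the omitted classes counts exactly what is left. The class sizes assume the 94 printable ASCII characters excluding space: 26 lower, 26 upper, 10 digits, 32 symbols.

```python
from itertools import combinations
from math import log2

# Assumed character classes: 94 printable ASCII characters, space excluded.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def unconstrained_count(length: int, alphabet: int = 94) -> int:
    """Number of random passwords of `length` over the full alphabet."""
    return alphabet ** length


def constrained_count(length: int, classes=CLASSES) -> int:
    """Number of passwords of `length` over the union of `classes` that contain
    at least one character from every class.

    Inclusion-exclusion: for each subset S of classes, count strings that avoid
    every class in S and add or subtract by the parity of |S|. Exact, no rounding."""
    sizes = list(classes.values())
    alphabet = sum(sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(sizes, k):
            remaining = alphabet - sum(omitted)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(count: int) -> float:
    """log2 of a keyspace size; infinite loss is reported for an empty keyspace."""
    return log2(count) if count > 0 else float("-inf")


def entropy_loss_bits(length: int, classes=CLASSES) -> float:
    """Bits of guessing resistance a random password gives up to the composition rule."""
    return entropy_bits(unconstrained_count(length, sum(classes.values()))) - entropy_bits(
        constrained_count(length, classes)
    )


if __name__ == "__main__":
    for n in (4, 8, 12, 16):
        print(n, round(entropy_bits(unconstrained_count(n)), 2), round(entropy_loss_bits(n), 2))
```

For random passwords the loss is about a bit at length 8 and shrinks as length grows, which is the sense in which a mandated mix does not help a generator. The much larger weakening the comment has in mind comes from human-chosen passwords, where the rule pushes everyone toward the same few shapes (capital first, digit or symbol last); that effect is about choice distribution, not keyspace size, and this count does not model it.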
Only works with single sign on (Score:2)
If you have a really well-connected single sign on environment in place, standardizing on a single password that you have to change periodically makes sense. Where it breaks down is when you have a million passwords scattered across different services (internal or external.) If you have to change those over and over, you end up recycling passwords or writing them down, or storing them in a password vault tool (which is a bad idea given how many vulnerabilities have come to light on those.)
In fact, with SSO
password123
hunter2
Management Reaction.. (Score:1)
I would welcome management that was actually in tune with our password insanity. Some logins are 3 months, some never, and most have different sets of rules as to min or max length, characters, etc.
I have different logins/passwords for:
Windows
Linux
Travel
Payroll
Proxy
Training (forgot)
IM (forgot)
Our internal Facebook clone (forgot)
VPN
Internal cloud storage (forgot)
Building entry code
Laptop encryption
and a couple more (counted 14 total a while back, but now I forgot some).
Guess how many of those are good and s
Sounds like what you should actually welcome is a password manager. I couldn't tell you any of my own passwords even under duress because I use a system where I don't have to remember any of my passwords (and could never do so, since they're obscenely complex and well beyond any recommended length). Two-factor protection is in front of that system, with a single complex passphrase to remember.
Makes life a hell of a lot easier.
Thank God (Score:2)
Honestly, if you aren't doing two factor at a MINIMUM, then you are wasting massive amounts of time and money in security theater.
By combining a physical token, even a cellphone, you get far more security than depending on something that is most likely written down.
So, you enable two-factor where you get an SMS, or add your mobile number to facebook / google, then you drop your mobile phone, which doesn't have a pin for the simcard. Someone finds the phone, takes the sim out, figures out the number, does a password reset in facebook / google using only the mobile number, and now basically owns you because they have access to your gma
First, cellphone is the worst two factor, not the advisable one.
Second you do NOT use the same password - two factor or otherwise for Facebook, Google, and work. If it is a work two factor, then there IS a password in the sim, because people aren't as stupid as you think they are.
Third, the time limit is pretty steep as you need to use most passwords daily. It is most likely attached to your keychain, not in your phone. In any case, it is extremely UNLIKELY that you won't notice it is gone within 12 ho
2-factor can cost 10 cents per login (Score:2)
By combining a physical token, even a cellphone, you get far more security than depending on something that is most likely written down.
When done poorly, the user needs to pay a dime to his cellular carrier every time he logs in. Low-end cellular plans in NIST's home country charge for both sending and receiving text messages.
Google Authenticator and other TOTP apps can be used without charge provided the service supports TOTP and the user carries a device that can run a TOTP app. But I know several people who still carry flip phones that have no TOTP app. And last time I checked, Twitter's second factor supported only SMS, not TOTP.
Biometrics are great for identification, but very, very poor for authentication. As soon as this finally settles in, we can start talking about using it.
Thank GOD (Score:2)
I'm ok with this
What happens when you ASS-U-ME (Score:2)
"... this guideline was suggested because passwords should be changed when a user wants to change it...
Here let me tell you how often a user wants to change their password.
Never.
Oh wait, that's not quite right.
Fucking Never.
Perhaps NIST should learn to factor the security impact when they ASS-U-ME what users want to do.
Sanity (Score:2)
It's funny (Score:2)
Ass Covering, Delusional Password Policies (Score:2)
Seriously, fuck you, to any site admin who contributes to this.
Real people can remember 2 or three passwords and that is all they will bother to remember. They will have maybe 2 long term secure passwords for things they personally value (and guess what, work isn't one of those things) and they will reuse the same password or variants of it on every single other system they use. No user will memorize a new password if they are expected to change it regular
End to golf1, golf2, golf3...golf486 passwords (Score:2)