← Back to context

Comment by tonymet

2 days ago

Yahoo published these findings over 20 years ago , that frequent re-auth made customers less secure because it encouraged poor password hygiene like short passwords, writing them down, etc.

It's also risky to have the primary password credential transmitted instead of temporary tokens.

8 comments

tonymet

Reply
al_borland  2 days ago

On the side of things, the risk of never needing your password is people tend to forget it.

Just the other week I was helping someone setup a TV and they thought they didn’t have an Amazon login, because they never needed to login. This was a Prime member.

1Password defaults to having users reauthenticate every 2 weeks. I do find this a bit annoying, but I find the occasional reminder of my password to be a necessity evil. Even doing it every 2 weeks for years, there are some days I have trouble bringing it to the front of my mind. And that would mean a hidden piece of paper somewhere with the password written down in case it’s forgotten. As I get older I should accept the idea that I should have these emergency systems in place if my mind does go, but it makes me uncomfortable.

  • tonymet  2 days ago

    It's a good point on password usability. Signal app periodically prompts you for the encryption PIN to make sure you don't forget it.

    I think this should be handled out of band of the login process. Similar to "is xxx still your phone number?" -- companies could do periodic password hygiene and freshness checks.

    Context matters. Companies forget that people are trying to get something important done, and blocking them for other attention is a huge frustration.

    • cesarb  2 days ago

      > Signal app periodically prompts you for the encryption PIN to make sure you don't forget it.

      At least Signal does not block the app until you enter the PIN. WhatsApp forces you to enter it before you can reach your messages, which not only is annoying when you're in a hurry, but also forces you to type the PIN even when you're in a place where it might be seen by someone else.

      On the other hand, on Signal it's possible to leave the warning forever at the bottom of the screen without acknowledging it and typing the PIN, which kind of defeats its purpose.

      2 replies →

  • nijave  2 days ago

    Our work SSO is set to 12/24 hours in most places which seems like a decent compromise. Auth once a day

    In a corporate environment, ideally your workstation password is tied to SSO and you have a short but reasonable lockscreen timeout where you need to re-type your password.