Comment by hashstring
2 days ago
There’s another closely related one, changing passwords periodically.
A lot of infosec authorities move away from this.
However, I always wonder, does it make sense for an org to stop with periodic password resets if: 1. the org is not very capable in detecting all account compromises; 2. in practice, users leak their passwords (e.g. by getting phished) and not all of them lead to direct intrusions, some credentials are sold first and it may take weeks/months to cause an intrusion.
I believe that in practice, forced password changes at least ensure that unknown compromised passwords will become outdated at some point in time, and I think that this is positive.
Ultimately, I believe the best thing to do is to move to FIDO2-authentication here.
But I do wonder, what are other people's takes on this topic?
> I believe that in practice, forced password changes at least ensure that unknown compromised passwords will become outdated at some point in time, and I think that this is positive.
password
password1
password2
password!
Password1!
People get predictable about how they modify their passwords when that policy is instituted. Mostly because it's a royal pain in the ass to have to generate a new password AND remember it.
That was one of the reasons that browsers (etc.) began offering users randomly generated passwords, with either the browser or a 3rd-party tool/service recalling the password on demand.
However that then means the password to the browser/service becomes the unchanging password...
> Ultimately, I believe the best thing to do is to move to FIDO2-authentication here.
Passkeys are an attempt to circumvent this by having (effectively) a key that's attached to some physical device that the user must have access to in order to prove that they are the authorised user... but... people are circumventing those by storing them in cloud services... which means that the password to the cloud service is... yet again... the weak point.
> But I do wonder what are other peoples takes on this topic?
For my money, the problem people are attempting to solve is unsolvable.
In the physical world we determine identity by citing documents that verify the identity as far as a trusted institution like a government or bank is concerned, and those documents are predicated on documents that may or may not exist (birth certificates) and on the assurance, from other people who have been through the same procedure, that those documents belong to the person presenting them.
In the digital world identity is even more difficult to prove, because everyone looks exactly the same: ones and zeros. The order might differ from one person to another, but they're mutable.
On the password1, password2, password2! flow, yes this happens and is bad, but not everyone is like this. I would say, any change (even a weak one) to a compromised password helps (even a bit). Because it requires attackers to test more passwords, providing more opportunity to detect them.
I agree, on moving the weak point to certain service providers when doing this.
Unsolvable: hm, but isn’t the idea to make it more secure, not necessarily solve it completely?
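The two points argued above (that rotated passwords are predictable mutations of the old one, and that every extra guess an attacker has to make is another chance to detect them) can be put on a common footing by counting guesses. The following is an added example, not code from either commenter: it generates candidates the way a rule-based cracking tool does (append a digit or symbol, capitalise, bump a trailing counter) and reports how many guesses each "rotated" password survives, both from the originally leaked password and from the immediately preceding one. The rule list, its ordering and the sample history are assumptions chosen for illustration; they are not taken from any real breach or cracking tool.

```python
"""Added example: how few guesses a predictably rotated password survives.

Everything here (rule set, ordering, sample data) is an assumption for the
illustration, not the thread's own material or any real tool's rule file.
"""
import re
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample: a leaked base password and the rotations the user chose
# afterwards. Illustrative only, not taken from any breach corpus.
LEAKED_BASE = "password"
ROTATION_HISTORY = ["password1", "password2", "password!", "Password1!"]

DIGITS = [str(d) for d in range(10)]
SYMBOLS = ["!", "@", "#", "$", "?"]


def _bump_counter(pw: str) -> Optional[str]:
    """'password1' -> 'password2', 'pw09' -> 'pw10'; None if no trailing digits."""
    m = re.search(r"(\d+)$", pw)
    if not m:
        return None
    return pw[: m.start()] + str(int(m.group(1)) + 1).zfill(len(m.group(1)))


def mutations(base: str) -> Iterator[str]:
    """Yield unique candidates derived from `base`, cheapest rules first.

    Simplified stand-in for a cracking rule set (assumed ordering): plain,
    +digit, +symbol, +digit+symbol, +two digits, +year, each on the base and
    on its capitalised form.
    """
    seen = set()
    stems = [base, base.capitalize()]
    rules = [
        lambda s: [s],
        lambda s: [s + d for d in DIGITS],
        lambda s: [s + x for x in SYMBOLS],
        lambda s: [s + d + x for d in DIGITS for x in SYMBOLS],
        lambda s: [s + f"{n:02d}" for n in range(100)],
        lambda s: [s + str(y) for y in range(1990, 2031)],
    ]
    for rule in rules:
        for stem in stems:
            for cand in rule(stem):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def successor_candidates(previous: str) -> Iterator[str]:
    """Candidates for the *next* password given the current one.

    Wave 1: the minimal edits that satisfy "must differ from the old password".
    Wave 2: rebuild from the alphabetic stem ('password2' -> 'password' -> ...),
    then from the previous password itself.
    """
    seen = set()

    def fresh(c: Optional[str]) -> bool:
        if not c or c in seen:
            return False
        seen.add(c)
        return True

    for cand in (_bump_counter(previous), previous + "1", previous + "!",
                 previous.capitalize()):
        if fresh(cand):
            yield cand
    stem = re.sub(r"[^A-Za-z]+$", "", previous)
    sources = [stem, previous] if stem and stem != previous else [previous]
    for src in sources:
        for cand in mutations(src):
            if fresh(cand):
                yield cand


def guesses_to_crack(candidates: Iterable[str], target: str,
                     limit: int = 100_000) -> Optional[int]:
    """1-based position of `target` in the candidate stream, or None if absent.

    Against an online login this is also the number of failed attempts a
    defender would see before the attacker succeeds.
    """
    for i, cand in enumerate(candidates, start=1):
        if i > limit:
            return None
        if cand == target:
            return i
    return None


def rotation_report(base: str, history: List[str]) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """(password, guesses from the leaked base, guesses from the preceding password)."""
    report = []
    previous = base
    for pw in history:
        from_base = guesses_to_crack(mutations(base), pw)
        from_prev = guesses_to_crack(successor_candidates(previous), pw)
        report.append((pw, from_base, from_prev))
        previous = pw
    return report


if __name__ == "__main__":
    for pw, from_base, from_prev in rotation_report(LEAKED_BASE, ROTATION_HISTORY):
        print(f"{pw:12s} from leaked base: {from_base!s:>4} guesses"
              f"   from previous password: {from_prev!s:>4} guesses")
```

Run as a script it prints one line per rotation. For this constructed history every rotated password falls inside the first hundred candidates from the original leak, and the two counter bumps are found on the very first guess from the preceding password, which is the "predictable" point; the guess counts themselves are the detection budget the "more attempts to notice" point relies on, and against an offline hash dump that budget is spent in well under a second.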