← Back to context

Comment by xp84

2 days ago

Password rotation does nothing more than get you to use

  1234abcd@
  1234abcd@1
  1234abcd@2
  1234abcd@3

I'm becoming pretty convinced that at least in the corporate space, we'd be way better off with a required 30 character minimum password, with the only rules being against gross repetition or sequences. (no a * 30 or abcd...yz1234567890 ). Teach people to use passphrases and work on absolutely minimizing the number of times people need to type it by use of SSO, passkeys, and password managers. Have them write it on a paper and keep it in a safe for when they forget it.

This is a better use of the finite practical appetite for complying with policies than the idiotic "forcibly change it every 90 days" + "Your 8 character password needs to have at least one number, one uppercase, and one of these specific 8 characters: `! @ # $ % ^ & *`"

By the way, to quote Old Biff Tannen, "oh, you don't have a safe. GET A SAFE!"

26 comments

xp84

Reply
tharkun__  2 days ago

Don't tell them. I don't want to have to enter 30 characters. And it does not help for the people you'd need it for anyway.

    1234567890a1234567890@1234567890

Better?

No, just longer to type. You can't fix stupid people by making the life of non-stupid people worse.

All you do is for non-stupid people to stop caring and do the easiest thing possible too.

  • MrDrMcCoy  2 days ago

    That's why we recommend passphrases. That 30 character requirement becomes much easier when it's 3-4 words with a separater. Faster to type, too.

    • tharkun__  2 days ago

      Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)

      2 replies →

  • wycy  2 days ago

    Correct-horse-battery-staple!! is 30 characters and quick to type

    • tharkun__  2 days ago

      Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)

bigfatkitten  2 days ago

In the corporate space you should move away from passwords entirely.

Smart cards have had pretty solid ecosystem support for the past two decades thanks to the U.S. Government and HSPD-12, and now we’ve got technologies like webauthn that make passwordless authentication even easier.

osigurdson  2 days ago

In the enterprise, the cost of inconvenience to users is effectively zero. Perhaps even negative as security theater can be a pretty effective way to convince management that something is being done.

eru  2 days ago

There's one weird trick to get people to have strong passwords (even if you force rotation): don't allow them to pick their own passwords. Randomly generate the passwords for them.

  • pixl97  2 days ago

    Also don't allow them to copy paste the password. And especially don't allow them to use any kind of password wallet. They will really love you for this and you won't get an excessive number of calls to reset forgotten/lost passwords.

kobieps  2 days ago

Preach. Gmail doesn't force password rotation, and one can just imagine the type of attacks they must sustain...

Unfortunately corporate policies evolve at glacial speeds...

Retric  2 days ago

I’m doubtful a 30 digit minimum password is a meaningful improvement over a 20 digit password here. Meanwhile actually typing in very long passwords adds up across a workday/year especially with mistakes.

  • xp84  2 days ago

    I think if done right, typing that password should be more like a once a quarter exception rather than a daily occurrence.

    Granted - there are blockers to getting there. IDK why for example, macOS can't use Touch ID from a cold boot, that's stupid, at least when there haven't been too many failed attempts or anything.

    • zimpenfish  1 day ago

      > macOS can't use Touch ID from a cold boot

      Isn't that because the Secure Enclave (the only place which contains the Touch ID biometric data) is locked by your password?

      "When a user's password is set up on an Apple Silicon Mac, the password is passed through a one-way hashing algorithm that produces a key used to encrypt the Secure enclave's key."[0]

      [0] https://blog.greggant.com/posts/2023/04/14/the-security-encl...

    • Retric  2 days ago

      Touch ID isn’t that secure. It’s fine for personal devices, but I wouldn’t trust it alone in a government or cooperate environment.

      A ~1:50,000 error rate per finger added sounds fine, but lose a few laptops and have multiple valid fingerprints etc and the odds quickly look significantly worse. Or a janitor could end up trying to log into a significant number of machines etc.

  • imtringued  1 day ago

    You're only supposed to type your password at most once a day to sign into SSO.

    • Retric  1 day ago

      Then how do you suggest authenticating not just in the morning but after lunch, going to the bathroom, any physical meetings, etc?

TZubiri  2 days ago

"Your password is too similar to your previous password"

Hmm, how would you know that.

  • Uvix  1 day ago

    Don't you generally have to enter the current password to change it to a new one?

    • TZubiri  1 day ago

      Interesting. I guess you could do it on the frontend by asking for old and new passwords simultaneously and sending the hashes to the backend.

      That said, it means that you can skip this check by hacking around the front end check haha

  • tharkun__  2 days ago

    By making it less secure. Like those auth schemes back in the day that sounded great in theory until you figured out that in order to implement them the provider had to store them un-hashed. No thanks.