For those who work at corporations with password rotation policies, it may actually be a good way to get creative. This guy changed password rotations into a lifehack:<p><a href="https://medium.com/the-lighthouse/how-a-password-changed-my-life-7af5d5f28038#.dlynk50b7" rel="nofollow">https://medium.com/the-lighthouse/how-a-password-changed-my-...</a><p>Previous discussion on it: <a href="https://news.ycombinator.com/item?id=8015470" rel="nofollow">https://news.ycombinator.com/item?id=8015470</a>
This reminds me of a story I read about the NHS (National Health Service) here in the UK.<p>Some edict came through that scans had to be stored and accessed digitally. There were numerous teething problems in accessing the system, so a brain surgeon was going nuts running back and forth across the hospital trying to do his work.<p>A nurse in another department said he could use their consultant's login with the password 'fuckoff'. He ran back to his own desk, no go. So he went back and they said, "Ah, he has to keep changing the password each week so try fuckoff45" because the system had been set up almost a year prior. It didn't work, but after realizing more time had passed, he tried "fuckoff47" and it did the trick(!) Note that the problem here wasn't just the password but that sharing <i>entire logins</i> was/is rife.<p>(Update: I've found a reference to the story at <a href="https://www.theguardian.com/books/2014/mar/30/do-no-harm-stories-brain-surgery-review-henry-marsh" rel="nofollow">https://www.theguardian.com/books/2014/mar/30/do-no-harm-sto...</a>)<p>(The NHS is full of fun IT-related stories. Another was that due to patient privacy laws, <i>keys</i> to access scans had to be sent under separate transport. So you'd end up with situations where two couriers would be delivering separate USB sticks each to access a single scan.)
Does anyone aside from HN type folks listen to these recommendations?<p>I just had a major banking institution send me a plaintext pw instead of reset token, with a 15 char limit, and a rotation requirement.
Does anyone actually have data showing that frequent password changes lead to better security?<p>Because to me requiring frequent password change seems like the ultimate non-technical management blunder: management wants to say they did something to prevent hacks, so they ask IT to require password changes; IT doesn't want to be blamed so they implement it; users comply with the requirements but can't remember their new password (and don't really care about the company's security in the first place), so they come up with something insecure and keep it somewhere even less secure.
At a client who requires frequent password changes, people simply write out their passwords on post-it notes that they stick onto their screens. Some security. (That's a bank, by the way).
There is also the matter of cost-benefit analysis of time spent updating passwords. Where I work we have a special code that has to be typed in by logged in members of the team if they want to really delete a transaction, this code is the same for all members of the team. A manager sets this code to expire on a monthly basis because a new code will be good for security, apparently. In reality this means that on the first of each month a team are locked out for an hour or two whilst the new code gets generated and circulated - in email. So there is a misunderstanding on security plus an implementation issue leading to disruption equivalent to the loss of a person's productivity for a day.<p>A similar scenario of disruption happens if you use lots of devices and need to update a password on several boxes to get working again. There may not be the communication overhead of my special code analogy (which is invariably delayed due to waiting for the manager to get out of meeting), however there is still disruption and time taken out from the task in hand.<p>As an aside, I like 'ambient' passwords, e.g. the VAT number on the receipt that you got given buying your lunch, the receipt can be kept in the top drawer - safe from the cleaner - and, if it is lost, you can go to the shop again to get another receipt.
I suspect that the requirement of (1) changing the password every <i>n</i> days, (2) new password cannot be the same as previous <i>m</i> passwords (usually, m=10) leads to insecure passwords for most.<p>I've seen people <i>handle</i> such requirements by creating an initial password, say p@$$w0rd and then appending a digit to it. On any subsequent mandatory password change event, they <i>increment</i> the new password from p@$$w0rd0 to p@$$w0rd1.<p>Not sure if it leads to anything more secure.<p>Wish more people started to use GPG based password store such as pass [0].<p>[0] <a href="https://www.passwordstore.org/" rel="nofollow">https://www.passwordstore.org/</a>
Not news to anyone in the security scene, especially as a 30-90 day password lifetime disincentivizes people from actually creating a complex password, so they'll do stuff like Sp0useName02 that technically meets the complexity requirements but is horrendously insecure.
I've never met anyone in the corporate world that does <i>not</i> suffix a digit to their password that increments with each mandatory password change. Most people start with "foobar"[1] then become "foobar2", "foobar3", etc.<p>[1]: <i>Or maybe "Foobar" (because you need a capital letter) or "Foobar!" (because you need a capital letter and a non-alphanumeric letter).</i>
I also hate having to change my password on a mandatory basis. I am paranoid, have never used the same password twice for any somewhat important account, and have a mental trick system to remember my passwords. When a password change is demanded, it fucks that up. Looking at you, LinkedIn and PayPal. Thanks for the crappy security and annoying password policy.
I usually deal with this by appending the month and year of the change to a secure password. Broken if the secure password is revealed, but no less secure than no rotation policy.<p>Where I work, we change passwords every 90 days, but every password other than full disk encryption, login and password manager are auto generated by password manager, so this mechanic is less of a concern.
I have worked at a US DoD "secure facility". You can imagine the requirements they imposed on password length, characters, frequency of changing, uniqueness, etc. Perhaps you can also imagine that nearly everyone kept their current password written on a sticky-note somewhere in their desk.
This is echoed by CESG (part of GCHQ) in their password guidance: <a href="https://www.cesg.gov.uk/guidance/password-guidance-simplifying-your-approach" rel="nofollow">https://www.cesg.gov.uk/guidance/password-guidance-simplifyi...</a>
I usually just make up a crazy long sentence I'll remember, with no logical order in it. Something funny to me so I'll easily remember it. Throw in some assortment of numbers and symbols. Bam! Works like a charm!
To prevent people doing this just throw in a string similarity algorithm into your password-change UI.<p>if similarity(old_password,new_password) > 50% then reject password change...
The point of changing your password is to counteract any hacked passwords, I think.<p>But WHY ARE YOUR PASSWORDS BEING COMPROMISED?<p>That's what you need to address.
It's a double-edged sword. The true issue with frequent password changes is that people really don't want to be creative. They end up either changing one letter or adding an extra letter. At least do a quick distance check and deny the password at 90% similarity.
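The similarity check suggested two comments up (reject at over 50% similarity) and just above (reject at 90%) can be implemented with a normalized edit distance. The following is an added example written for this thread, not code posted by any commenter; it assumes the user has just typed their current password in plaintext (which is the only point at which a server can compare it against the new one), and the function names and thresholds are illustrative. It also shows why the threshold matters: the "p@$$w0rd0" to "p@$$w0rd1" increment from the earlier comment scores only 89% on a 9-character password, so a 90% cut-off alone lets it through, which is why a second check that strips the trailing counter and compares the remaining stem is included.

```python
"""Reject password changes that merely increment or re-suffix the old password.

Added illustration for the thread's "similarity check" suggestion; not from
any commenter. Assumes the plaintext old password is available because the
user supplied it during the change flow.
"""
import re
from typing import Tuple


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b)) time,
    O(min(len)) memory."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute (0 if equal)
        prev = cur
    return prev[-1]


def similarity(old: str, new: str) -> float:
    """1.0 means identical, 0.0 means nothing in common (normalized by longer length)."""
    longest = max(len(old), len(new))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(old, new) / longest


# Trailing digits / punctuation are what people bump from one rotation to the next.
_TRAILING_COUNTER = re.compile(r"[0-9!@#$%^&*.\-_ ]+$")


def stem(password: str) -> str:
    """Case-fold and strip the trailing counter/punctuation people append."""
    return _TRAILING_COUNTER.sub("", password).lower()


def password_change_allowed(old: str, new: str, threshold: float = 0.5) -> Tuple[bool, str]:
    """Return (allowed, reason).

    threshold is the similarity above which the change is refused; 0.5 and 0.9
    correspond to the two figures proposed in the thread.
    """
    if new == old:
        return False, "unchanged"
    score = similarity(old.lower(), new.lower())  # case-insensitive so "Foobar" != "foobar" trick fails
    if score > threshold:
        return False, f"too similar ({score:.0%})"
    # Catches "foobar" -> "foobar2" and "p@$$w0rd0" -> "p@$$w0rd1" even when the
    # edit-distance score sneaks under a high threshold.
    old_stem = stem(old)
    if old_stem and old_stem == stem(new):
        return False, "same stem with a different suffix"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes, modelled on the patterns described in the thread.
    samples = [
        ("p@$$w0rd0", "p@$$w0rd1"),
        ("foobar", "Foobar!"),
        ("Sp0useName02", "Sp0useName03"),
        ("Summer2016!", "winter-is-coming-2016"),
    ]
    for threshold in (0.5, 0.9):
        print(f"--- threshold {threshold:.0%} ---")
        for old, new in samples:
            allowed, reason = password_change_allowed(old, new, threshold)
            print(f"{old!r:>16} -> {new!r:<24} {'ALLOW' if allowed else 'REJECT'}: {reason}")
```

Two practical caveats. First, this only works at change time with the old password in the clear; it cannot be run retroactively against a history of stored hashes without re-deriving candidate variants, so the check belongs in the change flow itself. Second, any similarity rule pushes users toward harder-to-remember passwords, which is exactly the pressure that produces the post-it notes described elsewhere in the thread; the check mitigates the increment pattern, it does not remove the underlying cost of rotation.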