
Can we get rid of the password expiration too? Requiring that users change their perfectly secure password every 6 months is absurd and gives the impression of security when in reality it only makes things worse.


Banks are aware that NIST and various other bodies have updated their guidance about password expiration. Even vendors like Microsoft who supply extensively to financial services, have updated their guidance about password policies.

At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.


It's not inertia. In my big corpo's case, it's because the cybersecurity insurer is refusing to follow NIST.


I have been in three different organisations now with this same excuse, and actually called their insurer to clarify. In all cases, the insurer asks about the password policy, such as expirations. Complete absence of a written policy is a problem. Non-expiring passwords were not.

Someone in management took the application form and justified their own belief on security, and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.


One hundred percent. I’d be interested to see how many people resort to having weaker passwords just to try to remember the new password every 6 months. I know many folks are proud of their password ‘system’ of using the same word and adding different numbers every time they need to change it. Not helpful.


If the website gets one of those it works. If they get multiple examples of the password system in action, how hard would it be to guess elsewhere? You might not even remember that you've used one variation before.

I keep a long list of strong passwords and some 50 pins in my head, at least I think I do.

I know a guy who regularly gets locked out of things. It's a terrifying process. Everything unravels.


What usually happens to me is, I get stuck where whatever service I'm using insists the password must be changed RIGHT NOW before proceeding. There was something I was trying to do. Maybe I don't have a pen, I'm on my phone, whatever, I don't have time for this shit. I need to change it to something I will remember, which is something like "Password1". Maybe I remember to pick a better one later, maybe I don't. Maybe (looking at you, Okta) I can't change the password because I changed it too recently...


It indicates they are using good security practices that are no longer considered good. They might be living in 2010 which is worrying on its own.


Our hotel franchise requires us to change the password every month. We can't use the last 6-8 passwords.


Password1, Password2 ... Password123456789 - I can do this all day. And really you should, as a password you can easily remember is a bad password, so the first part that doesn't change is the important part.


Password manager ftw


This is fine for services you can easily access on a phone or computer.

My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.

I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.

My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.


I once joked (I think because my employer had a similar, crazy requirement) that my keyboard's firmware was programmable, and I could just reprogram that FW so that Level3Shift+some key would rattle off the month's password.

Obviously, this is a terrible idea.


Believe it or not, "Yubikey" security keys have about 8 different configurable modes. One of them is "emulate a USB keyboard and enter a static password".

So not only could you implement your idea - you could also tell people you "log in with a yubikey" and they'll think you're at the forefront of security.


The only solution to this problem is to put your password on a post-it note in the most obvious place possible? Are we sure the CISO is the idiot in this story? This sounds like malicious negligence. I sure hope nothing that actually matters is on your system.


Well, a TPM would eliminate this user-hostile auth dance, although that security model is different than a password.

Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.

There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISOs are from nontechnical management backgrounds, based on surveys I’ve seen.


I think it’s valid to question the wisdom of a CISO using misguided password guidelines. I don’t think it’s valid to respond to guidelines you disagree with by willfully sabotaging security. You relinquish your righteous position on password security when you put your password on a post-it in your laptop.


You call it "willfully [sabotaging] security," I call it "the best alternative that doesn't leave me with a 30% chance of forgetting my password every 60 days."

1Password is smart enough to let me have a secure, non-leaked password of high complexity that I have memorized, then let me go years without resetting it. I started there and the policies have made my laptop progressively less secure over time.


It just so happens that the best alternative you could think of is literally the worst alternative anybody could think of. If I didn’t know better I would call it wilfully bad and chosen more to prove a point than for any other reason.


Reads like you are trying to argue for abstinence only education here. The reality security must operate in is that the best security policies are those that people don't circumvent.

If people have to resort to sticky notes, sharing credentials, scripts that automatically update a file containing a plaintext credential, or what have you, odds are that security has massively fumbled the ball.

Keep in mind this is already intuitive enough for everyone, even the security minded, within some set of social and/or professional norms. No one uses one time pads for common password based authentications, nor do they rotate passwords daily, nor do they require 64+ characters. We don't do this because it's obvious to everyone that business would be too great, and people simply would not comply. Many security teams seem interested in pushing that boundary as far as they can without regard to what the probability density function of compliance actually looks like.

I say this as my password for Nationwide Children's Hospital has officially become the first password to cross that line for me, and now lives in a paper notebook. Forced reset, 2FA mandated, requiring 15 characters, upper, lower, number, and special char (but only a subset of special chars).

Maybe it's overkill that the place I go to fill out questionnaires about baby poop has minimum password requirements such that the entire world's computers would take over 10,000 years to crack.


If it’s too much to take then it’s too much to take and nobody can argue with that. When that happens, you resort to something more reasonable. Putting your password in a notebook, for example. Putting it on a post-it note on your laptop is not that reasonable alternative.


Their job is on there! Losing the job is much worse than losing the data. You need to secure that too!


> because the CISO is an idiot.

How do these people get these jobs?

I have 25 years of enterprise-level web application development experience. I passed the CISSP on my first try with minimal study. I read RFCs for fun.

And yet I can't even get a screening interview with an actual human (although my one AI interview asked surprisingly competent follow-up questions).


> How do these people get these jobs?

Relationships.


Hunter2025May


NIST only changed that recommendation last year. Expect that update to take at least 10 years to percolate through institutions like banks.


This recommendation dates back from 2017.

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

8 years later, no one seems to care. Other things that NIST doesn't recommend are rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or relate to the user name.

Here is the relevant document: https://pages.nist.gov/800-63-3/sp800-63b.html
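An added example, not from the thread or from NIST, of what a verifier-side check along the lines of that SP 800-63B section looks like: length bounds, a breach/dictionary blocklist, context-specific words (user name, service name), and no composition or expiry rules. It also catches the "same word plus a counter" scheme discussed above. The blocklist, the service terms and the names are constructed sample data.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B 5.1.1.2.
Added example; blocklist and service terms are constructed sample data.
A real verifier would use a breach corpus (e.g. a k-anonymity lookup)."""
import string
import unicodedata

MIN_LENGTH = 8    # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # verifiers should accept at least 64 characters

# Constructed sample blocklist of common / previously breached passwords.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
# Constructed words specific to the service itself.
SERVICE_TERMS = {"examplebank"}
TRAILING = string.digits + string.punctuation


def normalize(secret: str) -> str:
    """Unicode NFKC normalisation before measuring length or matching."""
    return unicodedata.normalize("NFKC", secret)


def is_sequential(s: str) -> bool:
    """True for runs like '12345678' or 'abcdefgh' (ascending or descending)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(secret, username, blocklist=BREACHED_PASSWORDS,
                   context=SERVICE_TERMS):
    """Return (accepted, reason). Spaces and any printable characters are
    allowed; there is no letters+digits+symbols rule and no expiry."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, "too short"
    if len(s) > MAX_LENGTH:
        return False, "too long"
    low = s.lower()
    # Direct breach/dictionary hit, then the same lookup with a trailing
    # counter or symbol stripped, so "Password1" and "Password123456789"
    # are both rejected as the blocklisted word "password".
    stem = low.rstrip(TRAILING)
    if low in blocklist or (stem and stem in blocklist):
        return False, "found in breach/dictionary list"
    # Context-specific words: the user name and the service name.
    for word in {username.lower(), *context}:
        if word and word in low:
            return False, f"contains context-specific word {word!r}"
    if len(set(low)) == 1:
        return False, "repetitive"
    if is_sequential(low):
        return False, "sequential"
    return True, "ok"
```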


And expect people to still implement it in the future, based on documentation from some consultancy that hasn't disseminated the new recommendation internally to their implementation engineers.

