top | item 20077967

Password expiration is dead, long live passwords

586 points| davidgh | 6 years ago |techcrunch.com | reply

312 comments

[+] mattowen_uk|6 years ago|reply
Shifting from passwords to more secure systems such as MFA ignores the elephant in the room about passwords that no-one wants to acknowledge: People share passwords.

A simple example is this: A couple do online grocery shopping every week or so, depending who has time to do it, one of them will log into the 'account' and build the basket. Maybe the other will then amend the basket a few hours later before the cut-off time. With enforced MFA, this is not possible.

There will always be a small percentage of situations where '1 person = 1 account' will never be true. Until providers add the concept of multi-logins to the same 'account' on their systems you can't wholesale move to stronger security methods.

I have the same issue with all these 'smart home' products that need an app installed onto a phone or tablet. A lot of them are bound to a single account, which means if other people in the household also want to have the app, you have to share your account details. If it's a Google or Amazon product, that means you are sharing account details of an account that you really shouldn't be.

[+] faceplanted|6 years ago|reply
YouTube has this problem to an insane degree, some large businesses are run from a single person's long standing Google account and there's no way to give another YouTube account any privileges you might want an employee to have without giving them access to your entire Google account and all attached services including your emails, the ability to locate and wipe your phone, all the photos on your phone via Google photos, your calendar for its entire history, I could go on.

It's completely insane, and the closest they've gotten to adding anything like this is letting people have comment moderators on live streams, not videos where people have wanted comment moderators from day one, just live streams.

[+] Sahhaese|6 years ago|reply
I agree sharing passwords is a really common thing, even among corporate / enterprise SaaS. Even with MFA people share dongles / code pads.

But the correct pattern is a formal system for delegation and/or disconnecting 'login' with 'account' (i.e. separate charging for a service from the login). This is something that AWS does very well for example.

[+] snarf21|6 years ago|reply
MFA does not mean no sharing. It is trivial to set up multiple credentials for the same account. You can easily have two different fingerprints set up as 2FA from two different devices for the same account. Most services let you have backup codes and dongles already. This is mostly an issue of education. We already see a lot of these kinds of other factors like sending a message to device 1 when provisioning device 2.
[+] diggernet|6 years ago|reply
This is such a ridiculously widespread problem...

When I opened a new joint bank account with my wife, the branch manager was helping set us up for online access. I asked about having our individual logins linked to the joint account. He said they couldn't do that, and we had to share the login for the joint account. I pointed out their TOS had just forbidden us to ever do that. He agreed it was stupid, but they had no other option available.

[+] Jnr|6 years ago|reply
MFA doesn't necessarily mean "1 person = 1 account". TOTP codes can be shared, there can always be copies of the certificates, multiple security devices added to the same profile, etc. It differs from case to case.
[+] sejtnjir|6 years ago|reply
> There will always be a small percentage of situations where '1 person = 1 account' will never be true.

I agree, but this isn't an argument against the obsolescence of expiring passwords regularly.

I imagine people sharing passwords are even MORE likely to share passwords in insecure ways if they are forced to change the shared password at a regular interval.

[+] msravi|6 years ago|reply
I don't know, but (at least some of) the apps that need multiple logins for precisely the scenario you suggest, seem to have solved this. Here in India we have some grocery apps that deliver (mainly perishables) every morning, such as Doodhwala (https://play.google.com/store/apps/details?id=com.bangertech...) and MilkBasket (https://play.google.com/store/apps/details?id=com.milkbasket...).

So I register with my phone number, I get an OTP (via SMS) and log in to the system to add stuff to my basket, etc. My wife also logs in from her phone, but rather than registering afresh, uses my phone number. Now I get another OTP which she uses to log in from her phone. That's it. The same account is logged into on two different phones and the login persists.

I don't know if this is by accident or design, but it works. Hopefully it'll continue to work, and they don't try to "fix" it because it wasn't meant to be that way...

[+] tracker1|6 years ago|reply
That still doesn't mean forcing frequent password changes becomes better... Usually it means COMPLEXPPASS!### where ### is incremented through each refresh, until you can reuse 1 again.

What would be better is forcing a passphrase change when a user on an account leaves.

This does not negate other security practices... however, frequent changes lead to less security, not more, generally speaking.

[+] mrandish|6 years ago|reply
Wow, you nailed it. Your post describes our household precisely. The only shared password I have is with my spouse for a grocery list app. The most annoying account problems we have are with accounts for household gear such as wifi-aware garage door opener and pool pump.
[+] kebman|6 years ago|reply
You shouldn't take that shortcut over the lawn either. There are two answers to that very basic design problem: 1. Build higher fences to force people to walk along the prescribed path. This is often met with resentment, and various attempts at climbing the fence, or even cutting it down. 2. Lay bricks along the new organic path, so that it's safer to traverse. I like the latter choice. The principle is just about the same in the digital world.
[+] m12k|6 years ago|reply
1Password allows me to share specific credentials with a person. And these credentials can include the generator for one-time-passwords.
[+] amelius|6 years ago|reply
> Shifting from passwords to more secure systems such as MFA ignores the elephant in the room about passwords that no-one wants to acknowledge: People share passwords.

In real life, people share keys too. So in some cases the "key" should probably be the metaphor, and it could be implemented by a dongle.

[+] moisto|6 years ago|reply
Late to the game, but ideas...

1. One time Password ?

2. Change password before/after authenticating their device

3. Improve communication with spouse regarding milk eggs crap wrap etc.?

[+] blr246|6 years ago|reply
The other part of this story I did not see mentioned is that I suspect that password expiration also makes organizations more vulnerable to social engineering hacks because legitimate users (I have done this) become locked out due to poorly managed password expiration, then have to call in to restore access. The use of insecure identity and authentication mechanisms like student IDs and security questions is a recipe for abuse.

Good riddance to password expiration.

[+] omh|6 years ago|reply
Unfortunately we still have to have similar authentication methods for other password resets. Users have an alarming tendency to forget their passwords after a week or two of holiday.
[+] EnderWT|6 years ago|reply
"Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem."

Full post: https://blogs.technet.microsoft.com/secguide/2019/05/23/secu...

[+] thaumasiotes|6 years ago|reply
> If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen

We've been seeing the point "your personal information is already out there, in the hands of hackers" recently. This cleft seems oddly blind to the possibility that a password has been stolen, but you have no evidence of the fact.

[+] matt_morgan|6 years ago|reply
This ignores the fact that most people use the same password everywhere, given the opportunity, and you have no idea what website has been breached. I.e. if you don't expire passwords, most people will use the same password everywhere, and you don't know when a compromise has happened, because it happened on some totally other network.
[+] kebman|6 years ago|reply
Assuming there is no zero-day exploit. But then I'm paranoid.
[+] jvagner|6 years ago|reply
Recent, frustrating example: My (business) bank uses FISERV software, and their software expires passwords every 90 days. Their software can notify you about a million combinations of account activities and statuses, except this one. It takes 3 values to login to the account (company ID, username, password). When logging in via mobile app, it never tells you that your password has expired, so I end up trying a few times before I remember it might be an expired password.

Login via web browser, and sure enough it'll tell me my password expired and it's time to change it. They also occasionally enforce 2FA. Passwords are also how you connect things like Quickbooks.

When I called the bank to find out how to get notifications that a password has expired, they said there was no way. "When you change your password, set a calendar event for 60 days ahead..." they told me.

[+] lysp|6 years ago|reply
The problem with having a short expiration is that it forces people to simply use their password with a count:

password1, password2, ... password23, password24.

This means that if you discover someone's current password, you also have their future 10+ passwords as well.

[+] enriquto|6 years ago|reply
> When I called the bank to find out how to get notifications that a password has expired, they said there was no way. "When you change your password, set a calendar event for 60 days ahead..." they told me

This is a very good reason to change bank. That unacceptable answer would certainly induce me to rage quit the service, whatever the inconvenience.

[+] liveoneggs|6 years ago|reply
I've run into this a lot in other software as well.
[+] jsonau|6 years ago|reply
Another worst offender is security questions to unlock accounts. Answers to these questions are usually visible to customer service reps and a similar set of questions is asked among different services. This is scary.

It's as dangerous as having a password stored in plain text, as answers to the security questions can potentially unlock many other accounts.

I highly suggest everyone answers each of them with a unique answer.

[+] Sendotsh|6 years ago|reply
I answer these with random wrong answers and add the question/answer combo to the Notes section in my password manager.

Don’t just mash the keyboard or use random strings, as customer support will regularly accept “I don’t remember, I just put random stuff”. Make it believable but wrong.

[+] manigandham|6 years ago|reply
I use fake answers. Treat them as basically secondary passwords. I do keep them as real words though since sometimes they need to be answered over the phone and you don't want to read a long random string of characters.
[+] caymanjim|6 years ago|reply
It's going to take literally an entire human generation or more for the terrible password rules of the 2000s to disappear. Forced password changes and the myriad irrational rules about acceptable password contents have been drilled into the heads of every sysadmin and security engineer for the past two decades. They were never evidence-based rules, they were just learned behaviors.
[+] JoeAltmaier|6 years ago|reply
Not sure expiration is the worst problem with passwords. In no particular order,

* Most are easy to remember (most of us don't use LastPass etc)

* They authenticate the user but not the service!

* They're leaky (the system tells you when you have the wrong one, facilitating several kinds of attacks)

* People leave them lying around all the time

* Changing one almost always involves using the old one (instead of starting over from first principles)

Don't get me started on usernames! If you have a large hashed password, then the username becomes irrelevant (except as a way of leaking information).

Here's a modest proposal:

* Insist on large hashed passwords (256bit or better).

* Forget about usernames. The password becomes an 'account key' and is all you need

* Allow delegation: from one account to another; enable/disable features even for the 'main' account; give away authority for delegation at the feature level

* Never deny login for any reason, because that leaks security info (e.g. 'that password is illegal' is information). Just trust every legal password, and if it doesn't exist in the system then create a new default account

[+] dessant|6 years ago|reply
That's exciting news, though it will take a couple of years until it trickles down to financial institutions. My bank forces me to change passwords every 3 months, and of course they also disable pasting for added security.

We also have a local utility that sends you a 5 letter password upon account creation through email, and that's your password. If you try to change it, they'll send you another 5 letter one.

[+] pwg|6 years ago|reply
> and of course they also disable pasting for added security.

With Firefox, you can set this about:config setting to false to give you back the ability to paste, even when sites try to block it:

dom.event.clipboardevents.enabled

[+] antoineMoPa|6 years ago|reply
Bank programmers live at least 5 years in the past.
[+] cortesoft|6 years ago|reply
PCI certification requires passwords to be rotated every 90 days.
[+] xioxox|6 years ago|reply
German banks also like their 5 character passwords! Fortunately you also need a per-transaction TAN code which makes this a bit better (though many people have this on paper or via an SMS, though perhaps paper is not that bad).
[+] MaxGabriel|6 years ago|reply
If you're in need of business banking, you can use mercury.co (my company) and enjoy unlimited length, non-paste-breaking, password manager compatible, no expiration, no character restriction passwords + non-SMS based 2FA :)

Hopefully we have five years before competitors catch up to us and implement this cutting edge technology!

[+] CrowFly|6 years ago|reply
I have 2 and 3 year CDs in a bunch of banks. (This is a common use case, people open separate accounts because of the FDIC insurance limit in any one bank). I only need to log in again 2 or 3 years after opening the account to either take the money out, or open another CD.

Some of these banks expire passwords every 6 months! That's insane. I have calendar reminders set to remind me to log in and generate another password with LastPass.

[+] davemp|6 years ago|reply
I've always wondered how many engineer hours have been lost on the phone with helpdesks sorting out expired passwords.
[+] quickthrower2|6 years ago|reply
Ah good stuff. Password expiration is a pain, but it's worse for Windows login because I can't even open Keepass until I get in!

When forced to do this I will use something like "B@s3P@ssw0rd1" then "B@s3P@ssw0rd2", "B@s3P@ssw0rd3" etc.

[+] Jaruzel|6 years ago|reply
That's still a weak password. Letter substitution doesn't increase the difficulty, as password crackers try all the variants as a matter of course.

Better to use a combo of several words such as... BatteryHorseStaple. :)
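The "increment the counter" and letter-substitution patterns described in lysp's and quickthrower2's comments above are easy to catch at password-change time. The following is an added example, not code from the thread or from any product mentioned in it; it assumes the change form collects the old password (as most do), so both plaintexts are available to compare, and it rejects a new password that is the old one with the case, a trailing counter, or leet-style substitutions changed.

```python
import re
from typing import Optional

# Undo common "leet" substitutions so B@s3P@ssw0rd and basepassword compare equal.
# The table is deliberately lossy: both old and new go through the same mapping.
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s",
    "1": "i", "!": "i", "|": "l", "7": "t",
})

def normalize(pw: str) -> str:
    """Canonical form for similarity checks: trailing counter/punctuation
    removed, lowercased, leet undone, remaining non-letters dropped."""
    core = re.sub(r"[\d\W_]+$", "", pw)      # strip '1', '!23', '_v2' ... at the end
    core = core.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)

def check_new_password(old: str, new: str, min_core: int = 4) -> Optional[str]:
    """Return a rejection reason, or None if `new` is not a trivial variant of `old`.
    Only the relationship between the two is checked; length/entropy rules
    and breached-password lookups belong in separate checks."""
    if new == old:
        return "new password equals the old one"
    if new.lower() == old.lower():
        return "differs from old password only by letter case"
    n_old, n_new = normalize(old), normalize(new)
    if len(n_old) >= min_core:
        if n_old == n_new:
            return "differs from old password only by a counter or symbol substitutions"
        if n_new.startswith(n_old) or n_new.endswith(n_old):
            return "new password is the old one with characters added"
    return None

if __name__ == "__main__":
    # Constructed pairs mirroring the patterns people in the thread admit to using.
    for old, new in [("password23", "password24"),
                     ("B@s3P@ssw0rd1", "B@s3P@ssw0rd2"),
                     ("COMPLEXPPASS!123", "COMPLEXPPASS!124"),
                     ("B@s3P@ssw0rd1", "BatteryHorseStaple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

A real deployment would keep only the hash of the previous password, so this comparison is only possible in the change flow where the user has just typed the old one; it cannot be run retroactively against stored hashes.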

[+] discreditable|6 years ago|reply
I still expire passwords on a yearly basis for the sole reason that users have complained to me that it stops them from using the password they use for everything else.
[+] Raistael|6 years ago|reply
I'm not entirely sure that I'd agree with this mentality. Sure, at a glance it sounds good. If the password has been safeguarded, there's really not much reason to force expiration. However, wouldn't the age of the password reduce the security of it by default? The longer a password exists for, the more likely it is that it can be cracked, discovered by a misplaced Post-It note, or compromised by some other unknown security issue. With all the other security and privacy concerns, this thought process seems contrary.
[+] teilo|6 years ago|reply
So does this mean they also changed the guidelines in the SSPA? This is their security framework / certification for vendors doing business with Microsoft.

Also NIST dropped password complexity requirements. The only hard requirement is it must be 8 characters or more. The new guideline is to let users choose their own level of complexity and encourage them to make longer passwords that they can actually remember.

We would like to follow NIST 800-53, but too many customers (like Microsoft) still do not allow for the 2016 NIST changes.

[+] mouzogu|6 years ago|reply
I wish every company that does this will stop too. It's so frustrating and annoying having to change my passwords so regularly.

The internal time management software we use at work, which I only access every few weeks always forces me to set a new password. So every time I come to log on, my password has expired. What makes it worse is that this password is connected to other work services but they're not synchronised so when I change one, the other doesn't always change for a couple of days. Sometimes, the only way to log in to my machine is to disconnect the ethernet and make sure the wifi is off. And I have to keep a document on my phone with every variation of my passwords in the last few months and even then, if I am on holiday for a while and come back to work, none of them work.

I think there is a class of companies and services (Excluding Microsoft) who just need to leave the business of user security to the user and stop trying to build walls around an enclosure that no one cares about in the first place.

[+] makecheck|6 years ago|reply
Not only are expirations pointless but it’s ridiculous that a 24-hour expiration system is often paired with a “Monday-Friday, 9-4 Eastern” kind of phone call.

I once had an investment account lock out at the start of a weekend and I couldn’t log into the damn thing for days simply because their robot shut it off and only a working human would turn it on.

[+] tomglynch|6 years ago|reply
Password expiration made average users need to remember more password combinations and resulted in them using the same password for each website they use. This is a serious issue, especially when sites the size of facebook are accidentally logging plaintext passwords on their servers.

Password managers are claimed to be the solution but we just aren't seeing average users jumping on board - probably due to the added complexity.

So what's the solution? How about websites begin client-side hashing as well as using SSL and hashing server-side. Then every user's 'password' becomes unique by having a specific salt per website. This would hugely improve the current scenario in that when a site is hacked, attackers can try every user's details on a range of other sites gaining access due to password re-use.

[+] loonyphoenix|6 years ago|reply
That relies on every website implementing this solution, and I don't think such coordination is possible.

Also I don't see the advantage over just server-side hashing. Client-side hashing (without a password manager) is public, so the salt the site uses is known.

[+] kissgyorgy|6 years ago|reply
This has been known for years now, but unfortunately, it takes a long time to change.

The other thing that I just read recently and that is mentioned in this article is about storing secrets in environment variables. That's not good either because every running code and subprocess can read it...

[+] Doubl|6 years ago|reply
The first time I came across password expiration was on a login I was given to someone else's Windows server. I only needed to log in once a month or less, and every single time I got the message "your password has expired and must be changed". It was laughably pathetic how they ever expected people to remember a new hard-to-guess password every month. So of course I did what others have said and tagged a 1 on to the end each time.
[+] falcor84|6 years ago|reply
The article recommends LastPass but ironically LastPass still asks you to change the master passphrase every 180 days. I've complained about this a long time ago and they didn't seem to take my request seriously despite my sending them links to the NIST recommendations.