This should not be a surprise, as this supports the NIST's revised recommendations (from June 2017!) that passwords should not expire [0], because it actually leads to less-secure passwords for this exact reason.
Furthermore, many corporate systems do not integrate well with password managers, such as when first logging in to your system in the morning. This means that the password is likely to be one of the few that must actually be memorized.
If you ask me to memorize a 32-character random string, I will, but I won't memorize a different 32-character string every 6 months!
Bruce Schneier's summarization [0] of NIST's revised recommendations:
1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
2. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
3. Let people use password managers. This is how we deal with all the passwords we need.
I am forced to type 2 to 3 passwords every morning. The IT rules say I can't leave my laptop on my table overnight, so every day I have to type at least the disk encryption password + my login password. And sometimes I also have to type the VPN password. That's already 2 to 3 passwords every single time.
Not counting the SSH key passphrases for a lot of stuff...
> corporate systems do not integrate well with password managers, such as when first logging in to your system in the morning
Depends on the password manager. I use Keepass on my phone with the InputStick[0] plugin, for example, and that works great for Windows logins. Even have a macro set up so I can sign in to Windows with one tap.
> Furthermore, many corporate systems do not integrate well with password managers, such as when first logging in to your system in the morning.
...are there any desktop OSes which do integrate well with password managers, for your login password?
By definition, you can't open the password manager until you've logged into the machine. So you'd need to open the password manager on a separate device.
The one exception I can think of is if you're using the password manager built into the system, like Apple's keychain, in which case your login password is basically also your master password. Unfortunately, you then lose the ability to access your passwords on any other company's platform...
> such as when first logging in to your system in the morning
This is what the article is talking about, but completely misses in its involved complaints. The best password manager in the world will NOT help you actually login to the computer you're running it on. So everyone at work basically has to have at least two passwords that need to be memorized: The main password to login to the machine, and the unlock password for the password manager.
Forcing these passwords to be impossible to remember is going to be a huge impediment, given how often you end up actually having to type them.
"This should not be a surprise, as this supports the NIST's revised recommendations (from June 2017!) that passwords should not expire [0], because it actually leads to less-secure passwords for this exact reason."
THIS. 10 Times This.
Would somebody be so kind to tell this to the eRA Commons website maintainer of the NIH?
And when you are on it, please tell eBay I don't want to change my PW if they think someone else tried to log into my account based on their shitty tracking metrics. I mostly switched from Amazon to eBay but the constant PW change requests really annoy me. I have one plain vanilla browser with no anti-tracking plug-ins only for eBay.
I once sent them a message saying that I consider their security guy an idiot, told them to forward him my cell phone number and asked him to give me a call to discuss this PW policy. He never called. :-)
People should remember that the recommendations are part of a large security program and assume the implementation of others that are not so straightforward. Multi-factor auth and resistance to offline attacks on a stolen database or MITM'd creds in an outdated Windows environment tend to be big technical pain points. Most companies, especially outside of tech, aren't in a position to remove password expiration yet.
I think anyone can memorize 32 character passwords every 6 months if one uses some scheme. I usually use long phrases from books: a phrase that means something to me is easy to remember and even if I forget it, it's easy to look it up. Such passwords can be arbitrarily long.
When this came out I wasn’t directing IT... I had to (fucking) fight tooth and nail to get our MSP and CFO to accept it.
CFO no longer has anything to do with IT, MSP was fired... not for this, for leaving admin credentials in JSON file accessible to everyone on a shared drive.
Of course we do. My password manager does not work for the Windows login and I need to change it every 3 months. I can remember 1 large complicated pass-sentence, but not a different one every three months.
For cases like these I semi-seriously suggest using a keyboard with programmable macros. Usually people laugh it off but I think it's not the worst idea. Almost no one I know would know how to find and execute a macro on my keyboard, if they even considered looking for a password there.
Same. I'm currently on the 15th permutation of the same password. But we implemented 2FA this year so now I still have to change my password regularly, and pull a code from my phone that's generated on demand (as opposed to temporal rollover) so it needs to be connected, AND I have to enter in my password about 75 times a day because it goes part and parcel with the 2FA prompts.
Same here. I have a fairly complex (secure) password I use at work and they make me change it every 90 days so I just appended an "01" to it which I increment on every change.
I did this at my old job where they forced regular PW changes. The thing that changed was the string of digits at the end, which was always the year and month I was last forced to change it.
Of course, for my personal logins I use a manager and unique strong passwords, but they gave me no reason to care about password security and a bunch of reasons not to.
We had a password change rule at a company I worked at because QuickBooks required it. Because QuickBooks required it upper-management decided that ALL other passwords were required to be changed as well (email and desktop passwords, for most employees).
Because time is money, and the employees' time was all chargeable at about $250/hour, the IT guy was tasked with the job of changing everyone's password himself right before the 90 days were up. He just kept everyone's passwords in a password manager, and the "Notes" field contained the password change pattern the user wanted to follow.
Being the IT guy's manager I was able to exclude myself from these crazy shenanigans, but no one else was so lucky. In fact, many people asked for their passwords to be synced by the IT guy for other services they use at work!
There's actually no need to really change the password. The check for used passwords has its limits, so after going through [password]1 to, let's say, [password]20, it lets you use [password]1 again. A script (for loop with smbpasswd, for example) can do this in a few seconds.
My first job out of college had a policy like this, and I did something similar. Biggest problem was that we had multiple password systems, all with their own policies, so my passwords slowly got out of sync.
Mine is somewhere between 30 and 50 days (been keeping track and it seems to shift around). For a while a bunch of us were able to get them to stop expiring our passwords, until upper management found out and put a stop to it.
The counter on my password is somewhere up in the 50s or 60s. (For those of us on Linux, it's only used for wifi access - things like email and svn use a different, non-expiring password)
I used to have to deal with an enterprise system that required quarterly password changes. The interesting thing about this system was it would refuse to let you set a new password that wasn't sufficiently different from the previous several passwords... Which almost certainly means they were implementing this security measure by storing the passwords in plaintext on the server.
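Added example, not code from the thread: the comment above infers plaintext storage from a "not sufficiently different from your previous passwords" rule, but such a rule can be enforced against salted hashes alone by hashing predictable neighbours of the candidate password (the "append 01 and increment" pattern several commenters describe) and comparing those against the stored history. Function names, the KDF parameters and the sample history are my assumptions.

```python
# Added example (not from the thread): enforce a "not too similar to your
# previous passwords" rule without storing any plaintext. Only salted KDF
# hashes of past passwords are kept; at change time the candidate (which
# the server does have in plaintext at that moment) is expanded into its
# predictable neighbours, each is hashed, and any hit rejects the change.
import hashlib
import hmac
import os
import re

# Assumption: PBKDF2-SHA256 with a modest iteration count so the example
# runs quickly; a production system would use a memory-hard KDF (argon2id).
ITERATIONS = 50_000

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

# Last run of digits plus whatever non-digits follow it, e.g. "Welcome12!".
_TRAILING_COUNTER = re.compile(r"^(.*?)([0-9]+)([^0-9]*)$")

def variants(candidate: str, lookback: int = 3) -> set[str]:
    """Predictable 'neighbours' of candidate: the forms a user who appends a
    character or increments a trailing counter is likely to have used before."""
    forms = {candidate, candidate.lower(), candidate.capitalize(),
             candidate.rstrip("!@#$%^&*.?_-")}
    if len(candidate) > 1:
        forms.add(candidate[:-1])          # "append one character at a time"
    for form in list(forms):
        m = _TRAILING_COUNTER.match(form)
        if not m:
            continue
        head, num, tail = m.groups()
        forms.add(head + tail)             # counter removed entirely
        for k in range(1, lookback + 1):   # Welcome12! -> Welcome11!, Welcome10!, ...
            n = int(num) - k
            if n >= 0:
                forms.add(f"{head}{str(n).zfill(len(num))}{tail}")
    return forms

class PasswordHistory:
    """Per-user history holding only KDF hashes of previous passwords."""

    def __init__(self, depth: int = 5, salt: bytes = b""):
        self.depth = depth
        # One history salt per user (separate from the login hash's salt),
        # so each candidate variant is hashed once rather than once per entry.
        self.salt = salt or os.urandom(16)
        self.hashes: list[bytes] = []

    def record(self, password: str) -> None:
        self.hashes.append(kdf(password, self.salt))
        del self.hashes[:-self.depth]      # keep only the newest `depth` entries

    def too_similar(self, candidate: str) -> bool:
        """True if candidate, or a predictable neighbour of it, was used before."""
        for form in variants(candidate):
            digest = kdf(form, self.salt)
            if any(hmac.compare_digest(digest, old) for old in self.hashes):
                return True
        return False

if __name__ == "__main__":
    history = PasswordHistory()
    for old in ("Welcome10!", "Welcome11!"):   # constructed sample history
        history.record(old)
    print(history.too_similar("Welcome12!"))                    # True
    print(history.too_similar("correct horse battery staple"))  # False
```

This only catches guessable neighbours of a candidate; it does not turn forced expiry into a good idea, which is the thread's point.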
I used to set many passwords with slight variations.
One day I turned on failed login pass capture on a couple of WordPress web sites. I did see some of what I expected: they tried many of the most common passwords.
What surprised me is that they also attempted all kinds of similar variations that included words that our sites might use, but were not in the most commonly used pass dictionaries.
So they were not just using dictionary and common pass attacks; they were also attempting ones and slight variations of ones that may or may not have included those common things, plus site specific things, then with slight variations.
That was kind of spooky, and had me change up how I set up some things for other people.
The thing I hate the most is random websites forcing you to use a password with "at least 8 characters, capital letters, numbers, .."
I only care about my email account and a couple of other important websites.
I want to be able to use the same simple password on other websites.
So what if my account on pinterest or my local news website or some random forum is compromised... I don't care. I will either reset my password or make a new account.
If you want to feel better about those websites, Provident CU makes you pick a username with the same rules, including capitals and numbers when you register for online banking.
Someone in their IT department is the Grand High Idiot of Cargo Cult Security.
There was an entertaining tale about this in Henry Marsh's Do No Harm: Stories of Life, Death and Brain Surgery (he's a very significant figure in brain surgery in the UK).
There's a lot to it, but it came down to running around the hospital getting mad with the new digital system for looking at X-ray pictures rather than having them in physical format. Given one of the admin's passwords to try (it was something quite rude like "fuckoff"), he still couldn't make it work, and was advised that they were forced to change passwords every 30 days and to try "fuckoff2". It turned out the actual password was something like "fuckoff4" due to the time that had passed since the password had been shared around the department.
I kid you not, those of us subject to rolling our passwords do just that. Add one. One system had a restriction of not the same password within 32 changes, so inventive users would simply do that in one try until changes got limited to once per 24 hours.
> When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.
I do this at my current job, character by character, as I'm asked to update it. I think I have a mix of four different slightly modified semi-unique passwords I've used in the past so far, so it's not great, but not terrible.
My password is currently 35+ characters, using upper and lower case letters, numbers, and punctuation, and is not shared with any other account I have. Even if someone were to get a list of other passwords I've used they would need to correctly guess what passwords I'm using here, what modifications I've made to them, what the order was, and where in the last password I've used I am, since I append a single character at a time.
I also try to go out of my way to use the weakest passwords possible for non-critical websites (eg subject specific forums) so if those are compromised the only thing someone gets is my username plus a really weak password as opposed to my username plus a relatively strong/unique password.
With that said, as I'm writing this, I acknowledge I should really start from scratch. It's better to be safe than sorry.
The password requirements at my job are, in my opinion, insane. It has to be a specified length (an exact number of characters, no more, no less), can't contain any 3+ character words found in a dictionary, and a few other requirements like at least one capital letter and at least one number. And it has to change every three months. So yes, when I have to change my password I end up changing a single character or digit and calling it a day.
My single biggest issue is weird complexity requirements... let me simply use a relatively short sentence (15+ characters). If they limited the requirement to length only + a breach check, that would be enough and encourage a sentence.
"I really like sour grapes." is easy enough to remember and has plenty of complexity... of course, it gets much harder on a mobile device, this is where passphrase managers come into play though.
My most memorable policy as an end user was as a consulting client for a huge bank. On top of the usual length, character type, and password changing requirements, the password could not use substrings of 3+ characters from any of your prior passwords.
They were also required to pass a black-box “complexity” algorithm, and the vast majority of passwords generated by my password manager inexplicably failed this bar.
So every 6 weeks I would set aside about 20 minutes to generate new passwords of varying length in my password manager until one would be accepted as the new password.
I use this time management software at work that forces me to reset my password pretty much every time I open it.
What I'd like to know is why this software requires such stringent security. Who wants to hack into my time-sheet and see how many hours I worked on some boring project?
I also have one password to login to my laptop offline, one to login when it's online and another to login to work mail as these three passwords are always out of sync. Very annoying.
hwbehrens | 6 years ago
[0]: https://pages.nist.gov/800-63-FAQ/#q-b05
orand | 6 years ago
[0]: https://www.schneier.com/blog/archives/2017/10/changes_in_pa...
ZainRiz | 6 years ago
Do the other 51% sincerely try to change their passwords? Or maybe they were too scared to report the truth :P
dyingkneepad | 6 years ago
Ajedi32 | 6 years ago
[0]: http://www.inputstick.com/
kazinator | 6 years ago
Wowfunhappy | 6 years ago
octorian | 6 years ago
joyjoyjoy | 6 years ago
resfirestar | 6 years ago
010001001010 | 6 years ago
I toyed around with the idea of a password risk score.
Password reuse across accounts (with known breach) = 100%
Password reuse across accounts = 90%
Unique external password = 30%
Unique internal password = 20%
Divided by password complexity... or something similar.
In this way user is encouraged to maintain good passwords by not being penalised (changing every few months, etc).
Of course, this would require something between service and user, such as a password manager.
hello_tyler | 6 years ago
fg6hr | 6 years ago
SlowRobotAhead | 6 years ago
Ah, good times!
ouid | 6 years ago
crankylinuxuser | 6 years ago
How many businesses do you know follow NIST's new password guidelines?
lostmsu | 6 years ago
discreditable | 6 years ago
vikramkr | 6 years ago
meragrin | 6 years ago
unknown | 6 years ago
[deleted]
teekert | 6 years ago
vlunkr | 6 years ago
cptskippy | 6 years ago
DebtDeflation | 6 years ago
ahelwer | 6 years ago
droobles | 6 years ago
caconym_ | 6 years ago
Honestly I'm surprised it's as low as 49%.
dingo_bat | 6 years ago
[deleted]
davidmurdoch | 6 years ago
orthros | 6 years ago
I'm guessing this isn't what they had in mind.
Liskni_si | 6 years ago
xur17 | 6 years ago
Izkata | 6 years ago
AdmiralAsshat | 6 years ago
a) Passwords that are secure.
b) Passwords that can be remembered.
c) Passwords that must be rotated regularly.
You can pick two of the above, and it can be done. But you're not getting all three.
obelos | 6 years ago
stevenicr | 6 years ago
Vomzor | 6 years ago
geoelectric | 6 years ago
petercooper | 6 years ago
Edit: Found another recollection of the tale here: https://www.theguardian.com/books/2014/mar/30/do-no-harm-sto...
Shivetya | 6 years ago
pixelbath | 6 years ago
omgwtfbyobbq | 6 years ago
https://correcthorsebatterystaple.net/
dangom | 6 years ago
MrMember | 6 years ago
tracker1 | 6 years ago
kardos | 6 years ago
Is the password manager not a single point of failure in this model?
fancyfish | 6 years ago
num3ric | 6 years ago
mouzogu | 6 years ago