item 36506393

lucaspfeifer | 2 years ago

Two alternatives:

A. Make a stronger password, time to crack it increases exponentially.

B. Change password regularly, including after getting new equipment.

vegetablepotpie | 2 years ago

Many organizations go with B already. Usually with some arbitrary password update period, with more sensitive information requiring shorter periods.

The user response is to choose a new password that is similar to the previous password to avoid losing access due to forgetting. This means that an attacker's best way to find the user's current password is to know their old password. NIST has recognized this, and advises against these policies: “Reset—Required only if the password is compromised or forgotten.” [1].

Best mitigation I see for systems that exclusively take password input is to use a user pin plus a PKI card or RSA key.

[1] https://www.isaca.org/resources/isaca-journal/issues/2019/vo...
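As an added example, not code from anyone in the thread: a defensive check a password-change handler could run to reject a new password that is a predictable edit of the old one (the "bump the year, add a character" habit the comment above describes), which is only possible at change time because that is the one moment both plaintexts are legitimately in hand. The thresholds (edit distance below 4, or a shared letter-only core) and the sample changes are assumptions constructed for the demonstration.

```python
import re


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core(pw: str) -> str:
    """Strip case, digits and punctuation so 'Summer2023!' and 'summer2024#' collide."""
    return re.sub(r"[^a-z]", "", pw.lower())


def too_similar(old: str, new: str, min_distance: int = 4) -> bool:
    """True when `new` is a trivial derivative of `old` (assumed policy thresholds)."""
    if old == new:
        return True
    if levenshtein(old.lower(), new.lower()) < min_distance:
        return True
    c_old, c_new = core(old), core(new)
    # Only compare cores that are long enough to be meaningful.
    if len(c_old) < 3:
        return False
    return c_old == c_new or c_old in c_new or c_new in c_old


# Constructed sample changes: the first three follow the pattern the comment
# warns about; the last is a genuinely new secret.
SAMPLE_CHANGES = [
    ("Summer2023!", "Summer2024!"),
    ("Summer2023!", "summer2023!!"),
    ("Summer2023!", "!Summer2023"),
    ("Summer2023!", "correct horse battery staple"),
]


def audit(changes=SAMPLE_CHANGES):
    """Return the (old, new) pairs the policy would reject."""
    return [(o, n) for o, n in changes if too_similar(o, n)]


if __name__ == "__main__":
    for old, new in audit():
        print(f"rejected: {old!r} -> {new!r}")
```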

m3047 | 2 years ago

Changing passwords as a cracking mitigation is "bad medicine", always has been, and is now acknowledged as such.

Mathematically, imagine it is raining (stochastically speaking, evenly distributed on the interval, with replacement). Are you more or less likely to get hit by a rain drop if you dance around or stand still? Nope, odds are the same. (Although technically by moving around a lot you are sweeping space and thereby increasing the surface area for rain to impact + amount of rain, so actually you are increasing the odds.)

Ok, try this instead. Flip a coin and guess whether it's heads or tails. Does it matter whether I guess heads every time, alternate heads/tails, or flip another coin? No, it does not.

Now in the case of people who re-use passwords... in the longer term we'll find out whether the propensity to be one or the other produces an evolutionary signal or whether people are impossibly bad at "random" in any case.

Finally, imagine someone cracking passwords: this is your adversary, and there is only one. Are they going to start with the hardest, most difficult to compute / type / memorize / come up with in the first place passwords? Let's encourage them to do that, and start with passwords which you'd never be able to enumerate starting from null before the heat death of the universe. Ok, so maybe that won't work, they're going to start with the easy ones first. So in this case, the optimal strategy would be to pick a really difficult password, and then at some point in time switch to one of the easy ones since it's already been checked.

How's your migraine now?

bandrami | 2 years ago

It's an exposure mitigation rather than a cracking mitigation, isn't it? The idea is that if it got badly stored somewhere it's only dangerous for 30 days or whatever.