• MrQuallzin@lemmy.world · 43 upvotes · 3 months ago

    One of our systems at work won’t let you use the last thirteen passwords. And it makes you change it monthly.

    • Darkassassin07@lemmy.ca · 29 upvotes · 3 months ago

      Yeah, I’m sitting there changing my password 13 times until I can go back to mine. I already do this with our 3 month expiry, but ours only checks against the current password, not a history of old passwords.

      Password expiry doesn’t make systems more secure, it makes users lazily set insecure passwords to deal with your shitty mind games.

        • Darkassassin07@lemmy.ca · 5 upvotes · 3 months ago

          Hello, Tech Support? Yeah, I can’t remember my password… I know, this is the 13th time this week… I’ll try real hard to remember this time I promise.

    • Hasherm0n@lemmy.world · 28 upvotes · 3 months ago

      Any organization still doing this is a decade behind best practices. NIST published new recommendations years ago that specified getting rid of the practice of regular forced password resets specifically because they encourage bad practices that make passwords weaker.

      Of course it doesn’t help that there are some industry compliance standards that have refused to update their requirements, but I don’t know of any that would require monthly password changes.

        • Hasherm0n@lemmy.world · 9 upvotes · edited · 3 months ago

          What you want is NIST 800-63b https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret

          Specifically sections 5.1.1.1 and 5.1.1.2.

          Excerpt from 5.1.1.2 pertaining to complexity and rotation requirements:

          Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

          Appendix A of the document contains their reasoning for changing from the previous common wisdom.

          The tl;dr of their changes boils down to this: length is more important than any other factor when it comes to password security.

          Edit to add:

          In my personal opinion, organizations should be trying to move away from passwords as much as possible. If your IT team seems to think this system is so important that they need to rotate passwords every month, they should probably be transitioning to hardware security tokens, passkeys, or worst case, password with non-SMS MFA.

          Now I know nothing about the actual circumstances and I know there are plenty of reasons why that may not be possible in this specific case, but I’d feel remiss if I didn’t mention it.
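As an added illustration (not code from the thread or from NIST) of the 5.1.1.2 guidance quoted above: a small Python verifier that checks only length and a blocklist, applies no composition rules, and forces a change only on evidence of compromise, shown next to the 30-day rotation rule the thread describes. The blocklist contents, the 8/256 length bounds and the account dates are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import unicodedata

# Constructed blocklist standing in for a corpus of breached/common passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "summer2024"}
MIN_LEN = 8     # 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LEN = 256   # 800-63B requires permitting at least 64; this verifier allows more

def check_memorized_secret(secret: str, blocklist=BLOCKLIST) -> list[str]:
    """Return rejection reasons per 800-63B 5.1.1.2; an empty list means accepted.
    Only length and a blocklist lookup are applied: no composition rules."""
    normalized = unicodedata.normalize("NFKC", secret)  # normalize before comparing
    reasons = []
    if len(normalized) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(normalized) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if normalized.casefold() in blocklist:
        reasons.append("matches a known-compromised or commonly used value")
    return reasons

@dataclass
class Account:
    set_at: datetime            # when the current secret was chosen
    compromised: bool = False   # set by incident response on evidence of compromise

def change_required_legacy(acct: Account, now: datetime, max_age_days: int = 30) -> bool:
    """The policy described in the thread: forced rotation every 30 days."""
    return acct.compromised or now - acct.set_at >= timedelta(days=max_age_days)

def change_required_nist(acct: Account, now: datetime) -> bool:
    """800-63B: force a change only on evidence of compromise, never on age alone."""
    return acct.compromised

def demo() -> dict:
    """Exercise both policies on constructed inputs."""
    now = datetime(2024, 6, 1)
    stale = Account(set_at=datetime(2024, 1, 1))              # 5 months old, no incident
    breached = Account(set_at=datetime(2024, 5, 30), compromised=True)
    return {
        "short": check_memorized_secret("tr0ub4"),
        "blocklisted": check_memorized_secret("Password"),
        "passphrase": check_memorized_secret("correct horse battery staple"),
        "legacy_stale": change_required_legacy(stale, now),
        "nist_stale": change_required_nist(stale, now),
        "nist_breached": change_required_nist(breached, now),
    }
```

Note that "abcdefgh" passes the NIST-style check: under 800-63B a short all-lowercase secret is rejected by the blocklist or by length, not by a character-class rule.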