Slashdot Mirror


The Unspoken Taboo - The Never Expiring Password

anon writes "Every security-savvy professional lives with the daily fear of the "never expiring password" being exposed. It's the unspoken taboo, the wide open back door in every corporate network. But no one ever acknowledges it or discusses it. All applications have got pre-defined passwords that never change. Which means developers, privileged users and hosting third-party service providers will all have access to these passwords."

3 of 537 comments

  1. Re:Recent case of that in Japan by Anonymous Coward · · Score: 5, Insightful

    "...because there is no safety available if you live there."

    Couldn't they just install locks?

  2. What's the problem w/ long non-expiring passwords? by QuantGuy · · Score: 5, Insightful

    Maybe I'm missing something. It's conventional wisdom that "best practice" is that "everyone" should change their password every x number of days. But often times folks have to change their passwords so often they end up writing them on sticky notes, or choosing the same easy eight-character password over and over and over, with the only variant being the numbers stuck at the end. And this is good for security how?

    At a previous company our policy was to have fairly long (16 character) passwords that never expired. For my own password, I chose a mnemonic one that had certain combinations of substituted numbers and special characters. It was never cracked, even though we ran password scans regularly on our Windows domain and Linux boxen.

    Show me the empirical evidence that frequently-changing, short passwords are better than long, unchanging ones, and not only will I change my password, but I might even change my mind as well. Until then articles like this are just perpetuating a mythology that people have come to accept as fact.

    As it happens, I think passwords have outlived their usefulness. But that's another thread entirely...

  3. I Call Bullshit by npsimons · · Score: 5, Insightful

    I am what I would consider a "security-savvy professional", and I have to say that making people change passwords is the most time-wasting, useless, feel-good security measure ever. You know why? Because people will pick easy to remember (and easier to crack) passwords rather than good passwords when they won't have time to memorize a good one. Or to look at it another way: why pick a good password when you are just going to be forced to change it? I know this is true, because I have experienced it from the other side; I am a user who is forced to change his password on a regular basis. On those accounts which force me to change my password (usually every 6 months), I won't even try to pick a good password. I'll pick one that meets the bare minimum requirements, because I'm just going to have to change it again in another six months. Why bother trying to create a good password?


    On the other hand, on systems I administer, I don't have expiring passwords. I pick passwords that are 20 characters long and look like line noise. Sure, it's harder to memorize them, but I have more _time_ to memorize them because I never have to change them.
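Comments 2 and 3 both describe the same failure mode of forced rotation: the user keeps the old password and bumps the number on the end. A password-change hook that catches exactly that, and that also shows why the 16- and 20-character non-expiring passwords from those comments score so differently from a short one, is added below as an illustration. This is example code written for this page, not code from any poster or from Slashdot; the thresholds (MIN_LENGTH, MAX_EDIT_DISTANCE) and the sample passwords are assumptions chosen to match the thread, not any site's real policy.

```python
"""Reject the 'same password with the number bumped' variant that forced
rotation tends to produce, and estimate how much a long password buys.

Added example for this thread, not any poster's code. Thresholds and
sample passwords are assumptions.
"""
import math
import re
import string

MIN_LENGTH = 16         # assumed: the 16-character policy from comment 2
MAX_EDIT_DISTANCE = 3   # assumed: closer than this counts as a variant

# A run of digits/punctuation tacked on the end: 'Summer2019!' -> 'Summer'.
_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")


def strip_suffix(pw: str) -> str:
    """Remove the trailing digit/punctuation run users increment on rotation."""
    return _TRAILING.sub("", pw)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (two-row dynamic programming)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def entropy_bits(pw: str) -> float:
    """Upper-bound estimate: length times log2 of the character pool used.

    This is the optimistic 'random choice from the pool' figure; a
    dictionary word scores far lower in practice, so treat it as a ceiling.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)   # 32 printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def is_rotation_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with case or the trailing run changed,
    or is within MAX_EDIT_DISTANCE edits of it."""
    if old.lower() == new.lower():
        return True
    base_old, base_new = strip_suffix(old).lower(), strip_suffix(new).lower()
    if base_old and base_old == base_new:       # 'Summer2019!' -> 'Summer2020!'
        return True
    return levenshtein(old.lower(), new.lower()) <= MAX_EDIT_DISTANCE


def check_change(old: str, new: str) -> list:
    """Return the reasons to reject the change; an empty list means accept."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_rotation_variant(old, new):
        reasons.append("trivial variant of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords, not from any real account.
    for old, new in [("Summer2019!", "Summer2020!"),
                     ("Tr0ub4dor&3xample!!", "kx9#Lq2$Vw7!Rz4&Mb3^")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new) or 'accepted'}")
    for pw in ("password1", "kx9#Lq2$Vw7!Rz4&Mb3^"):
        print(f"{pw!r}: ~{entropy_bits(pw):.0f} bits (upper bound)")
```

Run as a script it prints the verdict for each constructed pair and the entropy ceiling for a short lowercase-plus-digit password against a 20-character "line noise" one. The similarity check is the part worth keeping in a real change hook: it only needs the previous password at the moment of change, so it works without storing old passwords reversibly, and it blocks the suffix increment that an expiry policy otherwise trains users into.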