Slashdot Mirror


New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste

isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."

14 of 148 comments

  1. Makes sense by AuMatar · · Score: 4, Insightful

    The fact is, most of the accounts I have passwords for don't really matter. I don't give a shit if someone gets access to my slashdot account. Or if they get access to an old video game forum or two. So there's no reason to give those things really secure passwords. The things that need secure, unique passwords are your email, your bank/broker, and anything that would truly upset you if you lost access to. Give the rest some default password and stop caring.

    --
    I still have more fans than freaks. WTF is wrong with you people?
    1. Re:Makes sense by Anonymous Coward · · Score: 5, Insightful

      Your email account should be the top of the list as access to that typically allows someone to reset all of your other accounts.

  2. Portable one-time key password generator .. by nickweller · · Score: 3, Insightful

    A portable hardware device that generates one-time-only passwords. The master keys never leave the device and can be revoked in the event of the device getting lost. Hacking any individual device provides no clues that can be used to hack the other devices.

  3. My bank is the worst. by jtownatpunk.net · · Score: 4, Insightful

    Must have a mix of upper case, lower case, numbers, and special characters. And it can't be any of my last eleventy-six passwords. "It's been a while since you've logged in from the mobile application. Please change your password." What the flying fuck?!? I just wanted to check my balance and now I have to change my password.

  4. less password01? by sims+2 · · Score: 4, Insightful

    Does this mean I won't have to change my password from password01 to password02, password03, etc.?

    You require people to change it every 90 days and expect them to remember it; what do you think people are going to do? It is going to be S!mp1e as can be.

    Simple1! fulfills most companies' password requirements.

    If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy

    It will have to stop changing on an arbitrary basis.

    --
    Minimum threshold fixed. Thanks!
  5. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 5, Insightful

    The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.

  6. Re:They want us to make it easier for them? by sudden.zero · · Score: 5, Insightful

    Someone mod this up. This is totally correct! Until my work started making us change our password once every 60 days, and required that the last five passwords can't be reused, I had a very secure password memorized. Now that they implemented these "security" protocols I have to have a list to keep track of what five passwords were used last, and what the current password is. It's the most retarded requirement ever!
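
The two comments above make a claim a practitioner can test: a random 12-char, 4-class password is already past the point where rotation helps, while the rotation dodges elsewhere in this thread (password01 -> password02, S!mp1e) are not. The following is an added example, not code from the thread or from the UK guidance it discusses. It estimates the brute-force ceiling of a candidate from its character classes, then shows why that ceiling is misleading by also catching trivial increments of a previous password and leet-speak dictionary words. The word list, the 60-bit floor and the sample passwords are constructed assumptions for the illustration.

```python
import math
import re
import string

# Constructed, deliberately tiny word list (assumption: a real check would
# load a large breached-password / dictionary list).
COMMON_WORDS = {"password", "simple", "welcome", "letmein", "qwerty"}

# Leet-speak substitutions undone before the dictionary lookup.
LEET = str.maketrans({"!": "i", "1": "l", "0": "o", "@": "a", "$": "s",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# Assumed policy floor: a uniformly random 12-char, 4-class password scores
# about 78.7 bits, well above this.
MIN_BITS = 60.0


def charset_bits(pw):
    """Bits of brute-force work *if* pw were uniformly random over the
    character classes it uses. This is a ceiling, not the real strength:
    'Simple1!' scores 52 bits here but falls to a dictionary attack."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def base_word(pw):
    """Strip leading/trailing digits and symbols, then undo leet-speak,
    so 'S!mp1e' and 'Simple1!' both reduce to 'simple'."""
    core = pw.strip(string.digits + string.punctuation)
    return core.lower().translate(LEET)


def split_counter(pw):
    """'password01' -> ('password', '01'); counter is '' if there is none."""
    m = re.fullmatch(r"(.*?)(\d*)", pw)
    return m.group(1).lower(), m.group(2)


def is_trivial_variant(new, old):
    """True when new and old differ only in case and/or a trailing digit
    run, i.e. the password01 -> password02 rotation dodge."""
    return split_counter(new)[0] == split_counter(old)[0]


def check_password(new, history):
    """Evaluate a proposed password against the user's previous ones.
    Returns (accepted, reason, naive_bits)."""
    bits = charset_bits(new)
    if new in history:
        return False, "reused", bits
    if any(is_trivial_variant(new, old) for old in history):
        return False, "increment-of-previous", bits
    if base_word(new) in COMMON_WORDS:
        return False, "dictionary-word", bits
    if bits < MIN_BITS:
        return False, "too-short-for-charset", bits
    return True, "ok", bits


if __name__ == "__main__":
    # Constructed sample inputs echoing the thread's examples.
    previous = ["password01"]
    for candidate in ["password02", "Simple1!", "S!mp1e",
                      "kQ7#pL2$wX9!", "6B=1X8Vg+Bxqfs=2oPEy"]:
        print(candidate, check_password(candidate, previous))
```

Note that the increment check needs the previous passwords in a comparable form; a server that stores only salted hashes of the history cannot run it after the fact, which is exactly why such checks are done at change time, while the old password is still in hand. The charset estimate is only honest for passwords that were actually generated at random, which is the point of the comment above: for those, there is nothing left for rotation to buy.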

  7. I got a different password for every site by future+assassin · · Score: 4, Insightful

    Now, I don't always remember it 99.9% of the time, but what I do is have a pattern that I use to extract 4 letters from a site's name and use 4 or so selected 4-number combos which I combine into a password. At least it gives me different passwords for different sites.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
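
The scheme in the comment above derives each site's password from the site name by a fixed rule, so a single leaked password gives away the rule and with it every other site. The following is an added example, not the commenter's scheme and not anything from the guidance document: the keyed version of the same idea. One memorised passphrase is stretched with PBKDF2 into a key, and each site's password is HMAC output under that key, so a leaked password reveals neither the key nor any other site's password, and a per-site counter lets one site be rotated after a breach without touching the rest. The function names, alphabet, the passphrase, salt and site names are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import string

# Output alphabet: 74 symbols. 256 % 74 = 34, so bytes are rejection-sampled
# to keep every character equally likely instead of biasing the low ones.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
LIMIT = 256 - (256 % len(ALPHABET))  # 222: bytes >= LIMIT are discarded


def master_key(passphrase, salt, iterations=600_000):
    """Stretch the memorised passphrase into a 32-byte key. The salt is not
    secret; it only stops one precomputed table from covering every user."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def site_password(key, site, counter=0, length=20):
    """Derive the password for one site. 'counter' lets that site be rotated
    after a breach while every other site's password stays the same."""
    label = f"{site.lower()}\x00{counter}".encode("utf-8")
    chars = []
    block = 0
    while len(chars) < length:
        # Each block is an independent PRF output; a leaked password hands an
        # attacker about 20 PRF bytes but no way back to 'key'.
        digest = hmac.new(key, label + block.to_bytes(4, "big"),
                          hashlib.sha256).digest()
        for b in digest:
            if b < LIMIT:
                chars.append(ALPHABET[b % len(ALPHABET)])
            if len(chars) == length:
                break
        block += 1
    return "".join(chars)


def new_salt():
    """Fresh 16-byte salt; store it alongside the (non-secret) site list."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    # Constructed demo values; in use the passphrase is typed, never stored.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    key = master_key("correct horse battery staple", salt)
    for site, counter in [("slashdot.org", 0), ("example-bank.example", 0),
                          ("example-bank.example", 1)]:
        print(site, counter, site_password(key, site, counter))
```

Two caveats belong with this. The passphrase is still a single point of failure, just as the master password of a password manager is, and a deterministic scheme cannot absorb a site that imposes its own composition rules or forces a change on a schedule; for those, a manager that stores random per-site passwords (as a later comment in this thread describes with KeePass) is the more practical tool. What the HMAC construction buys over the pattern rule is purely containment: one site's password leaking tells an attacker nothing about the next.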
  8. Re:They want us to make it easier for them? by Bert64 · · Score: 4, Insightful

    They're not saying it's OK, they're saying you should only reuse passwords for similar systems, which makes sense... If your slashdot password gets compromised it's not a big deal; use the same password on some other news site and it's also not a big deal; just make sure you use a different password for your bank.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  9. Re:They want us to make it easier for them? by NicBenjamin · · Score: 4, Insightful

    I have a simple password. I increment. I use the same one at both jobs. They're actually incremented to the exact same digit at the moment.

    I doubt it's secure, but it allows me to avoid hassles.

  10. Or.. by s.petry · · Score: 4, Insightful

    You memorize a single strong password for a key storage program like Keepass, and only bother with 1 strong password being changed at your recommended frequency. I can change all of my other passwords randomly as often as I want and don't need to remember them all. I keep the encrypted DBs on a thumb drive in my pocket, and a backup in a safe.

    While not perfect this setup is safer due to the lack of a keylogger picking things up. No system is perfect so I go for "better" and "best practices". I would much rather have a 20+ character password for my DB I change every 9-12 months than try and remember dozens and dozens of various passwords I have for everything else.

    Oh, I should add that I use multiple databases for multiple purposes. I don't mix business and pleasure.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  11. Re:Too similar by Applehu+Akbar · · Score: 4, Insightful

    "Think up other schemes?" No, they just start writing passwords down. Behavior becomes less secure.

  12. Re:Too similar by jrumney · · Score: 5, Insightful

    Or they frequently forget their password, and after getting sick of all the support requests for password reset, an automated password reset system is put in place that has more security holes than the passwords they are trying to block. Even if the system is not automated, think about the potential for social engineering attacks when forgotten passwords are a daily annoyance for helpdesk staff that they just want to get out of the way as soon as possible.

  13. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 2, Insightful

    But that's the idea behind "frequent changing of passwords is a waste". I don't even know why changing your password would be more secure than keeping a password. Normally you only get a limited number of tries before your account gets locked anyway. So what does it matter if you keep the same password for the couple of years you use a particular service? And most services you keep for a longer time have better built-in security anyway, like the requirement to verify an e-mail when you log in on a new computer, or sending SMS codes that need to be entered after logging in for x amount of time.

    I think login/password to authenticate a user was the first thing the first computer scientists came up with, but they never tried to find a better solution. The businesses who profited most from the IT boom were never interested in security or privacy and only implemented it as an afterthought. Now x decades later we still use the first authentication system that was implemented and nobody questions its validity or user friendliness.

    Especially now with the rise of smartphone usage, difficult passwords become a nightmare. How many people are able to type those difficult passwords on such a small screen without making a mistake? And how many people can really remember all the different passwords? If you don't want to carry a paper notebook where you write down your passwords, then you will probably save them in the notebook app on your smartphone. That's even something I do: passwords I only need occasionally are in a notebook that is synced with my smartphone. Someone who has access to my smartphone (like on the work floor when you put your phone down after a call without locking the screen yourself) also has access to all my passwords in my notebook, including the PUK codes of my cell chip, the set passwords of my work account, the passwords for the download area of expensive software, etc...

    I know I have this problem. I personally do not care about losing access to any of those services; the loss can be repaired and it has no emotional value. But my employer probably thinks differently, and that's why they require us to remember 16 passwords with at least 2 numbers, 2 lower case, 2 upper case, 2 special chars, no repetition of characters and at least 16 characters long, that have to be changed every month. Of course nobody remembers them. Of course you write them down. Of course you no longer use a paper notebook, but a notebook in the cloud. Of course that difficult password is only as secure as the password of my notebook, which in turn is only as secure as my trust in my colleagues and friends, who might have a peek in my notebook when I leave my desk without locking my screen. I do not lock my screen when I have to re-enter those annoying passwords that I never can remember and need to save in my notebook, which is now in the cloud...