Slashdot Mirror


NIST's Draft To Remove Periodic Password Change Requirements Gets Vendors' Approval (csoonline.com)

An anonymous reader writes: A recently released draft of the National Institute of Standards and Technology's digital identity guidelines has met with approval from vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things: "Remove periodic password change requirements." There have been multiple studies that have shown that requiring frequent password changes is actually counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change them or if there is an indication of breach.

149 comments

  1. Good move by phresno · · Score: 3, Interesting

    I welcome the return to sanity.

    1. Re:Good move by Anonymous Coward · · Score: 3, Insightful

      Yep. They do this where I work, which leaves me with very little choice but to write the password down on a little yellow sticky note because I'm forced to keep changing it to things I'll never remember.

    2. Re:Good move by Oswald+McWeany · · Score: 2

      > Yep. They do this where I work, which leaves me with very little choice but to write the password down on a little yellow sticky note because I'm forced to keep changing it to things I'll never remember.

      Or you could do what most people do and keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.

      --
      "That's the way to do it" - Punch
    3. Re:Good move by known_coward_69 · · Score: 2

      Even Windows Server won't let you do that with a simple AD configuration change.

    4. Re: Good move by Anonymous Coward · · Score: 0

      Except that little strategy is prevented at lots of larger employers.

    5. Re:Good move by Frosty+Piss · · Score: 1

      > Or you could do what most people do and keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.

      Many systems do not allow you to repeat sequences.

      --
      If you want news from today, you have to come back tomorrow.
    6. Re:Good move by fahrbot-bot · · Score: 1

      > Or you could do what most people do and keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.

      > Many systems do not allow you to repeat sequences.

      I imagine he/she meant a rotating sequence of numbers to make it unique and non-repeating. However, many systems, while allowing long(er) passwords, limit the significant characters so I recommend putting the non-unique part first rather than last.

      --
      It must have been something you assimilated. . . .
    7. Re:Good move by Anonymous Coward · · Score: 0

      How would a properly secure and safe password system know if your new password is only slightly different than your old one? If it can tell a minor change, then it is not a good password setup.

    8. Re:Good move by EvilSS · · Score: 3, Informative

      > Even Windows Server won't let you do that with a simple AD configuration change.

      Just using "one" "two" "three" will usually be enough of a difference to get past most password uniqueness policies.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    9. Re:Good move by UnknownSoldier · · Score: 1

      > d keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.

      That's retarded.

      Append the MonthYear that it expires on.
      i.e.

      Password0517

    10. Re:Good move by UnknownSoldier · · Score: 1

      > very little choice but to write the password down on a little yellow sticky note

      Why aren't you using a password manager like KeePass or KeePassX and just remembering one passphrase to access all your other passwords???

      * http://keepass.info/
      * https://www.keepassx.org/

    11. Re:Good move by RightwingNutjob · · Score: 2, Interesting

      You know what? If I keep my stickie note in a safe with a controlled combo (just me and the site locksmith), that's better than a mess of key escrows and decryptable passwords and all the other MS junk that people who don't know any better pay money for.

      People who live their whole lives on the internet forget how damn difficult it is to hack and steal a piece of paper in a secure metal container. Actual hacksaws are required. That's real security that doesn't depend on some half-literate outsourcee in India not making a deliberate mistake.

    12. Re:Good move by Anonymous Coward · · Score: 0

      Well, judging by the news on Windows remote exploits, any kind of password on Windows is quite useless.

    13. Re:Good move by jawtheshark · · Score: 1

      Use a mmyyyy postfix or prefix and get around that rule.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    14. Re:Good move by Anonymous Coward · · Score: 0

      There is only one password, my work password. I use it to log into all my work things. The only problem is the one password keeps changing and I can't be bothered to memorize it anymore. So it goes on a yellow sticky note in my desk, partially out of spite for the IT Sec's policies.

      Given the company director does the same thing, I am quite secure in my job.

    15. Re:Good move by Jason+Levine · · Score: 1

      What I do is use the same base password and then vary special characters/capitalization. Then, I make a note about the capitalization/special characters used. For example, if my password was "Pass..word.", I'd note "C2L1" for "capital letter, two periods, lower case letter, one period." Nobody looking at my paper would know my password, but if I forgot the specific password, the paper would remind me what it currently is after the latest mandatory password change.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    16. Re:Good move by Jason+Levine · · Score: 2

      While I do recommend password managers (I like Password Safe), what if your password is to log into the computer? Then, you can't access your password manager without the password you were going to look up.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    17. Re:Good move by Anonymous Coward · · Score: 0

      Where I work our admin passwords are changed by the system to a new random 20 character password every 11 days. We have to log on with our non-admin account and use that to "check out" the crazy complex, impossible to easily remember password. Then it changes again 11 days later. Ridiculous.

    18. Re:Good move by ls671 · · Score: 1

      That's interesting. I wonder how AD could do this without keeping the password un-hashed, i.e. more or less equal to keeping the password in plain text?

      --
      Everything I write is lies, read between the lines.
    19. Re:Good move by ls671 · · Score: 1

      Great system because it stores the passwords un-hashed and unsalted somewhere.

      --
      Everything I write is lies, read between the lines.
    20. Re:Good move by UnknownSoldier · · Score: 1

      I get that. I'm under the same retarded policy of mandatory password changes every X months as well.

      I use one master passphrase to access KeePass which has an entry for my job's password -- technically I have a dozen passwords for my job but that is beside the point. I use Copy/Paste so I never have to remember ANY other passwords.

      On the day of renewal I do these steps:

        * @KeePass: I copy the current (old) password
        * Alt/Command Tab to switch to the change password prompt
        * @ChangePasswordPrompt: Paste the old password
        * Alt/Command Tab to switch back to KeePass
        * @KeePass: I manually type in the new password, and then Copy/Paste the new password into the second verification field
        * Alt/Command Tab to switch to the password change Form
        * @ChangePasswordPrompt: Paste in the new password
        * @ChangePasswordPrompt: Press TAB, and manually type in the new password on the second verification line

      With shortcuts it is faster than tracking down a new sticky note, writing it down, and tossing the old sticky note.

      > Given the company director does the same thing, I am quite secure in my job.

      I've also seen VPs use the same stupid yellow sticky note, but just because some PHB (Pointy Haired Boss) is doing something stupid doesn't mean you need to as well. You are BOTH security risks. Set a proper example and stop making excuses, for crying out loud.

    21. Re:Good move by Anonymous Coward · · Score: 0

      Damn! you gave the secret away! ;-)

    22. Re:Good move by losfromla · · Score: 1

      Yeah, great idea! Because I always remember that!

      --
      Only I can judge you.
    23. Re:Good move by losfromla · · Score: 1

      Yeah, let's see you remember 8 unique passwords on systems you don't use on a regular basis. Frikin snowflake!

      --
      Only I can judge you.
    24. Re:Good move by losfromla · · Score: 1

      Company director probably has a locked door office and you don't, so, maybe you're not quite as secure as you imagine.

      --
      Only I can judge you.
    25. Re:Good move by losfromla · · Score: 1

      Where did you say you worked? ;-)

      --
      Only I can judge you.
    26. Re:Good move by UnknownSoldier · · Score: 1

      Great question! I _used_ to run into that issue too. There are a couple of different solutions:

      * You have a backup of your Password Manager on a different device, right? Though this does mean you now need to keep both copies in sync.

      * I used to keep my computer password the same as my main password but I got tired of having to change that too so I've simplified the login computer password since it never changes:

          First off, my work password had the Month and Year appended like this: Password0517
          Second, my computer password, since it never expires, does NOT have the Month+year appended: Password

      * I never log off my computer -- I put it to sleep. I don't think I've logged out in months. For the odd time I need to reboot and re-login back in I use the "simple" password scheme above.

      You'll notice that the main work password has the Month and Year appended. Changing the last 4 digits means you will never run into the problem of recycling an old password. Plus it serves as a mnemonic for when it needs to change.

      Let's face it -- using a password is a slight inconvenience -- but we can mitigate most of the annoyances to a minimum.

    27. Re:Good move by Anonymous Coward · · Score: 0

      Probably an appy phone app.

    28. Re:Good move by UnknownSoldier · · Score: 1

      /oblg Can't tell if you are being sarcastic or not ...

      ... but why are you remembering a password in the first place?? Why aren't you using a password manager???

    29. Re:Good move by Creepy · · Score: 2

      When I had my most restrictive password change rules, which were at least 8 characters, must contain 1 symbol and one #, no 3 characters could be the same, I found that I could just rotate the password and it worked fine because the text requirement meant in the same place. So at first I could have 1cadaver# and the next month cadaver#1 and the next month adaver#1c, etc. I used a far more complex password with no words though - words make for an easier example.

    30. Re:Good move by losfromla · · Score: 1

      I put an "end sarcasm" tag at the end of my comment but it disappeared... I should have been more careful to try to force it to stay visible.
      I was being sarcastic. Password manager? Not allowed. The machines are all on separate networks. No can do.

      --
      Only I can judge you.
    31. Re:Good move by Anonymous Coward · · Score: 1

      You have to input your old password to change to a new one.

    32. Re:Good move by Anonymous Coward · · Score: 0

      Hey, That's my password !

    33. Re:Good move by Anonymous Coward · · Score: 1

      You have to input your old password to change to a new one. And now it can compare it to the new one, before hashing it.

    34. Re:Good move by DiSKiLLeR · · Score: 1

      Do you not realise how fucking easy it is to pick locks? Wow. Just wow.

      --
      You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
    35. Re:Good move by slacktide · · Score: 1

      Because my employer will not allow me to. So instead, we all use easy to remember (and compromise) passwords.

    36. Re:Good move by KiloByte · · Score: 1

      If the policy is limited to Levenshtein 1 or 2, you can just brute force the comparison.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
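The thread above asks how a system could tell that a new password is only a minor variant of the old one, and the answer given is that the change form presents both passwords in plaintext, so the comparison (Levenshtein or otherwise) happens before the new one is hashed. What follows is an added example, not code from the thread or from any product mentioned in it, showing what that server-side check looks like. It covers the variants described in this discussion: the same password with different capitalisation, a bumped trailing number or MMYY date (Password0517), and a cyclic rotation (1cadaver# to cadaver#1), plus a minimum length and a small constructed stand-in for a common/breached-password list. The thresholds, function names and sample list are my own choices for the illustration, not NIST numbers.

```python
"""Password-change policy check: added example, not code from the thread.

At change time the server is handed both the old and the new password in
plaintext, which is how it can compare them before hashing.  The checks
below reject the tricks described in this thread: re-using the old
password with different capitalisation, bumping a trailing number or
MMYY date, cyclic rotation of the characters, and anything within a small
edit distance.  Stored credentials are salted PBKDF2 hashes.  Thresholds
are example policy choices, not NIST numbers.
"""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

MIN_LENGTH = 12              # example floor
MIN_EDIT_DISTANCE = 4        # example threshold for "too close to the old one"
PBKDF2_ITERATIONS = 100_000  # kept low so the example runs quickly; raise in production

# Constructed stand-in for a common/breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "asdfjkl;asdf"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the classic DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_rotation(a: str, b: str) -> bool:
    """True when b is a cyclic rotation of a, e.g. '1cadaver#' -> 'cadaver#1'."""
    return len(a) == len(b) and len(a) > 0 and b in (a + a)


def strip_counter(p: str) -> str:
    """Drop a trailing digit run so 'Password0517' and 'Password0617' share a stem."""
    return re.sub(r"\d+$", "", p)


def too_similar(old: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None when the new password is acceptable."""
    o, n = old.lower(), new.lower()
    if o == n:
        return "new password equals the old one (ignoring case)"
    if is_rotation(o, n):
        return "new password is a rotation of the old one"
    if strip_counter(o) == strip_counter(n):
        return "new password only changes a trailing number or date"
    if levenshtein(o, n) < MIN_EDIT_DISTANCE:
        return "new password is within %d edits of the old one" % (MIN_EDIT_DISTANCE - 1)
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def change_password(old: str, new: str, stored: Tuple[bytes, bytes]) -> Tuple[bool, str]:
    """Verify the old password against its stored hash, then apply the policy
    to the plaintext pair.  Returns (accepted, reason); on success the caller
    persists hash_password(new) and discards both plaintexts."""
    salt, digest = stored
    if not hmac.compare_digest(hash_password(old, salt)[1], digest):
        return False, "old password incorrect"
    if len(new) < MIN_LENGTH:
        return False, "minimum length is %d" % MIN_LENGTH
    if new.lower() in COMMON_PASSWORDS:
        return False, "password appears in the common/breached list"
    reason = too_similar(old, new)
    if reason:
        return False, reason
    return True, "accepted"


if __name__ == "__main__":
    stored = hash_password("Password0517")
    for candidate in ("Password0617", "password0517", "plentiful moss lantern"):
        print(candidate, "->", change_password("Password0517", candidate, stored))
```

The check is only possible at change time, when both plaintexts are present; it cannot be run retroactively against stored hashes, which is why a system that asks for the old password on the change form can enforce it while one that only compares hashes against a history list cannot.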
    37. Re:Good move by GuB-42 · · Score: 1

      A good safe is not like a MasterLock No3.
      But the best thing about physical security is that someone has to get in there. A botnet won't automatically open your safe and take its content.

    38. Re:Good move by Nunya666 · · Score: 1

      > Because my employer will not allow me to. So instead, we all use easy to remember (and compromise) passwords.

      I thought only my employer was dumb enough to not allow password managers.

      Wait, are you the guy down the hall from me who doesn't get any work done because he's always on /.? Hmmm.

    39. Re:Good move by Nunya666 · · Score: 1

      > Given the company director does the same thing, I am quite secure in my job.

      Do you really think HR gives a damn about what the company director does when they fire you for not following procedures?

    40. Re:Good move by DavidRawling · · Score: 1

      OK and just how do you log onto your computer so you can run KeePass, to extract the password so you can log onto the computer? Or does your computer automatically log on as you after patching? Or is it never patched at all and passwords are the least of your concerns?

    41. Re:Good move by Anonymous Coward · · Score: 0

      Or it asks for the old password at the same time.

    42. Re:Good move by UnknownSoldier · · Score: 1

      That truly sucks that you have a bone-headed IT department with retarded security policies.

      Have you raised this issue with anyone? Your Boss, HR, IT, etc. ?

      Also, why can't you use KeePass on a personal device with stronger passwords? Do you work for certain government jobs where you are not allowed access to mobile devices?

    43. Re:Good move by david_thornley · · Score: 1

      That doesn't work for a 30-day password rotation policy. You'll find yourself having to use 0217 at the end of January, and it will just keep getting out of sync.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    44. Re:Good move by david_thornley · · Score: 1

      How do I authenticate myself to the password manager? How do I log in so I can access the password manager?

      With one exception that I know of, my password is the same everywhere in the company already.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    45. Re:Good move by david_thornley · · Score: 1

      If I keep my sticky note on my desk it's pretty secure. They don't allow the public into my area, and my desk is pretty darn messy, so it's hard to find things on it if you're not me.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    46. Re:Good move by david_thornley · · Score: 1

      I don't have a separate work-related device, and I don't want to have to sync my work computer with anything I own. This means I have to have one password memorized for work. What I do is base my passwords on my role-playing games or my fiction, and my password sticky note isn't going to mean anything to anyone else.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. What if... by freeze128 · · Score: 4, Insightful

    The point of periodic password changes is to protect against an *UNKNOWN* breach, where the password has been compromised and the user doesn't know. Is there some other method of mitigation for this attack?

    1. Re:What if... by PCM2 · · Score: 4, Interesting

      Multi-factor?

      --
      Breakfast served all day!
    2. Re:What if... by Anonymous Coward · · Score: 0

      Yes, active monitoring. After all, changing the password periodically won't help if someone downloads all data as soon as they get the password, knowing it will change soon.

    3. Re:What if... by Anonymous Coward · · Score: 0

      How was the password first compromised? Is it in a store (pw keeper, written down, remote database, etc), or a common password? Or a guessable pattern? Does the change involve bumping a numeral?

      In order for rotating passwords to help:

      a) The breach would be undetected, which means that it could already be in use. The gap of time between the breach and the normal rotation change could be whatever the policy change is (30/60/90/180 days, etc.)

      AND

      b) The rotating password is random and the user has a very good memory OR
      c) The rotating password is random and the user puts it in a place that wasn't the place where the password was compromised from (unlikely, otherwise, how did they get it in the first place?)

      If not, then the user changing MyCoolPassword1 to MyCoolPassword2 is not likely to be of much help against a sophisticated attacker, or even an attacker that sat down and found an old sticky with MyCoolPassword1 on it.

      Strong, unguessable passwords and a sane way to keep them (and locked down - pw keeper where the master pw never leaves the system, offline, etc) plus 2FA is about the best you can do.

    4. Re:What if... by Anonymous Coward · · Score: 1

      If you remove the periodic password change requirement, you must supply users with a tool that allows them to determine if their account is being used by others. Google's Sign-In and Security tools are a good example of this. I can view when and from where my account has been accessed and determine if I believe there has been a breach. If so, I can change my password.

      Removing the password change requirement without providing such an access monitoring tool is a disaster in the making.

    5. Re:What if... by Anonymous Coward · · Score: 0

      Multi-factor authentication will help to prevent a breach, but will not let you know if a breach has occurred, which is the original point of periodic password changes (to protect against unknown breaches).

    6. Re:What if... by Anonymous Coward · · Score: 0

      Excellent point, but the probability of breaches occurring with frequent changes is a lot higher. Sort of like requiring seatbelts. You may burn to death in a hideous wreck, but the probability of saving your life is much higher. I would argue that if there is an unknown breach, frequent password changes are still useless. If a user changes his password, and the password was: Password24, what do you think the next guess is going to be?

    7. Re:What if... by Anonymous Coward · · Score: 0

      Access logs tend to do a decent job of turning unknown breaches into known ones, especially when combined with some heuristics to point out interesting anomalies.

    8. Re:What if... by Anonymous Coward · · Score: 1

      Good morning freeze128. You last logged in 1 hour ago.

    9. Re:What if... by Anonymous Coward · · Score: 0

      > The point of periodic password changes is to protect against an *UNKNOWN* breach, where the password has been compromised and the user doesn't know. Is there some other method of mitigation for this attack?

      Regardless, security professionals should not be looking to mitigate every last risk. You need to balance the cost of mitigation against the cost of the risk. In this case, the mitigation causes a greatly increased risk of compromise, because forcing users to change passwords frequently causes them to throw out basic password hygiene. They write passwords down, use permutations, choose weaker passwords, email the passwords to themselves, etc. Sure, it's a mitigation against unknown compromise, but it greatly increases the risk of password compromise.

    10. Re:What if... by Anonymous Coward · · Score: 1

      Numerous studies have shown that periodic password changes compound this problem rather than mitigate it. Users are more likely to reuse passwords/password patterns across sites when they have more to remember. And new passwords are typically trivial changes (incrementing a digit), so if a password is compromised a bad actor can often easily guess the new one from the old one.

    11. Re:What if... by Anonymous Coward · · Score: 0

      Password change after an *UNKNOWN* breach leaves you with a still compromised system but now with the added illusion of security. That's just great.

    12. Re:What if... by Anonymous Coward · · Score: 0

      > Multi-factor authentication will help to prevent a breach, but will not let you know if a breach has occurred, which is the original point of periodic password changes (to protect against unknown breaches).

      If "what you have" has gone missing, that's how you know...

    13. Re:What if... by Anonymous Coward · · Score: 0

      A single day is a life time of access to most anything you'd want access to. Making someone change a password every 90 days might prevent someone from having continued access, then again if the users password was hunter7, most people are probably going to try hunter8 to continue having access. Most of the time it's going to work too.

    14. Re:What if... by freeze128 · · Score: 1

      What if "what you have" is *NOT* missing, but someone has COPIED it?

    15. Re:What if... by ls671 · · Score: 1

      Great, but you need to take for granted that users will care to look at that information.

      --
      Everything I write is lies, read between the lines.
    16. Re:What if... by Lorens · · Score: 1

      That should not happen... it's kind of the point for "what you have" to not be copyable.

    17. Re:What if... by yorgasor · · Score: 1

      > The point of periodic password changes is to protect against an *UNKNOWN* breach, where the password has been compromised and the user doesn't know. Is there some other method of mitigation for this attack?

      Except, many times the new password is easily guessable if you knew the old password. Say the old password was: HelloWorld1, there's a pretty good chance the new password is HelloWorld2. If you use the complete set of NIST recommendations, you'll be in really good shape. MFA, a dictionary of common passwords and sets of known passwords from compromised systems (hackers will test against those before they bother brute forcing), and you'll be in pretty good shape.

      --
      Looking for a computer support specialist for your small business? Check out
    18. Re:What if... by Anonymous Coward · · Score: 0

      Name one that isn't.

    19. Re:What if... by Obfuscant · · Score: 2

      > Google's Sign-In and Security tools are a good example of this.

      Google is a wonderful example of good customer support. Yes. I just love getting an email from Google that tells me that someone has my password and tried to log in using my account from a new location and that they helpfully stopped the attempt.

      Except that in every case so far, that "someone" has been me, the "new location" was someplace I travel to on a semi-regular basis, and they apparently only block the first attempt because I've never noticed that I cannot access my email or calendar when they've reported they blocked the log-in attempt.

      Yes, Google. So helpful.

      > Removing the password change requirement without providing such an access monitoring tool is a disaster in the making.

      Like the email I see after I've returned home, "access monitoring tools" are after-the-fact. Too late to prevent any significant problem.

      On the original topic: regular enforced password changes are not just a problem of remembering a new password. I find it a bigger problem that I have at least four devices that require this password to be configured into the email client, I don't use all four on a daily basis (sometimes a month goes by), and the email client does not have a glaring error notification that it couldn't log in. It is entirely possible that I'll pick up a tablet and use it for a couple of days and only after I switch back will I find out I missed a lot of email. Fortunately, currently only two sites I use have such policies. One is central IT at work who gets paid to do this kind of stuff, and the other is a government site. Work won't let me change and then change back; the government site will.
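The comments above make two points worth turning into something runnable: access logs plus a few heuristics turn an unknown compromise into a known one, and a naive "new location" alert fires on every semi-regular trip. What follows is an added example, not from the thread or from Google, that runs three heuristics over a constructed log (a burst of failures followed by a success, a first login from a location the account has never used, and two successes from different countries too close together to be one traveller) and remembers each account's seen locations so that a repeat visit is not flagged again. The log format, windows, thresholds and sample entries are all constructed for this illustration.

```python
"""Login-anomaly triage over an access log: added example, not from the thread.

Walks a constructed log and reports three patterns: a burst of failures
followed by a success, a successful login from a country the account has
never used, and two successes from different countries within one hour.
A per-user memory of locations means a place the user visits every few
weeks is reported only the first time, not on every trip.  Windows and
thresholds are example choices.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

TRAVEL_WINDOW = timedelta(hours=1)
FAILURE_WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 5

# Constructed sample log.  Fields: timestamp, user, source IP, country, outcome.
SAMPLE_LOG = """\
2017-05-02T08:01:10Z alice 198.51.100.7 US success
2017-05-02T08:03:44Z alice 198.51.100.7 US success
2017-05-09T09:15:02Z alice 203.0.113.20 DE success
2017-05-16T07:58:31Z bob 192.0.2.9 US failure
2017-05-16T07:58:50Z bob 192.0.2.9 US failure
2017-05-16T07:59:12Z bob 192.0.2.9 US failure
2017-05-16T07:59:33Z bob 192.0.2.9 US failure
2017-05-16T07:59:55Z bob 192.0.2.9 US failure
2017-05-16T08:00:20Z bob 192.0.2.9 US success
2017-05-16T10:00:00Z carol 198.51.100.40 US success
2017-05-16T10:20:00Z carol 203.0.113.77 JP success
2017-06-01T10:00:00Z alice 203.0.113.20 DE success
"""

Finding = Tuple[str, str, datetime, str]   # (kind, user, when, detail)


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    ts, user, ip, country, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, outcome


def _prune(fails: Deque[datetime], now: datetime) -> None:
    """Forget failures older than FAILURE_WINDOW relative to `now`."""
    while fails and now - fails[0] > FAILURE_WINDOW:
        fails.popleft()


def analyze(log_text: str) -> List[Finding]:
    baseline: Dict[str, set] = defaultdict(set)       # countries seen on successes
    last_success: Dict[str, Tuple[datetime, str]] = {}
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, ip, country, outcome = parse_line(raw)
        fails = recent_failures[user]
        _prune(fails, ts)
        if outcome != "success":
            fails.append(ts)
            continue
        if len(fails) >= FAILURE_THRESHOLD:
            findings.append(("failure_burst", user, ts,
                             "%d failures then success from %s" % (len(fails), ip)))
        fails.clear()
        if baseline[user] and country not in baseline[user]:
            findings.append(("new_location", user, ts, "%s via %s" % (country, ip)))
        prev = last_success.get(user)
        if prev and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
            findings.append(("impossible_travel", user, ts,
                             "%s -> %s within %s" % (prev[1], country, ts - prev[0])))
        # Learn the location; a real system would hold it pending user confirmation.
        baseline[user].add(country)
        last_success[user] = (ts, country)
    return findings


if __name__ == "__main__":
    for kind, user, when, detail in analyze(SAMPLE_LOG):
        print(when.isoformat(), user, kind, detail)
```

Alice's second visit to DE on 1 June produces no finding because DE entered her baseline on 9 May, which is the fix for the complaint above about being told every trip that "someone" tried to log in. The example trusts a new location as soon as it sees a success; a production system would keep it pending until the user confirms, and would treat the impossible-travel signal, which does not depend on the baseline at all, as the higher-confidence one.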

    20. Re:What if... by Anonymous Coward · · Score: 0

      Write only memory.

    21. Re:What if... by Anonymous Coward · · Score: 0

      > I just love getting an email from Google that tells me that someone has my password and tried to log in using my account from a new location and that they helpfully stopped the attempt.

      > Except that in every case so far, that "someone" has been me, the "new location" was someplace I travel to on a semi-regular basis...

      If you don't use Google Authenticator, then the problem is you, not Google.

    22. Re:What if... by Anonymous Coward · · Score: 0

      In my experience, the frequency of password changes has nothing to do with password hygiene.

      Some staff will take passwords seriously and some will not regardless of policy. Some will write them down and some will not regardless of policy. Some will use the same password for every account they have both personally and professionally (they will even explain this to your face) and some will not. Some staff simply cannot wrap their heads around concepts like usernames, passwords, domains, website (google) vs. the internet (also google in their minds).

      The same people who point to password policy as a reason they write them down will write them down anyway.

    23. Re:What if... by Anonymous Coward · · Score: 0

      We should meet. I got a warehouse full of read only blanks.

    24. Re:What if... by Anonymous Coward · · Score: 0

      The original problem was "how do we limit the impact of an unknown breach?"

      The proposed solution was to require periodic password changes. Fast-forward 40-50 years when everyone has dozens if not hundreds of accounts rather than a select few having only one or two. Periodic password changes are now counterproductive.

      So, back to the ORIGINAL PROBLEM, how do we limit the impact of an unknown breach?

      Right now, two solutions are to provide access history to the end user and to provide multi-factor authentication. Neither are perfect and you give a good example of a problem with access histories (It WAS me, dammit!). You were also given the easy fix (TFA).

      But you are still missing the ORIGINAL PROBLEM.

    25. Re:What if... by Anonymous Coward · · Score: 0

      > Write only memory.

      /dev/null as a security token? Sounds like a 1 April dated RFC to me. Let's write it. You can be first author.

    26. Re:What if... by dissy · · Score: 1

      > The point of periodic password changes is to protect against an *UNKNOWN* breach, where the password has been compromised and the user doesn't know. Is there some other method of mitigation for this attack?

      As an attacker, I only need your password for about 60 seconds to get in and plant a persistent backdoor, after which I can gain access to everything that password granted but I no longer need your password.

      Do you enforce password changing for users every 59 seconds?
      If not, you are already not mitigating the effects of an unknown breach, so why have your users change passwords when it will not have the effect you are claiming no matter what they do?

      All you are doing is making users choose a very short predictable password scheme, typically two characters (one letter/number and one symbol), where the other 6 of 8 characters are the year and month.

      So in the end, you have failed to mitigate unknown breaches completely, and lowered your password lengths from 8 to 2 characters as the remainder are predictable.

    27. Re:What if... by Darinbob · · Score: 1

      Changing passwords frequently will cause less security as the owners are much more likely to write down the passwords somewhere. I see some lab laptops (shared amongst a few workers) that have post-it notes on them with the bi-monthly password.

    28. Re:What if... by Anonymous Coward · · Score: 0

      If the user does not use the information provided, that is strictly and solely the fault of the user, and not the system.

    29. Re:What if... by Anonymous Coward · · Score: 0

      That's the intuitive idea, but it wasn't based on data. Now we have decades of evidence showing that frequent password updates have caused far more compromises than unknown breaches.

    30. Re:What if... by Anonymous Coward · · Score: 0

      > In my experience, the frequency of password changes has nothing to do with password hygiene.

      > Some staff will take passwords seriously and some will not regardless of policy. Some will write them down and some will not regardless of policy. Some will use the same password for every account they have both personally and professionally (they will even explain this to your face) and some will not. Some staff simply cannot wrap their heads around concepts like usernames, passwords, domains, website (google) vs. the internet (also google in their minds).

      > The same people who point to password policy as a reason they write them down will write them down anyway.

      I can tell you that, personally, when I work in an environment that requires frequent changes, I choose worse passwords, because they are easier to remember. And, I am a security guy (albeit, machine-to-machine), and I do this. If you don't believe that incentivizing users against password hygiene changes their behavior (à la Freakonomics), then there is no arguing with you. I'm a M2M security guy, I don't need to understand user psychology to do my job. But, I think many security people are woefully incorrect about user psychology.

    31. Re:What if... by gmiller123456 · · Score: 1

      > The point of periodic password changes is to protect against an *UNKNOWN* breach.

      This might make sense for things like e-mail or on-line banking passwords, but it's useless for an actual systems breach. If someone gets access to a system, it's far too easy to add a backdoor that will allow them in forever. Unfortunately the only way to recover from an unknown breach is to not have one in the first place.

    32. Re:What if... by toddestan · · Score: 1

      One of those electronic keychain things that displays a sequence of random numbers that change every so often? Where you have to type in the number it's currently showing plus your password to log in.
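The keychain described above is a TOTP token (RFC 6238). What follows is an added example, not code from the thread, of how such a token derives its changing number and how the server verifies it: HMAC-SHA1 over a 30-second time counter, truncated to six digits, with a one-step window for clock drift and a record of the last counter accepted so that a code observed once cannot be replayed. The step, digit count and window are the usual defaults chosen here as example parameters; the demo secret is the RFC 4226/6238 test secret, not a real seed.

```python
"""TOTP token codes (RFC 6238) and server-side verification:
added example, not code from the thread.

The token computes HMAC-SHA1 over the current 30-second step counter and
truncates it to 6 digits (RFC 4226 dynamic truncation).  The server holds
the same secret and recomputes the code; it also tolerates one step of
clock drift and remembers the last counter it accepted, so a code that
was seen once cannot be replayed within its window.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
DRIFT_WINDOW = 1      # accept counter-1 .. counter+1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server side: the token's secret plus the last accepted counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP_SECONDS
        for c in range(counter - DRIFT_WINDOW, counter + DRIFT_WINDOW + 1):
            if c <= self.last_counter:
                continue                      # already consumed: refuse replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Demo secret from the RFC test vectors; a real seed is provisioned out of band.
    secret = b"12345678901234567890"
    now = int(time.time())
    server = TotpVerifier(secret)
    code = totp(secret, now)
    print("token shows", code, "-> accepted:", server.verify(code, now),
          "; replay accepted:", server.verify(code, now))
```

This only partly answers the "what if it has been copied" question above: the replay check stops reuse of a code that someone observed, but a copied seed produces exactly the same codes as the original token, which is why hardware tokens keep the seed in a part that does not export it.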

  3. Finally! by Lord+Kano · · Score: 3, Insightful

    My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.

    My current position has a 6 month expiry. I use a much stronger password.

    This is common sense to me.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:Finally! by geekmux · · Score: 2

      My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.

      My current position has a 6 month expiry. I use a much stronger password.

      This is common sense to me.

      LK

      You use a much stronger password. The average user would use "123456" and never change it unless a system forced them to.

      Understanding the behavior of the average user is common sense, especially when considering adapting this "new-and-improved" suggestion.

    2. Re:Finally! by Anonymous Coward · · Score: 0

      Enforce a minimum password length of 12 characters and forget about all the other crap.

    3. Re:Finally! by yodleboy · · Score: 1

      The average user would use "123456"

      Implying that the system administrator has no control over password content, which is utterly untrue. I would HOPE that any company removing or extending password resets would be doing that, if they aren't already. Where I work, passwords have to follow specific formatting and content rules and can't match old passwords (going back what I consider to be a ridiculous amount of time).

    4. Re:Finally! by Creepy · · Score: 1

      Still far too many easy ones that way. I've seen a friend of mine use asdfjkl;asdf for 12 characters with a one-symbol-or-number requirement, and I'm sure he's not alone.

    5. Re:Finally! by Elric55 · · Score: 1

      My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.

      My current position has a 6 month expiry. I use a much stronger password.

      This is common sense to me.

      LK

      You use a much stronger password. The average user would use "123456" and never change it unless a system forced them to.

      Understanding the behavior of the average user is common sense, especially when considering adapting this "new-and-improved" suggestion.

      If you're implying that the average user will only do the bare minimum, then it's very easy to assume what the user will do with their passphrase.

      For example, if you tell the user they must include an uppercase letter, the user will have this at the beginning of their password. If you tell the user they need a special character, they will more than likely include this and the number at the end of their password, or as a different character within the passphrase (i.e. substitute 3 for e).

      The argument here is that the "bad guy" already knows how users generate their passphrases given guidelines and if a user knows they will need to update it every X amount of time it will not be very complex. Therefore, to create a very complex password once, making it easy to remember, and to prevent the user from writing down their passphrase (issue with physical security)

      Some additional readings:
      https://www.schneier.com/essays/archives/2014/02/choosing_a_secure_pa.html
      http://www.jbonneau.com/doc/BS12-USEC-passphrase_linguistics.pdf

    6. Re:Finally! by geekmux · · Score: 1

      The average user would use "123456"

      Implying that the system administrator has no control over password content, which is utterly untrue. I would HOPE that any company removing or extending password resets would be doing that, if they aren't already. Where I work, passwords have to follow specific formatting and content rules and can't match old passwords (going back what I consider to be a ridiculous amount of time).

      Sure, I'd prefer multi-factor authentication with dedicated security tokens as a fix to all of this, but short of that, employing users smart enough to remember a decent passphrase, and not write the damn thing down every time they are forced to change it would be a more valid solution than the shit NIST is now recommending, all because users are incapable of the burden of good security practice.

      And password security settings are only as good as the management team that supports it. Years ago, I worked for a company where the CEO demanded he have no password (as in blank) when "authenticating", which essentially removed the ability to mandate minimum character lengths or complexity. He too, saw password requirements as "ridiculous."

  4. Sudden breakout of common sense by Anonymous Coward · · Score: 3, Interesting

    A randomly generated password of any given strength has the same probability of being guessed as any other equivalently strong random password. The only reason for a strong password change is a breach. Oh, and, my favourite pet peeve: the common requirement that passwords must have some minimum number of characters from a few subsets of all printable characters actually makes them much weaker.

    1. Re:Sudden breakout of common sense by Elric55 · · Score: 1

      Exactly, if the "bad guy" knows what the key length must be, he can assume that that will be most (if not all) users' key length and start with that number. I.e. start with a minimum of 8 characters instead of 1.

  5. PCI by Anonymous Coward · · Score: 0

    Great, now if only PCI requirements in the UK came into line. I would be a very happy bunny indeed.

  6. Only works with single sign on by ErichTheRed · · Score: 3, Insightful

    If you have a really well-connected single sign on environment in place, standardizing on a single password that you have to change periodically makes sense. Where it breaks down is when you have a million passwords scattered across different services (internal or external.) If you have to change those over and over, you end up recycling passwords or writing them down, or storing them in a password vault tool (which is a bad idea given how many vulnerabilities have come to light on those.)

    In fact, with SSO systems like Google or Azure AD, it makes sense to protect that single key much more carefully than an individual password. For example, if someone guessed my corporate account's password or found a way to steal information from Microsoft without them knowing (or telling anyone,) my Azure AD account has a lot of access -- off the top of my head, from the naked Internet I can access my Exchange email, OneDrive, all the Azure resources I have control over, most of my HR vital data, access to Internet-facing applications, access to my MSDN and volume licensing stuff from Microsoft, and the list goes on. I'm OK with changing that password pretty frequently. If I had 50 of them to remember, not so much.

    The fact that the standards are being updated to reflect that it's much harder to steal passwords from properly secured systems these days and crack them offline is good though. Corporate security types tend to follow these rules verbatim regardless of whether they make operational sense.

    1. Re:Only works with single sign on by martinfb · · Score: 1

      I don't think it even helps with single sign-on.

      Breaches are no more or less frequent whether passwords are changed regularly or not.
      So, being forced to change a password regularly only forces users to record them, often in more than 1 place.
      Which, in itself, actually increases risk!

      --
      Self-importance and self-indulgence is the root of ALL evil.
  7. Everyone post your current password by Anonymous Coward · · Score: 0

    Everyone post your current password, mine is: *******

    1. Re:Everyone post your current password by Oswald+McWeany · · Score: 1

      password123

      --
      "That's the way to do it" - Punch
    2. Re:Everyone post your current password by omnichad · · Score: 1

      hunter2

    3. Re:Everyone post your current password by OrangeTide · · Score: 1

      swordfish

      --
      “Common sense is not so common.” — Voltaire
    4. Re:Everyone post your current password by kaatochacha · · Score: 1

      Correct Horse Battery Staple

  8. Management Reaction.. by sqorbit · · Score: 1

    I'll walk into my upper management and tell them I'm going to remove the 90 day requirement to change passwords. I'm sure that will go over well. I'd probably be asked about my sanity and they might question my skills as a network admin. This is great if you understand it. Upper management at many companies will not like this and have been "trained" to believe the rotating passwords is a must for a secure environment.

    --
    Sent from my TARDIS
    1. Re:Management Reaction.. by Moof123 · · Score: 1

      I would welcome management that was actually in tune with our password insanity. Some logins are 3 months, some never, and most have different sets of rules as to min or max length, characters, etc.

      I have different logins/passwords for:
      Windows
      Linux
      Travel
      Payroll
      Proxy
      Training (forgot)
      IM (forgot)
      Our internal Facebook clone (forgot)
      VPN
      Internal cloud storage (forgot)
      Building entry code
      Laptop encryption
      and a couple more (counted 14 total a while back, but now I forgot some).

      Guess how many of those are good and strong and not following a clear pattern?

    2. Re:Management Reaction.. by geekmux · · Score: 1

      I would welcome management that was actually in tune with our password insanity. Some logins are 3 months, some never, and most have different sets of rules as to min or max length, characters, etc.

      I have different logins/passwords for: Windows Linux Travel Payroll Proxy Training (forgot) IM (forgot) Our internal Facebook clone (forgot) VPN Internal cloud storage (forgot) Building entry code Laptop encryption and a couple more (counted 14 total a while back, but now I forgot some).

      Guess how many of those are good and strong and not following a clear pattern?

      Sounds like what you should actually welcome is a password manager. I couldn't tell you any of my own passwords even under duress because I use a system where I don't have to remember any of my passwords (and could never do so, since they're obscenely complex and well beyond any recommended length). Two-factor protection is in front of that system, with a single complex passphrase to remember.

      Makes life a hell of a lot easier.

    3. Re:Management Reaction.. by Anonymous Coward · · Score: 0

      I'll walk into my upper management and tell them I'm going to remove the 90 day requirement to change passwords. I'm sure that will go over well. I'd probably be asked about my sanity and they might question my skills as a network admin.

      This is great if you understand it. Upper management at many companies will not like this and have been "trained" to believe the rotating passwords is a must for a secure environment.

      Congratulations, you have a shitty job. We don't all have shitty jobs. I don't even work in IT, but I am a security engineer for the electronics projects. People where I work listen to each other, particularly when talking to someone who knows the material well. It's unfortunate you have PHBs who know better than the domain expert staff they have hired. We don't all live that life. I have been pushing for my company to remove password change requirements, and this is much needed backup from NIST.

    4. Re:Management Reaction.. by Creepy · · Score: 1

      I use a mnemonic that depends on the web site name usually. That backfires on places that own multiple sites, like gamespot owns gamefaqs and uses the same password, so I have to remember where I registered it. The good thing is I don't use the same password or a password manager; the bad is you could figure out my passwords through cryptanalysis. That said, I rely on the relatively low sample size of the password itself for having any decoding ability, plus there are always some seemingly random characters and numbers thrown in. If you don't have the key for those characters and numbers and their placement you probably aren't cracking any other password of mine.

      As for two factor, that is what my work uses. I really don't worry about that password, even though I have to change it every 35 days. If you don't have my physical keycard and the PIN code, you probably aren't getting in.

  9. Thank God by gurps_npc · · Score: 1

    Honestly, if you aren't doing two factor at a MINIMUM, then you are wasting massive amounts of time and money in security theater.

    By combining a physical token, even a cellphone, you get far more security than depending on something that is most likely written down.

    --
    excitingthingstodo.blogspot.com
    1. Re:Thank God by muffen · · Score: 1

      By combining a physical token, even a cellphone, you get far more security than depending on something that is most likely written down.

      So, you enable two-factor where you get an SMS, or add your mobile number to facebook / google, then you drop your mobile phone, which doesn't have a PIN for the SIM card. Someone finds the phone, takes the SIM out, figures out the number, does a password reset in facebook / google using only the mobile number, and now basically owns you because they have access to your gmail / facebook accounts, and can password reset pretty much every account you have. Any SMS based 2-factor is also toast.

      Security is always just as good as the weakest link, and two-factor is no magic bullet for password issues...

    2. Re:Thank God by Anonymous Coward · · Score: 0

      There are software tokens available to use on cell phones. RSA and FreeOTP come to mind.

    3. Re:Thank God by gurps_npc · · Score: 1

      First, a cellphone is the worst two-factor, not the advisable one.

      Second, you do NOT use the same password, two-factor or otherwise, for Facebook, Google, and work. If it is a work two-factor, then there IS a password on the SIM, because people aren't as stupid as you think they are.

      Third, the time limit is pretty steep as you need to use most passwords daily. It is most likely attached to your keychain, not in your phone. In any case, it is extremely UNLIKELY that you won't notice it is gone within 12 hours, and one call cancels it.

      Fourth, it is not a SINGLE factor token, it is a TWO FACTOR password. As in one factor is the token, and a second factor is a SEPARATE, short password that you have to memorize along with possessing the token.

      You are correct that two-factor is not a magic bullet, but it is far better than the crap we currently use, especially the horrible password requirements that make it EASIER to be hacked, while making the foolish user think they are safer.

      Any security system that is perfect will eventually make your data locked and unusable. We are not looking for no risk, but a system that gets rid of the right risk. Current password systems get rid of the wrong risks.

      A two factor system does a good job of getting rid of some of the right risks.

      --
      excitingthingstodo.blogspot.com
    4. Re:Thank God by Elric55 · · Score: 1

      By combining a physical token, even a cellphone, you get far more security than depending on something that is most likely written down.

      So, you enable two-factor where you get an SMS, or add your mobile number to facebook / google, then you drop your mobile phone, which doesn't have a PIN for the SIM card. Someone finds the phone, takes the SIM out, figures out the number, does a password reset in facebook / google using only the mobile number, and now basically owns you because they have access to your gmail / facebook accounts, and can password reset pretty much every account you have. Any SMS based 2-factor is also toast.

      Security is always just as good as the weakest link, and two-factor is no magic bullet for password issues...

      As I was just about to post how NIST recommended against 2FA using SMS, it appears they updated their draft guidelines today. Guess we'll wait and see what the outcome is.

  10. The B word by Anonymous Coward · · Score: 0

    It was a good article until it started suggesting biometrics. Yeah, that's just what I want is a password that can't ever be changed!

    1. Re:The B word by Opportunist · · Score: 3, Informative

      Biometrics are great for identification, but very, very poor for authentication. As soon as this finally settles in, we can start talking about using it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:The B word by Anonymous Coward · · Score: 0

      Not always true. Here are a few examples:

      1.) Fingerprints. One of mine changed when I put an X-Acto knife through it as a kid. Now there are two scars. A friend of mine used to have fingerprints but now doesn't - he plays bass guitar.
      2.) Bone density scanners. Bone density changes over time. Particularly in women and others that do not get enough calcium.

  11. Thank GOD by lactose99 · · Score: 1

    I'm ok with this

    --
    Fully licensed blockchain psychiatrist
  12. this, oh my god, this by Anonymous Coward · · Score: 0

    I have a lot of accounts, and I use different passwords for nearly all of them. Usually some combination of words and letters for the common ones, like "Crazy764Horse", and random gibberish for less commonly used ones (that I will use the password manager for if I need to log in).

    I never have a problem remembering the ones I am meant to remember, except the ones that require me to change my password. They also always manage to do it at the very most inconvenient time, and so I am changing my password just so I can log in, and then I end up forgetting it, or losing the scrap of paper, or I put it in the password manager but somehow it doesn't work later, etc.

  13. What happens when you ASS-U-ME by geekmux · · Score: 1

    "... this guideline was suggested because passwords should be changed when a user wants to change it..."

    Here let me tell you how often a user wants to change their password.

    Never.

    Oh wait, that's not quite right.

    Fucking Never.

    Perhaps NIST should learn to factor the security impact when they ASS-U-ME what users want to do.

    1. Re:What happens when you ASS-U-ME by freeze128 · · Score: 1

      When a user sees that someone wrote a nasty email to his boss on his behalf, he will *WANT* to change his password!

    2. Re:What happens when you ASS-U-ME by geekmux · · Score: 1

      When a user sees that someone wrote a nasty email to his boss on his behalf, he will *WANT* to change his password!

      Give me a break. People that have had their fucking identity stolen don't even want to change their password, because "tinkerbell" has been the same password [special snowflake] has had since grade school.

      We read about how bad passwords are often the root cause of many security issues today, and yet the "top 10" list of bad passwords hasn't really changed in decades.

      This tends to highlight just how much the average user doesn't give a shit about practicing good security.

  14. 2-factor can cost 10 cents per login by tepples · · Score: 1

    By combining a physical token, even a cellphone, you get far more security than depending on something that is most likely written down.

    When done poorly, the user needs to pay a dime to his cellular carrier every time he logs in. Low-end cellular plans in NIST's home country charge for both sending and receiving text messages.

    Google Authenticator and other TOTP apps can be used without charge provided the service supports TOTP and the user carries a device that can run a TOTP app. But I know several people who still carry flip phones that have no TOTP app. And last time I checked, Twitter's second factor supported only SMS, not TOTP.

  15. Sanity by LunaticTippy · · Score: 4, Insightful

    Thank goodness. Frequent changes entrench bad habits and culture. People are constantly getting locked out, forgetting passwords. Your culture becomes one of frequent password resets with idiotic questions to verify identity. These questions are usually trivially guessable/facebookable/googleable, especially since people forget these all the time too. Many helpdesks will reset passwords via phone without verifying identity since they do it constantly with frustrated, resentful users. Make passwords durable. Changing one without knowing the old one should be a big, difficult deal.

    --
    Man, you really need that seminar!
    1. Re:Sanity by Obfuscant · · Score: 1

      Your culture becomes one of frequent password resets with idiotic questions to verify identity.

      One of the airline sites I use has a policy that if you've not logged in for a certain length of time, or you're using a computer it hasn't seen before, you have to answer idiotic security questions to get on. Unfortunately, it does very poorly at remembering computers so every time I'm logging in at home to check in for a flight, e.g., I have to go through the questions. The questions are also multiple choice and few of them have the correct answer as one of the possible answers.

      Heh, I thought, I'll just select the first option when I set up the answers. Ha!, they said; they randomize the answers so what was first isn't always first when they ask. But alphabetically, first is still first. Yes, I do prefer artichokes over ice cream. And my childhood pet was an aardvark.

  16. It's funny by kilodelta · · Score: 1

    At one place I worked we had a deep discussion on password change periods. We all sort of agreed on once every six months. But then we did a password audit and the results were horrifying.

    1. Re:It's funny by Whorhay · · Score: 1

      I found a personal account for a user that had been using the same password for 14 years. He'd call in whenever it expired and convince someone to reset the timer for him. I think it makes sense for most systems to not bother ever expiring passwords, in other cases though changing them every quarter might be warranted. It really should depend on the importance of the data exposed in the system and the likelihood of a bad actor attempting to harvest passwords.

    2. Re:It's funny by Obfuscant · · Score: 1

      I found a personal account for a user that had been using the same password for 14 years.

      For some systems, I have a password I first created 30 years ago.

    3. Re:It's funny by Anonymous Coward · · Score: 0

      Most people measure subjective importance rather than objective importance. Their doctor better use a strong password on their HIPAA information because that is important and they don't deal with the burden. The same people will use weak passwords on their own client's HIPAA because it isn't their information and they do deal with the burden.

      Who exactly determines the importance of the data? Often, others already have and know about the subjective measurements made by those entering the passwords. This is why the policy exists in the first place. We can argue if the policy makes sense or not but remember to ask the question objectively rather than only from the end user perspective.

  17. Yeah it's terrible, but it's Windows by raymorris · · Score: 2

    > How would a properly secure and safe password system know if your new password is only slightly different than your old one?

    It wouldn't. A sane system would store a salted hash of the password, so a bad guy can't download ALL of your damn password.

    > If it can tell a minor change then it is not a good password setup

    Right, it's a Windows password setup. *nix systems were more secure than that in the 1970s.

    1. Re:Yeah it's terrible, but it's Windows by Anonymous Coward · · Score: 0

      > How would a properly secure and safe password system know if your new password is only slightly different than your old one?

      It wouldn't. A sane system would store a salted hash of the password, so a bad guy can't download ALL of your damn password.

      A sane system lets you identify yourself before changing the password. And thus now knows your old password in plain text.

      > If it can tell a minor change then it is not a good password setup

      Right, it's a Windows password setup. *nix systems were more secure than that in the 1970s.

      Any unix system worth its salt with a rotating password scheme does the same.
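
An added illustration of the point made in this sub-thread (example code, not from any commenter): the server keeps only a salted PBKDF2 hash, verifies the old password against it at change time, and only then, with the old password briefly in memory, rejects a new one that is a trivial edit of it. The class names, similarity threshold and iteration count are assumptions.

```python
import difflib
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; sample value, tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest. Only (salt, digest) is ever stored;
    any length and any Unicode character is accepted, since the hash does not care."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a fresh derivation against the stored digest."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def too_similar(old: str, new: str, threshold: float = 0.8) -> bool:
    """Catch the golf486 -> golf487 and Word!1 -> Word!2 style changes.
    Works only because the caller has just proven knowledge of `old` in plaintext;
    nothing here is derived from the stored hash."""
    a, b = old.lower(), new.lower()
    if a == b:
        return True
    # Same stem with only a trailing counter changed.
    trailing_counter = re.compile(r"^(.*?)(\d+)$")
    ma, mb = trailing_counter.match(a), trailing_counter.match(b)
    if ma and mb and ma.group(1) == mb.group(1):
        return True
    # Generic edit-distance style check (difflib ratio: 1.0 means identical).
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


class PasswordStore:
    """Minimal credential store: username -> (salt, digest)."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def set_initial(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password)

    def authenticate(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            hash_password(password)  # burn the same time so unknown users are not faster
            return False
        return verify_password(password, *rec)

    def change_password(self, user: str, old: str, new: str) -> str:
        """Returns 'ok', 'bad-old' or 'too-similar'. The old password is checked
        first, so the similarity test never runs for an unauthenticated caller."""
        if not self.authenticate(user, old):
            return "bad-old"
        if too_similar(old, new):
            return "too-similar"
        self._records[user] = hash_password(new)
        return "ok"


if __name__ == "__main__":
    store = PasswordStore()
    store.set_initial("alice", "golf486")           # constructed sample account
    print(store.change_password("alice", "golf486", "golf487"))
    print(store.change_password("alice", "golf486", "correct horse battery staple"))
```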

    2. Re:Yeah it's terrible, but it's Windows by Anonymous Coward · · Score: 0

      > How would a properly secure and safe password system know if your new password is only slightly different than your old one?

      It wouldn't. A sane system would store a salted hash of the password, so a bad guy can't download ALL of your damn password.

      Sadly this doesn't work with Kerberos currently, where the password (equivalent) is used to sign the TGT with symmetric encryption.

      This could probably be solved if Kerberos was extended to use SRP, where you can mutually verify, agree on a session key, and not have to store a clear-text (equivalent) value. SCRAM can probably accomplish something similar.

    3. Re:Yeah it's terrible, but it's Windows by bws111 · · Score: 1

      Weirdly enough, every time I change my Linux password it asks for my CURRENT password, then the NEW password, and immediately complains if they are too similar. I wonder how they manage to do that?

    4. Re:Yeah it's terrible, but it's Windows by spitzak · · Score: 1

      Because you just typed in both passwords and it remembered them?

    5. Re:Yeah it's terrible, but it's Windows by bws111 · · Score: 2

      No kidding. I was responding to the ridiculous statement that no secure password system could possibly know if your new password was similar to the old one, and the equally ridiculous statement that it is a Windows problem and nix doesn't have such problems.

    6. Re:Yeah it's terrible, but it's Windows by spitzak · · Score: 1

      Sorry. The level of intelligence on SlashDot has dropped so much that you may need to more clearly indicate that something is satire. I really thought it was a sincere statement by an idiot.

  18. Ass Covering, Delusional Password Policies by FeelGood314 · · Score: 4, Informative

    Most users are expected to know 22 passwords

    Seriously, fuck you, to any site admin who contributes to this.

    Real people can remember two or three passwords and that is all they will bother to remember. They will have maybe two long-term secure passwords for things they personally value (and guess what, work isn't one of those things) and they will reuse the same password or variants of it on every single other system they use. No user will memorize a new password if they are expected to change it regularly. They will create the easiest password possible that meets the system's requirements.
    This is universal and everyone knows it. The previous company I worked for was a well trusted security company with a policy of passwords that had to change every 90 days, use an uppercase letter, lower case letter, number, symbol and had to be at least 8 characters. I did a survey. Over two thirds of engineers and 6 out of 6 in HR admitted their password was a common 6 letter English word, first letter capitalized, a symbol and a number that they incremented.

  19. End to golf1, golf2, golf3...golf486 passwords by JoeyRox · · Score: 2

    Now I can keep golf486 and never have to use golf487.

    1. Re:End to golf1, golf2, golf3...golf486 passwords by OrangeTide · · Score: 1

      Technically shouldn't your golf score go down?

      --
      “Common sense is not so common.” — Voltaire
    2. Re:End to golf1, golf2, golf3...golf486 passwords by awkScooby · · Score: 2

      Now I can keep golf486 and never have to use golf487.

      Pretty sure golfPentium comes after golf486.

    3. Re:End to golf1, golf2, golf3...golf486 passwords by Anonymous Coward · · Score: 0

      This is a phony comment. Everyone knows golfers use bogey123, not golf123.

  20. Well two things by Sycraft-fu · · Score: 4, Interesting

    1) If that is a big concern, use multi-factor. When real authentication security is important, multi-factor is important. You can't go and say an account is super important and needs high levels of protection but then refuse to go multi-factor.

    2) How long are you ok with an adversary having access to your systems? Is 6 months ok? 12? Those are usually what you see password change requirements set at. Are you really ok with someone having unauthorized access to your systems for 12 months, but that's it, any longer is an issue? Of course not. But to change it often enough to keep an unknown compromise to what you'd consider acceptable users would need to change passwords multiple times a day.

    1. Re:Well two things by amicusNYCL · · Score: 2

      A bigger annoyance than being forced to change your password is having the characters that you can use restricted. I can understand minimum complexity requirements, but I've seen some systems where the list of characters that I'm not allowed to use sounds like they're using my password to name a directory. I see no technical reason for restricting the list of possible characters, or the maximum length for that matter. When I find a system that tells me I can't use certain characters in a password that's an immediate red flag that these people are probably storing in plain text.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Well two things by PCM2 · · Score: 1

      Agreed. Frankly, I see no reason why I shouldn't be able to set my password to "By the time you guess this password, I will have quit my job." I type fast enough that it wouldn't bother me.

      --
      Breakfast served all day!
    3. Re:Well two things by ls671 · · Score: 1

      Yep, a passphrase: really good entropy-wise and easy to remember.

      --
      Everything I write is lies, read between the lines.
    4. Re:Well two things by freeze128 · · Score: 1

      Where do you people work?

      2FA is fine for logging into gmail or twitter, but if you work at a small business that has an IBM mainframe, a Novell Server, or an Active Directory, then it just doesn't make financial sense to implement that. Guess what? Periodic password changes are CHEAP. 2FA is EXPENSIVE.

    5. Re:Well two things by AF_Cheddar_Head · · Score: 1

      DoD smart card authentication is expensive but works well on the admin networks.

      But:
      Many Mission Systems don't support it.
      Certificates have a tendency to expire at the worst time.
      Network system administrators required multiple certificates, one for each account.
      Virtual infrastructure doesn't do the best job of supporting them.
      Latency can cause using certificate based authentication to remote systems to fail.

    6. Re:Well two things by Swave+An+deBwoner · · Score: 1

      Careful! Those predictions have a way of backfiring.

      ... [Comey] said the cost of the phone hacking tool was "more than I will make in the remainder of this job, which is seven years and four months, for sure.''

      http://www.chicagotribune.com/news/nationworld/ct-james-comey-fired-20170509-story.html

    7. Re:Well two things by Agripa · · Score: 1

      And when the password rules forbid 4419f20fae1b677d393910b43a?

      What purpose does that serve?

    8. Re:Well two things by Agripa · · Score: 1

      A bigger annoyance than that is when the password validation during creation allows a longer length than the password validation during use.

  21. Better to draft the removal of NIST by micahraleigh · · Score: 1

    NIST just realized how irrelevant they are and how they would bankrupt any company that didn't have the US federal government's funding.

  22. Horrifying in what way? [Re:It's funny] by XXongo · · Score: 2

    But then we did a password audit and the results were horrifying.

    Horrifying in what way?

    Horrifying in that you discovered that the time and energy and lost work involved in enforcing useless password protocols came to many millions of dollars a year?

  23. Just mean to users by budsetr · · Score: 1

    That policy was just mean to the users and required us admins to reset passwords all the time. Personally I disable these requirements. When banks tell me we need password changes, I tell them we are using a much more robust security system. When they ask what my security measures are, I inform them that they have attempted a phishing attack on my network and the call will be automatically disconnected.

  24. Daily by XXongo · · Score: 1

    Third, the time limit is pretty steep as you need to use most passwords daily.

    Where the hell did you get that incorrect piece of information?

    The average user has 22 passwords. You don't use all of these every day. I have passwords I use every day, passwords I use twice a week, passwords I use once a week, passwords I use once a month, and a whole pile of passwords I use when needed, which may or may not be twice a week or once in a year.