Slashdot Mirror


NIST's Draft To Remove Periodic Password Change Requirements Gets Vendors' Approval (csoonline.com)

An anonymous reader writes: A recently released draft of the National Institute of Standards and Technology's digital identity guidelines has met with approval from vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things: "Remove periodic password change requirements." There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change them or if there is indication of breach.

25 of 149 comments

  1. Good move by phresno · · Score: 3, Interesting

    I welcome the return to sanity.

    1. Re:Good move by Anonymous Coward · · Score: 3, Insightful

      Yep. They do this where I work, which leaves me with very little choice but to write the password down on a little yellow sticky note because I'm forced to keep changing it to things I'll never remember.

    2. Re:Good move by Oswald+McWeany · · Score: 2

      > Yep. They do this where I work, which leaves me with very little choice but to write the password down on a little yellow sticky note because I'm forced to keep changing it to things I'll never remember.

      Or you could do what most people do and keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.

      --
      "That's the way to do it" - Punch
    3. Re:Good move by known_coward_69 · · Score: 2

      even windows server won't let you do that with a simple AD configuration change

    4. Re:Good move by EvilSS · · Score: 3, Informative

      > even windows server won't let you do that with a simple AD configuration change

      Just using "one" "two" "three" will usually be enough of a difference to get past most password uniqueness policies

      --
      I browse on +1 so AC's need not respond, I won't see it.
    5. Re:Good move by RightwingNutjob · · Score: 2, Interesting

      You know what? If I keep my stickie note in a safe with a controlled combo (just me and the site locksmith), that's better than a mess of key escrows and decryptable passwords and all the other MS junk that people who don't know any better pay money for.

      People who live their whole lives on the internet forget how damn difficult it is to hack and steal a piece of paper in a secure metal container. Actual hacksaws are required. That's real security that doesn't depend on some half-literate outsourcee in India not making a deliberate mistake.

    6. Re:Good move by Jason+Levine · · Score: 2

      While I do recommend password managers (I like Password Safe), what if your password is to log into the computer? Then, you can't access your password manager without the password you were going to look up.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    7. Re:Good move by Creepy · · Score: 2

      When I had my most restrictive password change rules, which were at least 8 characters, must contain 1 symbol and one #, no 3 characters could be the same, I found that I could just rotate the password and it worked fine because the text requirement meant in the same place. So at first I could have 1cadaver# and the next month cadaver#1 and the next month adaver#1c, etc. I used a far more complex password with no words though - words make for an easier example.

  2. What if... by freeze128 · · Score: 4, Insightful

    The point of periodic password changes is to protect against an *UNKNOWN* breach, where the password has been compromised and the user doesn't know. Is there some other method of mitigation for this attack?

    1. Re:What if... by PCM2 · · Score: 4, Interesting

      Multi-factor?

      --
      Breakfast served all day!
    2. Re:What if... by Obfuscant · · Score: 2

      Google's Sign-In and Security tools are a good example of this.

      Google is a wonderful example of good customer support. Yes. I just love getting an email from Google that tells me that someone has my password and tried to log in using my account from a new location and that they helpfully stopped the attempt.

      Except that in every case so far, that "someone" has been me, the "new location" was someplace I travel to on a semi-regular basis, and they apparently only block the first attempt because I've never noticed that I cannot access my email or calendar when they've reported they blocked the log-in attempt.

      Yes, Google. So helpful.

      Removing the password change requirement without providing such an access monitoring tool is a disaster in the making.

      Like the email I see after I've returned home, "access monitoring tools" are after-the-fact. Too late to prevent any significant problem.

      On the original topic: regular enforced password changes are not just a problem of remembering a new password. I find it a bigger problem that I have at least four devices that require this password to be configured into the email client, I don't use all four on a daily basis (sometimes a month goes by), and the email client does not have a glaring error notification that it couldn't log in. It is entirely possible that I'll pick up a tablet and use it for a couple of days and only after I switch back will I find out I missed a lot of email. Fortunately, currently only two sites I use have such policies. One is central IT at work who gets paid to do this kind of stuff, and the other is a government site. Work won't let me change and then change back; the government site will.

  3. Finally! by Lord+Kano · · Score: 3, Insightful

    My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.

    My current position has a 6 month expiry. I use a much stronger password.

    This is common sense to me.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:Finally! by geekmux · · Score: 2

      > My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.
      >
      > My current position has a 6 month expiry. I use a much stronger password.
      >
      > This is common sense to me.
      >
      > LK

      You use a much stronger password. The average user would use "123456" and never change it unless a system forced them to.

      Understanding the behavior of the average user is common sense, especially when considering adapting this "new-and-improved" suggestion.

  4. Sudden breakout of common sense by Anonymous Coward · · Score: 3, Interesting

    A randomly generated password of any given strength has the same probability of being guessed as any other equivalently strong random password. The only reason for a forced password change is a breach. Oh, and, my favourite pet peeve: the common requirement that passwords must have some minimum number of characters from a few subsets of all printable characters actually makes them much weaker.

  5. Only works with single sign on by ErichTheRed · · Score: 3, Insightful

    If you have a really well-connected single sign on environment in place, standardizing on a single password that you have to change periodically makes sense. Where it breaks down is when you have a million passwords scattered across different services (internal or external.) If you have to change those over and over, you end up recycling passwords or writing them down, or storing them in a password vault tool (which is a bad idea given how many vulnerabilities have come to light on those.)

    In fact, with SSO systems like Google or Azure AD, it makes sense to protect that single key much more carefully than an individual password. For example, if someone guessed my corporate account's password or found a way to steal information from Microsoft without them knowing (or telling anyone), my Azure AD account has a lot of access -- off the top of my head, from the naked Internet I can access my Exchange email, OneDrive, all the Azure resources I have control over, most of my HR vital data, access to Internet-facing applications, access to my MSDN and volume licensing stuff from Microsoft, and the list goes on. I'm OK with changing that password pretty frequently. If I had 50 of them to remember, not so much.

    The fact that the standards are being updated to reflect that it's much harder to steal passwords from properly secured systems these days and crack them offline is good though. Corporate security types tend to follow these rules verbatim regardless of whether they make operational sense.

  6. Sanity by LunaticTippy · · Score: 4, Insightful

    Thank goodness. Frequent changes entrench bad habits and culture. People are constantly getting locked out, forgetting passwords. Your culture becomes one of frequent password resets with idiotic questions to verify identity. These questions are usually trivially guessable/facebookable/googleable, especially since people forget these all the time too. Many helpdesks will reset passwords via phone without verifying identity since they do it constantly with frustrated, resentful users. Make passwords durable. Changing it without knowing the old one should be a big difficult deal.

    --
    Man, you really need that seminar!
  7. Re:The B word by Opportunist · · Score: 3, Informative

    Biometrics are great for identification, but very, very poor for authentication. As soon as this finally settles in, we can start talking about using it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Yeah it's terrible, but it's Windows by raymorris · · Score: 2

    > How would a properly secure and safe password system know if you new password is only slightly different than your old one?

    it wouldn't. A sane system would store a salted hash of the password, so a bad guy can't download ALL of your damn password.

    > If it can tell a minor change then it is not a good password setup

    Right, it's a Windows password setup. *nix systems were more secure than that in the 1970s.

    1. Re:Yeah it's terrible, but it's Windows by bws111 · · Score: 2

      No kidding. I was responding to the ridiculous statement that no secure password system could possibly know if your new password was similar to the old one, and the equally ridiculous statement that it is a Windows problem and nix doesn't have such problems.
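The exchange in comments 8 and 8.1, together with the "one"/"two"/"three" suffix trick in comment 1.4 and the rotation trick in comment 1.7, raises a concrete question: can a system that stores only a salted hash still tell that a new password is a minor edit of the old one? It can, because a password change presents the old password in cleartext for verification, so the comparison happens before anything is hashed. The following is an added example (not code from the thread, from NIST, or from any product) of that change flow in Python. The PBKDF2 parameters, the edit-distance threshold of 3, and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os

# PBKDF2 parameters (assumed for this example; tune to your hardware).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; only this digest and the salt are ever stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def new_record(password: str) -> dict:
    """Create the stored credential record for a fresh password."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "digest": hash_password(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Constant-time comparison against the stored salted digest."""
    return hmac.compare_digest(hash_password(password, record["salt"]), record["digest"])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch 'old password plus a suffix' changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_distance: int = 3) -> bool:
    """True when the new password is a small edit or a rotation of the old one.

    This check is only possible at change time, when the old password is
    presented in cleartext for verification; the stored record still holds
    nothing but a salt and a digest, so this is not a sign of plaintext storage.
    """
    o, n = old.lower(), new.lower()
    if levenshtein(o, n) <= max_distance:
        return True
    # Rotation check: "1cadaver#" -> "cadaver#1" -> "adaver#1c" are all caught here.
    return len(o) == len(n) and n in (o + o)


def change_password(record: dict, old: str, new: str) -> str:
    """Verify the old secret, reject near-duplicates, then store a new salt and digest."""
    if not verify_password(old, record):
        return "wrong-old-password"
    if too_similar(old, new):
        return "too-similar"
    fresh = new_record(new)
    record["salt"], record["digest"] = fresh["salt"], fresh["digest"]
    return "ok"
```

With a threshold of 3, appending "one" or "two" is caught but appending "three" is not, and "golf486" to "golfPentium" passes, so a distance check is a speed bump rather than a wall; the durable fix the thread converges on is to stop forcing changes at all, so users have no reason to play the suffix game.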

  9. Ass Covering, Delusional Password Policies by FeelGood314 · · Score: 4, Informative

    Most users are expected to know 22 passwords

    Seriously, fuck you, to any site admin who contributes to this.

    Real people can remember two or three passwords and that is all they will bother to remember. They will have maybe two long-term secure passwords for things they personally value (and guess what, work isn't one of those things) and they will reuse the same password or variants of it on every single other system they use. No user will memorize a new password if they are expected to change it regularly. They will create the easiest password possible that meets the system's requirements.
    This is universal and everyone knows it. The previous company I worked for was a well-trusted security company with a policy of passwords that had to change every 90 days, use an uppercase letter, lowercase letter, number, symbol and had to be at least 8 characters. I did a survey. Over two thirds of engineers and 6 out of 6 in HR admitted their password was a common 6-letter English word, first letter capitalized, a symbol and a number that they incremented.

  10. End to golf1, golf2, golf3...golf486 passwords by JoeyRox · · Score: 2

    Now I can keep golf486 and never have to use golf487.

    1. Re:End to golf1, golf2, golf3...golf486 passwords by awkScooby · · Score: 2

      > Now I can keep golf486 and never have to use golf487.

      Pretty sure golfPentium comes after golf486.

  11. Well two things by Sycraft-fu · · Score: 4, Interesting

    1) If that is a big concern, use multi-factor. When real authentication security is important, multi-factor is important. You can't go and say an account is super important and needs high levels of protection but then refuse to go multi-factor.

    2) How long are you ok with an adversary having access to your systems? Is 6 months ok? 12? Those are usually what you see password change requirements set at. Are you really ok with someone having unauthorized access to your systems for 12 months, but that's it, any longer is an issue? Of course not. But to change it often enough to keep an unknown compromise to what you'd consider acceptable users would need to change passwords multiple times a day.

    1. Re:Well two things by amicusNYCL · · Score: 2

      A bigger annoyance than being forced to change your password is having the characters that you can use restricted. I can understand minimum complexity requirements, but I've seen some systems where the list of characters that I'm not allowed to use sounds like they're using my password to name a directory. I see no technical reason for restricting the list of possible characters, or the maximum length for that matter. When I find a system that tells me I can't use certain characters in a password that's an immediate red flag that these people are probably storing in plain text.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
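Comment 11.1 argues that restricting which characters a password may contain, or capping its length, has no technical justification, and the article summary describes the draft's shift away from expiry toward checking a password once, when it is set. The following is an added example (not from the thread, and not NIST's own code) of a verifier in Python that applies that approach: NFKC normalization, a minimum length of 8, a generous maximum, every printing character including space and Unicode allowed, no composition rules, and rejection based on a blocklist, repetitive or sequential runs, and context words such as the username. The blocklist is a constructed stand-in for a breached-password corpus, and the maximum of 128 and the run length of 4 are assumed values.

```python
import unicodedata

MIN_LENGTH = 8       # minimum for user-chosen secrets
MAX_LENGTH = 128     # assumed limit for this example; well above the 64 the draft asks for

# Constructed sample blocklist; a real deployment loads a breached-password corpus.
BLOCKLIST = {
    "password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1", "summer2016",
}


def normalize(secret: str) -> str:
    """NFKC normalization before any comparison or hashing."""
    return unicodedata.normalize("NFKC", secret)


def has_run(secret: str, min_len: int = 4) -> bool:
    """Detect repetitive (aaaa) or sequential (abcd, 4321) runs of min_len characters."""
    for start in range(len(secret) - min_len + 1):
        seg = secret[start:start + min_len]
        steps = {ord(b) - ord(a) for a, b in zip(seg, seg[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate: str, username: str = "", service: str = "") -> list:
    """Return the list of rejection reasons; an empty list means the password is accepted.

    No composition rules (uppercase/digit/symbol) and no forbidden characters:
    any printing character, including space and non-ASCII, is allowed. Only
    control characters are refused.
    """
    secret = normalize(candidate)
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append("too-short")
    if len(secret) > MAX_LENGTH:
        reasons.append("too-long")
    if any(unicodedata.category(c).startswith("C") for c in secret):
        reasons.append("control-character")
    lowered = secret.lower()
    if lowered in BLOCKLIST:
        reasons.append("blocklisted")
    if has_run(lowered):
        reasons.append("repetitive-or-sequential")
    for word in (username, service):
        if word and word.lower() in lowered:
            reasons.append("contains-context-word")
            break
    return reasons
```

Because the candidate is compared against the blocklist in lowercased, normalized form, "P@ssw0rd" is refused even though it satisfies every classic composition rule, while a long passphrase with spaces is accepted without further ceremony.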
  12. Horrifying in what way? [Re:It's funny] by XXongo · · Score: 2

    > But then we did a password audit and the results were horrifying.

    Horrifying in what way?

    Horrifying in that you discovered that the time and energy and lost work involved in enforcing useless password protocols came to many millions of dollars a year?