Password policies, forced password changes are bad.
-
The original FTC article, and ZDnet/Jack Schofield's take.
Basically, forcing users to change passwords often is terrible security on the human side. I've always thought as much, but rarely get actual evidence to back it up.
-
First link goes nowhere
-
I had one of my doctors kick this back at me a few years ago when I was making password policies for the company.
In the end I agreed that changing them frequently was stupid and that watching logs and locking users out after 5 bad attempts is much better.
At the time we went with 8-character upper, lower, and number password requirements. I would like to change that to 12 characters with only upper and lower requirements... the upper and lower are only there to keep someone from making aaaaaaaaaaaa as their password.
-
/wtb FTC link.
-
@Dashrender said:
I had one of my doctors kick this back at me a few years ago when I was making password policies for the company.
In the end I agreed that changing them frequently was stupid and that watching logs and locking users out after 5 bad attempts is much better.
At the time we went with 8-character upper, lower, and number password requirements. I would like to change that to 12 characters with only upper and lower requirements... the upper and lower are only there to keep someone from making aaaaaaaaaaaa as their password.
AAAAAaaaaa
-
@scottalanmiller said:
@Dashrender said:
I had one of my doctors kick this back at me a few years ago when I was making password policies for the company.
In the end I agreed that changing them frequently was stupid and that watching logs and locking users out after 5 bad attempts is much better.
At the time we went with 8-character upper, lower, and number password requirements. I would like to change that to 12 characters with only upper and lower requirements... the upper and lower are only there to keep someone from making aaaaaaaaaaaa as their password.
AAAAAaaaaa
Will happen, but Windows AD does not have intelligent rules.
-
Just let them use pass phrases... I wish you could require a space in passwords.
-
@JaredBusch said:
@scottalanmiller said:
@Dashrender said:
I had one of my doctors kick this back at me a few years ago when I was making password policies for the company.
In the end I agreed that changing them frequently was stupid and that watching logs and locking users out after 5 bad attempts is much better.
At the time we went with 8-character upper, lower, and number password requirements. I would like to change that to 12 characters with only upper and lower requirements... the upper and lower are only there to keep someone from making aaaaaaaaaaaa as their password.
AAAAAaaaaa
Will happen, but Windows AD does not have intelligent rules.
I know that. But forced complexity isn't really much, if any, better. But the 12-character thing hasn't been approved yet.
-
@dafyre said:
Just let them use pass phrases... I wish you could require a space in passwords.
Yeah, I'd love requiring 16 plus... but really I don't think 12 will likely fly.
-
@Dashrender said:
@dafyre said:
Just let them use pass phrases... I wish you could require a space in passwords.
Yeah, I'd love requiring 16 plus... but really I don't think 12 will likely fly.
If they make it a phrase, they can easily remember it. Correct, Horse Battery Staple....
Whoops, now I gotta change my password.
-
Password policies are something that you have to make users deal with to a certain degree. I don't see anything really wrong with setting a policy that forces change, but at some compromise level.
- Not the same within 12 months
- Upper/lower case
- Number/symbol
- Between 8 and 12 characters
Some systems have the ability (or at least I believe so) to eliminate dictionary-type attempts (all A's or numbers), lame-duck type attempts. The system SHOULD be able to have a screen hint so that a user knows what they can and can't do. And when the system rejects the password, it should state why.
But maybe that is too logical.
-
@aaron said:
People still remember passwords?
I would be able to tell you 2. The one for my laptop and the other for opening my password management application. Then there's a password in there for my second password management application. I really have no clue what most of the passwords are that I use. Aside from aaron12 that's super secure and better than the previous one of aaron11.
Makes written notes of @aaron's passwords.
Mine are sitting right here on my desk... you just have to determine what order they go in...
-
Gah, fixed the first link.
-
@gjacobse The point is that forcing people to change their password even just 4 times a year means they will forget them, and be forced into using poor choices and/or patterns. Like @aaron I only have 2 memorized anymore.
-
@travisdh1 said:
@gjacobse The point is that forcing people to change their password even just 4 times a year means they will forget them, and be forced into using poor choices and/or patterns. Like @aaron I only have 2 memorized anymore.
Using patterns of added or changing special characters would be better. Either one still prevents the likelihood of a brute force (along with lockouts).
-
@Jason said:
@travisdh1 said:
@gjacobse The point is that forcing people to change their password even just 4 times a year means they will forget them, and be forced into using poor choices and/or patterns. Like @aaron I only have 2 memorized anymore.
Using patterns of added or changing special characters would be better. Either one still prevents the likelihood of a brute force (along with lockouts).
Let me quote that FTC article for you. "I go on to explain that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily." So using patterns just leaves you more vulnerable. I.e., they changed their password, bet they just replaced the # at the end with a !, oh, nope, it was an &. The actual data in the article is even more damning than my little example. "The UNC researchers found that for 17% of the accounts they studied, knowing a user's previous password allowed them to guess their next password in fewer than 5 guesses."
-
@Jason said:
@travisdh1 said:
@gjacobse The point is that forcing people to change their password even just 4 times a year means they will forget them, and be forced into using poor choices and/or patterns. Like @aaron I only have 2 memorized anymore.
Using patterns of added or changing special characters would be better. Either one still prevents the likelihood of a brute force (along with lockouts).
That's the worst. That's what creates the security weaknesses that we commonly see today.
Far better to have one long, never changing passphrase than many short, regularly changing ones.
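-
The "replace the # with a !" pattern @travisdh1 quotes from the UNC finding, and the 12-character upper/lower policy @Dashrender floats, worked through in Python. This is an added example, not code from the thread, the FTC article, or the UNC researchers: the transform list, the symbol set, and the sample passwords (Summer11# and friends) are assumptions chosen to illustrate the point, not the researchers' actual algorithm or data.

```python
"""Added example (not from the thread or the FTC article): how predictable
"rotate the last character" password changes are guessed, and a policy check
that rejects them. The transform list is an assumption modelled on the
patterns the FTC/UNC discussion describes, not the researchers' own method."""
import itertools
import re
from typing import Optional

SYMBOLS = "!@#$%^&*"           # assumed set of symbols users rotate through
# core letters, optional trailing digits, optional trailing symbols
SUFFIX_RE = re.compile(r"^(.*?)(\d*)([!@#$%^&*]*)$")


def predictable_successors(prev: str) -> list[str]:
    """Candidate 'next' passwords derived from prev, ranked with single edits
    (bump the number, swap the symbol) before double edits."""
    core, digits, sym = SUFFIX_RE.match(prev).groups()

    digit_opts = [digits]
    if digits:
        width = len(digits)
        for delta in (1, 2, -1):            # Summer11 -> Summer12, 13, 10
            n = int(digits) + delta
            if n >= 0:
                digit_opts.append(f"{n:0{width}d}")
    else:
        digit_opts += ["1", "2"]            # no number yet: append one
    sym_opts = [sym] + [s for s in SYMBOLS if s != sym]

    ranked = []
    for s, d in itertools.product(sym_opts, digit_opts):
        cand = core + d + s
        if cand != prev:
            ranked.append(((d != digits) + (s != sym), cand))
    ranked.sort(key=lambda t: t[0])         # stable sort: fewest edits first
    out: list[str] = []
    for _, cand in ranked:
        if cand not in out:
            out.append(cand)
    return out


def guesses_needed(prev: str, new: str, limit: int = 50) -> Optional[int]:
    """1-based position of `new` in the guess list, or None if an attacker
    holding `prev` would not reach it within `limit` guesses."""
    for i, cand in enumerate(predictable_successors(prev)[:limit], start=1):
        if cand == new:
            return i
    return None


def same_core(prev: str, new: str) -> bool:
    """Defender-side check: identical letters once trailing digits/symbols are
    stripped and case is ignored (Summer11# vs SUMMER2017!)."""
    pc = SUFFIX_RE.match(prev).group(1).lower()
    nc = SUFFIX_RE.match(new).group(1).lower()
    return bool(pc) and pc == nc


def policy_violations(new: str, prev: Optional[str] = None,
                      min_length: int = 12) -> list[str]:
    """The policy floated in the thread (12+ characters, upper and lower case,
    no 'aaaaaaaaaaaa'), plus a rejection of predictable edits of the previous
    password, which is what the FTC/UNC finding says to worry about."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (any(c.isupper() for c in new) and any(c.islower() for c in new)):
        problems.append("needs both upper- and lower-case letters")
    if len(set(new)) < 4:                   # catches aaaaaaaaaaaa and AAAAAaaaaa
        problems.append("too few distinct characters")
    if prev is not None:
        g = guesses_needed(prev, new)
        if g is not None:
            problems.append(f"guessable from the previous password in {g} guess(es)")
        elif same_core(prev, new):
            problems.append("same core as the previous password")
    return problems


if __name__ == "__main__":
    old = "Summer11#"                       # constructed sample, not a real password
    for new in ("Summer12#", "Summer11!", "SUMMER11#", "Correct horse battery staple"):
        print(f"{old!r} -> {new!r}: guesses={guesses_needed(old, new)}, "
              f"violations={policy_violations(new, prev=old)}")
```

Run it and the first three "new" passwords are either reached within a dozen guesses or share their core with the old one, while the passphrase is neither guessable from Summer11# nor in violation of the 12-character upper/lower policy. Note that AD's built-in history and complexity settings do not do the previous-password comparison; a check like `same_core` would have to live in a password filter or at the application layer.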