
FTC CTO: Time to Rethink Mandatory Password Changes - hmahncke
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
======
makecheck
It’s nice to see these things resolved in studies but I thought the outcomes
were rather predictable.

In the case of security, it isn’t enough to have a policy-maker be passionate
about solving a problem. Simply _having_ a policy (read: obstacle to getting
work done) will not automatically instill passion in everybody else to solve
the same problem. Instead, people will find the least-effort solution to _work
around the obstacle_! Basic password transformations and/or writing passwords
down should therefore have been anticipated by any “security expert” long
before recommending frequent password changes.

Now, imagine this alternate approach:

- Educate everyone on passwords, emphasizing the length. The idea is to get
users invested in the problem of security instead of just making a policy.

- Set up the system to reject any password less than 25 characters.

- Aside from length, _no_ character restrictions. In fact, multiple spaced
words (“pass phrase”) are strongly encouraged. Employees are encouraged to
make their passwords memorable nonsense sentences such as “chair bleak elf
combination” and so forth. Mobile interfaces are then designed to make it easy
to search dictionary words (because so many people will be using them to enter
very long passwords). In other words, build the system to make it easy to do
what people will probably try to do anyway but make it secure.

- Passwords are not required to change as frequently as every quarter. Maybe
once a year.

- Systems are set up to periodically require 2nd-factor authentication
mechanisms, such as one-time text messages or E-mails.

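The policy sketched in the comment above, as an added worked example that is not code from the post or from the FTC article. It assumes a 25-character minimum, that only the size of an EFF-style 7776-word list matters for the entropy estimate (the list itself is not embedded), and that the old password is available in plaintext at change time because the user has just typed it, which is what lets a rotation check catch the "basic password transformations" the comment mentions. The conventional 8-character, three-class rule is included only for contrast.

```python
"""Passphrase-first password policy (added example; not the post's own code).

Assumptions: 25-character minimum, a 7776-entry wordlist (only its size is
used), and old password available in plaintext at change time.
"""
import difflib
import math
import re
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 25       # the comment's rule: reject anything shorter than 25
WORDLIST_SIZE = 7776  # assumption: size of the EFF long diceware list


@dataclass
class Verdict:
    accepted: bool
    reason: str
    estimated_bits: Optional[float]  # only estimated for word-form passphrases


def passphrase_bits(password: str, wordlist_size: int = WORDLIST_SIZE) -> Optional[float]:
    """Entropy if the password is N dictionary words and the attacker knows the
    wordlist: log2(wordlist_size ** N). Returns None for anything else, because
    a per-character pool estimate overstates the strength of human-chosen strings."""
    words = password.split()
    if len(words) >= 2 and all(w.isalpha() for w in words):
        return len(words) * math.log2(wordlist_size)
    return None


def complexity_policy(password: str) -> bool:
    """The conventional rule the comment argues against: 8+ chars, 3 of 4 classes."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) >= 8 and classes >= 3


def passphrase_policy(password: str, min_length: int = MIN_LENGTH) -> Verdict:
    """Length is the only requirement; spaces and any other characters are allowed."""
    if len(password) < min_length:
        return Verdict(False, f"shorter than {min_length} characters", None)
    return Verdict(True, "ok", passphrase_bits(password))


_LEET = str.maketrans("@$!0", "asio")  # common letter-for-symbol substitutions


def _core(password: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols (counters like '#1'),
    undo common substitutions, then drop any remaining non-letters."""
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    s = s.translate(_LEET)
    return re.sub(r"[^a-z]", "", s)


def is_trivial_transform(old: str, new: str) -> bool:
    """True when `new` is a predictable edit of `old`: counter bumped, symbol
    swapped, letter/symbol substitution, or a small suffix change."""
    if old == new:
        return True
    co, cn = _core(old), _core(new)
    if not co or not cn:
        return False
    if co == cn or co in cn or cn in co:
        return True
    return difflib.SequenceMatcher(None, co, cn).ratio() >= 0.8


def change_password(old: str, new: str) -> Verdict:
    """Rotation check: length policy first, then reject trivial transformations."""
    verdict = passphrase_policy(new)
    if not verdict.accepted:
        return verdict
    if is_trivial_transform(old, new):
        return Verdict(False, "new password is a trivial transformation of the old one",
                       verdict.estimated_bits)
    return verdict


if __name__ == "__main__":
    for pw in ("Tarheels#1", "chair bleak elf combination"):
        print(f"{pw!r}: complexity={complexity_policy(pw)} passphrase={passphrase_policy(pw)}")
    print(change_password("Tarheels#1", "Tarheels#2"))
```

Note the inversion the two policies produce: the complexity rule accepts `Tarheels#1` and rejects `chair bleak elf combination` (only one letter class plus spaces), while the length-only rule does the opposite. The entropy figure is deliberately conservative, assuming the attacker has the wordlist; a real deployment would add a breached-password lookup, which this example omits.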
