
Password expiration is dead, long live passwords - davidgh
https://techcrunch.com/2019/06/02/password-expiration-is-dead-long-live-your-passwords/
======
Jaruzel
Shifting from passwords to more secure systems such as MFA ignores the
elephant in the room about passwords that no-one wants to acknowledge: People
share passwords.

A simple example is this: A couple do online grocery shopping every week or
so, depending who has time to do it, one of them will log into the 'account' and
build the basket. Maybe the other will then amend the basket a few hours later
before the cut off time. With enforced MFA, this is not possible.

There will always be a small percentage of situations where '1 person = 1
account' will never be true. Until providers add the concept of multi-logins
to the same 'account' on their systems you can't wholesale move to stronger
security methods.

I have the same issue with all these 'smart home' products that need an app
installed onto a phone or tablet. A lot of them are bound to a single account,
which means if other people in the household also want to have the app, you
have to share your account details. If it's a Google or Amazon product, that
means you are sharing account details of an account that you really shouldn't
be.

~~~
faceplanted
YouTube has this problem to an insane degree, some large businesses are run
from a single person's long standing Google account and there's no way to give
another YouTube account any privileges you might want an employee to have
without giving them access to your entire Google account and all attached
services including your emails, the ability to locate and wipe your phone, all
the photos on your phone via Google photos, your calendar for its entire
history, I could go on.

It's completely insane, and the closest they've gotten to adding anything like
this is letting people have comment moderators on live streams, not videos
where people have wanted comment moderators from day one, just live streams.

~~~
_betty_
Can't you just convert the channel to a brand account, then associate new
people? Has worked for us for years and afaik people don't have access to
anything other than YouTube.

~~~
MichaelApproved
You can. OP simply doesn't know that feature exists.

------
blr246
The other part of this story I did not see mentioned is that I suspect that
password expiration also makes organizations more vulnerable to social
engineering hacks because legitimate users (I have done this) become locked
out due to poorly managed password expiration, then have to call in to restore
access. The use of insecure identity and authentication mechanisms like
student IDs and security questions is a recipe for abuse.

Good riddance to password expiration.

~~~
omh
Unfortunately we still have to have similar authentication methods for other
password resets. Users have an alarming tendency to forget their passwords
after a week or two of holiday.

~~~
paulryanrogers
Some never memorize their passwords at all, instead relying entirely on
'forgot' emails and "Remember Me" features.

~~~
nitwit005
I have wondered if some web pages effectively have this as the main log in
method. If you have a hurricane tracking page, everyone is going to forget
their passwords in between hurricane seasons.

~~~
gpm
Steam has nearly done this for me.

Oh, it has a password. But if I remember my password I have to check my email
and copy and paste a code from there. And if I forget my password I have to...
check my email and copy and paste a code from there... really not much point
to the password.

------
EnderWT
"Periodic password expiration is a defense only against the probability that a
password (or hash) will be stolen during its validity interval and will be
used by an unauthorized entity. If a password is never stolen, there’s no need
to expire it. And if you have evidence that a password has been stolen, you
would presumably act immediately rather than wait for expiration to fix the
problem."

Full post:
[https://blogs.technet.microsoft.com/secguide/2019/05/23/secu...](https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/)

~~~
thaumasiotes
> If a password is never stolen, there’s no need to expire it. And if you have
> evidence that a password has been stolen

We've been seeing the point "your personal information is already out there,
in the hands of hackers" recently. This cleft seems oddly blind to the
possibility that a password has been stolen, but you have no evidence of the
fact.

~~~
Retric
If that’s the fear then all passwords should expire at the same time.
Otherwise, if you reset every X days, hackers will always have access to some
accounts for X days.

~~~
setr
In the current method, possible access risk is staggered, such that you only
have access to _some_ accounts, for some days.

In your method, you have access to _all_ or none, for some days.

Staggered seems preferable.

Note that I’m only arguing your reasoning, not the broader point of password
expiration

~~~
Retric
On day zero staggered means they still have access to ~100% of accounts.

Hackers with access to 100 million accounts generally can use any of them, but
not all of them. So, in practice access to 1% or 100% of all accounts may be
equally damaging.

------
jvagner
Recent, frustrating example: My (business) bank uses FISERV software, and
their software expires passwords every 90 days. Their software can notify you
about a million combinations of account activities and statuses, except this
one. It takes 3 values to login to the account (company ID, username,
password). When logging in via mobile app, it never tells you that your
password has expired, so I end up trying a few times before I remember it
might be an expired password.

Login via web browser, and sure enough it'll tell me my password expired and
it's time to change it. They also occasionally enforce 2FA. Passwords are also
how you connect things like Quickbooks.

When I called the bank to find out how to get notifications that a password
has expired, they said there was no way. "When you change your password, set a
calendar event for 60 days ahead..." they told me.

~~~
lysp
The problem with having a short expiration is that it forces people to simply
use their password with a count:

password1, password2, ... password23, password24.

This means that if you discover someone's current password, you also have
their future 10+ passwords as well.

~~~
malaysanghi
I would think anyone enforcing password expiration would make sure the
password is sufficiently (subjective) different from current password. This
should be simple to enforce by asking for current password when you are asking
for new password. You can perform a text match before computing whatever hash
you need to store.

~~~
kavi87
You'll need to store passwords in clear for this, not a good idea.

~~~
ht85
Not necessarily, you can have the user input the old password when setting up
the new one, check it against the old hash and if it matches, do whatever
comparisons you need between old and new.

------
jsonau
Another of the worst offenders is security questions to unlock accounts.
Answers to these questions are usually visible to customer service reps, and a
similar set of questions is asked across different services. This is scary.

It's as dangerous as having a password stored in plain text, as answers to the
security questions can potentially unlock many other accounts.

I highly suggest everyone answers each of them with a unique answer.

~~~
XorNot
I've long since started just putting in random password strings for these.

~~~
Someone1234
I used to also, until this blew up in my face.

Put random stuff as the security answers in my Trial World of Warcraft account
in 2005. In order to merge it into my Battle.net 2.0 account around 2009 I
needed to know it, and even though I had the correct password there was no way
to change security questions and I had to beg customer support (which was a
long process, involving software serial numbers, scans of ID, the whole
works).

Ultimately they told me what my mother's maiden name was:
qewqewdfskjr3924kjasdf

~~~
bscphil
I assume when people suggest putting random strings in these fields, it's
implied that you're supposed to save that data in a password manager or
something. Mine (KeePassXC) supports storing arbitrary data as "notes" in each
entry, along with TOTP information (great as a backup in case you lose your
phone), and other stuff.

I worry more that a particularly dull customer support agent is likely to be
convinced by a random caller to reset the password if they can see that those
fields are garbage.

~~~
syntheticcdo
Use randomly generated words. A CSR might be convinced by "idk I just put
random words in there LOL" when the security question answer is
uaisehf8wefjh0824m, but if they see "correct-horse-battery-staple" as the
answer, it might be a bit harder to convince.

------
caymanjim
It's going to take literally an entire human generation or more for the
terrible password rules of the 2000s to disappear. Forced password changes and
the myriad irrational rules about acceptable password contents have been
drilled into the heads of every sysadmin and security engineer for the past
two decades. They were never evidence-based rules, they were just learned
behaviors.

~~~
mormegil
If only the heads of security people... It's right there in the law: "[...]
the tool for user identity verification [...] must enforce rules for [...]
regular password change in the interval of at most 18 months [...]" §19(5)f of
the Decree No. 82/2018, the Cybersecurity Decree (the Czech Republic).

(The good thing is this is only an interim requirement until a proper two-
factor system is implemented, as required.)

------
JoeAltmaier
Not sure expiration is the worst problem with passwords. In no particular
order,

* Most are easy to remember (most of us don't use LastPass etc)

* They authenticate the user but not the service!

* They're leaky (the system tells you when you have the wrong one, facilitating several kinds of attacks)

* People leave them lying around all the time

* Changing one almost always involves using the old one (instead of starting over from first principles)

Don't get me started on usernames! If you have a large hashed password, then
the username becomes irrelevant (except as a way of leaking information).

Here's a modest proposal:

* Insist on large hashed passwords (256bit or better).

* Forget about usernames. The password becomes an 'account key' and is all you need

* Allow delegation: from one account to another; enable/disable features even for the 'main' account; give away authority for delegation at the feature level

* Never deny login for any reason, because that leaks security info (e.g. 'that password is illegal' is information). Just trust every legal password, and if it doesn't exist in the system then create a new default account

~~~
npongratz
> * Forget about usernames. The password becomes an 'account key' and is all
> you need

When talking about your account, then -- such as when talking to Support --
how would you refer to your account? Would you be assigned an ID by the
system, which you then have to save or remember?

Not saying it's good or bad or anything, just want to understand the expected
user experience.

~~~
JoeAltmaier
Any amount of profile information can be associated with an account. But a
better, more secure technique than describing the account, would be to create
a temporary token for the account and share it with support. That proves
you're authorized to ask support to make changes in that account.

------
dessant
That's exciting news, though it will take a couple of years until it trickles
down to financial institutions. My bank forces me to change passwords every 3
months, and of course they also disable pasting for added security.

We also have a local utility that sends you a 5 letter password upon account
creation through email, and that's your password. If you try to change it,
they'll send you another 5 letter one.

~~~
antoineMoPa
Bank programmers live at least 5 years in the past.

~~~
elcomet
I'd say this is because it takes that long to get a feature from design to
production, in a bank.

------
davemp
I've always wondered how many engineer hours have been lost on the phone with
helpdesks sorting out expired passwords.

~~~
dcow
I did some lunch table math a few weeks ago. Assuming it takes on average 30
min for an employee to rotate a password (reboots, re-logins, etc.), assuming
an average $50/hr across all employees, ~600k employees @ 4 changes per year
(my current company policy is every 80-ish days) = $60MM of human time spent
per year making the company _less secure_.

~~~
Aeolun
It doesn’t take 30 minutes to change my password from ‘password5’ to
‘password6’ though.

~~~
swish_bob
If I don't restart my laptop after changing my password, I'm saving up for a
whole load of shit. The proxy logins may, or may not, continue to work, but
it's highly likely that at some point in the next few hours, Outlook is going
to trigger 3 failed password checks and lock me out of my mailbox.

And that's assuming it expires when I'm in the office, whereas what seems to
happen roughly half the time is it expires when I'm connected via the VPN.

------
quickthrower2
Ah good stuff. Password expiration is a pain, but it's worse for Windows login
because I can't even open Keepass until I get in!

When forced to do this I will use something like "B@s3P@ssw0rd1" then
"B@s3P@ssw0rd2", "B@s3P@ssw0rd3" etc.

~~~
Jaruzel
That's still a weak password. Letter substitution doesn't increase the
difficulty, as password crackers try all the variants as a matter of course.

Better to use a combo of several words such as... BatteryHorseStaple. :)

~~~
quickthrower2
The point was changing the number at the end to work around the requirement to
change the password. My real pw was better.

------
discreditable
I still expire passwords on a yearly basis for the sole reason that users have
complained to me that it stops them from using the password they use for
everything else.

~~~
jeremyjh
I came here to say this. I can't think of another way to guarantee that they
aren't using the same password that they use on every website they've visited
since 1997. If anyone has suggestions on this I'd love to hear it.

~~~
LeoPanthera
What I do:

1. Check the password against the haveibeenpwned.com database.

2. Check the password with the zxcvbn password strength library.

If it passes both they can use it. It's not perfect, but it's a lot better
than nothing.

~~~
tomglynch
I don't think checking against haveibeenpwned is a good idea. They recommend
against checking your current password, and you're automatically checking
every users current password?

~~~
bscphil
You can download a database from haveibeenpwned of SHA-1s of all the
passwords, which is the only way you should be checking user passwords against
an external database. It's also a good way!

~~~
fwip
Downloading the database is best, but you can also safely use their range API
[1]. This can be run either client-side or server-side.

I built a toy webpage using the API [2], and you can see how straightforward
the API is to use by checking the script [3].

[1]
[https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByR...](https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange)

[2]
[https://safepasswordchecker.hashbase.io/](https://safepasswordchecker.hashbase.io/)

[3]
[https://safepasswordchecker.hashbase.io/script.js](https://safepasswordchecker.hashbase.io/script.js)
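
Added example (not fwip's script, and not code from haveibeenpwned): the range-query logic described above, run server-side at password-set time. Only the first five hex characters of the SHA-1 leave the host; the suffix match happens locally. The `fetch_range` callable is injected so the check runs offline against a constructed response; the suffix for "password" is the real one, the counts and the second entry are made up for the example.

```python
"""Offline demonstration of a k-anonymity check against the Pwned Passwords
range API. Only the first five hex characters of the SHA-1 ever leave the
client; the match is done locally on the returned suffix list."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
PADDING_LINE = "0" * 34 + "A:0\n"   # shape of a count-0 filler entry


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form Pwned Passwords indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by upper-case suffix.
    Padded responses (Add-Padding: true) contain count-0 filler entries;
    they are kept as 0, which pwned_count() treats as not breached."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breach appearances for `password`, 0 if none.
    `fetch_range(prefix) -> str` is injected so the check is testable offline."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real fetcher (network required; not used by the demo below). Add-Padding
    hides the true number of matches in the response size from an observer."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with
# it). The first suffix is real; the counts and second entry are made up.
SAMPLE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "1E2D8C5A1B0E4F3A2C9D8E7F6A5B4C3D2E1:12\n"
        + PADDING_LINE
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the API: the known prefix gets the sample, anything else a
    padding-only body so the caller sees 'no match'."""
    return SAMPLE_RESPONSES.get(prefix, PADDING_LINE)


if __name__ == "__main__":
    for candidate in ("password", "xK9#vQ2pL!mZ7r"):
        n = pwned_count(candidate, fake_fetch_range)
        verdict = f"seen {n} times, reject" if n else "not in sample set, allow"
        print(f"{candidate!r}: {verdict}")
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service; either way the full hash is never transmitted, which is what makes checking a user's current password at set time acceptable.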

------
Raistael
I'm not entirely sure that I'd agree with this mentality. Sure, at a glance it
sounds good. If the password has been safeguarded, there's really not much
reason to force expiration. However, wouldn't the age of the password reduce
the security of it by default? The longer a password exists for, the more
likely it is that it can be cracked, discovered by a misplaced Post-It note,
or compromised by some other unknown security issue. With all the other
security and privacy concerns, this thought process seems contrary.

~~~
FlorianRappl
Reality is that a password expiration policy quite often leads to password
simplification (e.g., having an incremented number in the password, post-its
on the screen, ...).

I'd prefer 2FA and (allowing / encouraging) longer / stronger passwords over
change policies.

~~~
Raistael
I prefer these methods as well, but password simplification is a user choice,
not a causal effect. Any secure password generator and vault, keyfobs and
various other methods are great ways to compensate for a password that expires
every so often. While I'm not entirely in line with the idea of "forced"
password expiration, it's often the only way to ensure that the end user
actually updates their password regularly. There are definitely better ways
than raw expiration. Why not present the user with a screen that basically
says "hey, your password hasn't been changed in __ time, you'll need to fix
that now to access the system" when they log in after the set time period?

~~~
loup-vaillant
> _password simplification is a user choice, not a causal effect_

The two are not mutually exclusive. If you require users to change passwords
regularly, and also make sure the new password is sufficiently different from
the last one (like, most characters must be different or something), guess
what the users are likely to choose of their own so called free will.

And I'm not even speaking of how you must store a password to be able to tell
that a new password is sufficiently different from all the old ones. (Hint:
probably plaintext.)

> _[…] "forced" password expiration [is] often the only way to ensure that the
> end user actually updates their password regularly._

That does not work. I have defeated it in my last gig with this simple method:

    Complicatedpassword1
    Complicatedpassword2
    Complicatedpassword3
    Complicatedpassword4
    Complicatedpassword5

And I will do it again, because a complex password that never changes is much
more secure than random crap that I will have to simplify just so I can
remember it. Also good luck trying to defeat my strategy (or similar
strategies) without storing more than a hash of the password, properly
generated with a memory hard function like Argon2.

~~~
mypalmike
> Also good luck trying to defeat my strategy (or similar strategies) without
> storing more than a hash of the password

Enter Old Password: Complicatedpassword1

Enter New Password: Complicatedpassword2

Sorry, your new password is too similar to your old password.

(Passwords are still stored and verified using hashing, but with a form like
this, your most recent and new passwords are available in plaintext for
comparison when you make the change.)

~~~
loup-vaillant
Crap, I forgot about that. I guess I'll have to swap words if that ever
happens:

    Complicatedpassword1
    PasswordComplicated1
    Complicatedpassword2
    PasswordComplicated2
    Complicatedpassword3
    PasswordComplicated3

And if that fails, they win. Clearly they don't care about security, so I'll
use a weaker password. _And_ I will note it on a post-it and keep it in my
wallet.
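
Added example (not code from either commenter): the change form mypalmike describes, implemented so that only a salted hash is ever stored. Because the user types the current password on the form, old and new are both in memory for that one request, which is enough to catch the incremented counter and the word-swap variant loup-vaillant suggests; older history is not available this way without storing it reversibly. Argon2 is the better choice for the hash but needs a third-party package, so this uses `hashlib.scrypt` from the standard library; the similarity threshold of 0.7 and the sample passwords are assumptions for the example.

```python
"""Password-change check that rejects trivially derived passwords without
storing anything but a salted hash. It works only because the user types the
*current* password on the change form, so old and new are both in memory for
the duration of the request; older history is not available this way."""
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher
from typing import Optional, Tuple

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # ~16 MiB, memory-hard


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only these two values are ever persisted."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def normalize(password: str) -> str:
    """Strip the parts people change to satisfy a rotation rule: case, digits
    and punctuation. 'Complicatedpassword7!' -> 'complicatedpassword'."""
    return re.sub(r"[^a-z]", "", password.lower())


def too_similar(old: str, new: str, threshold: float = 0.7) -> bool:
    """True if `new` looks like `old` with a counter bumped, punctuation
    tweaked, its words swapped, or only a few characters edited."""
    a, b = normalize(old), normalize(new)
    if a == b:                                   # only digits/case/symbols differ
        return True
    if a and len(a) == len(b) and a in b + b:    # rotation: word order swapped
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def change_password(stored: Tuple[bytes, bytes], old: str, new: str) -> Tuple[bytes, bytes]:
    """Verify the typed current password, reject near-duplicates, return the
    new (salt, digest) record. The plaintexts live only in this call frame."""
    salt, digest = stored
    if not verify_password(old, salt, digest):
        raise ValueError("current password incorrect")
    if too_similar(old, new):
        raise ValueError("new password is too similar to the current one")
    return hash_password(new)


if __name__ == "__main__":
    record = hash_password("Complicatedpassword1")
    for attempt in ("Complicatedpassword2", "PasswordComplicated1",
                    "glacier-cobalt-umbrella-42"):
        try:
            record = change_password(record, "Complicatedpassword1", attempt)
            print(f"{attempt!r}: accepted")
            break
        except ValueError as err:
            print(f"{attempt!r}: rejected ({err})")
```

The rotation test (`a in b + b`) is what catches "Complicatedpassword" versus "PasswordComplicated"; a plain edit-distance ratio on those two strings comes out near 0.58 and would slip past the threshold on its own.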

------
teilo
So does this mean they also changed the guidelines in the SSPA? This is their
security framework / certification for vendors doing business with Microsoft.

Also NIST dropped password complexity requirements. The only hard requirement
is it must be 8 characters or more. The new guideline is to let users choose
their own level of complexity and encourage them to make longer passwords that
they can actually remember.

We would like to follow NIST 800-53, but too many customers (like Microsoft)
still do not allow for the 2016 NIST changes.

------
mouzogu
I wish every company that does this will stop too. It's so frustrating and
annoying having to change my passwords so regularly.

The internal time management software we use at work, which I only access
every few weeks always forces me to set a new password. So every time I come
to log on, my password has expired. What makes it worse is that this password
is connected to other work services but they're not synchronised so when I
change one, the other doesn't always change for a couple of days. Sometimes,
the only way to log in to my machine is to disconnect the ethernet and make
sure the wifi is off. And I have to keep a document on my phone with every
variation of my passwords in the last few months and even then, if I am on
holiday for a while and come back to work, none of them work.

I think there is a class of companies and services (Excluding Microsoft) who
just need to leave the business of user security to the user and stop trying
to build walls around an enclosure that no one cares about in the first place.

------
makecheck
Not only are expirations pointless but it’s ridiculous that a 24-hour
expiration system is often paired with a “Monday-Friday, 9-4 Eastern” kind of
phone call.

I once had an investment account lock out at the start of a weekend and _I
couldn’t log into the damn thing for days_ simply because their robot shut it
off and only a working human would turn it on.

------
tomglynch
Password expiration made average users need to remember more password
combinations and resulted in them using the same password for each website
they use. This is a serious issue, especially when sites the size of Facebook
are accidentally logging plaintext passwords on their servers.

Password managers are claimed to be the solution but we just aren't seeing
average users jumping on board - probably due to the added complexity.

So what's the solution? How about websites begin client side hashing as well
as using SSL and hashing server side. Then every user's 'password' becomes
unique by having a specific salt per website. This would hugely improve the
current scenario in that when a site is hacked, attackers can try every user's
details on a range of other sites, gaining access due to password re-use.

~~~
loonyphoenix
That relies on every website implementing this solution, and I don't think
such coordination is possible.

Also I don't see the advantage over just server-side hashing. Client-side
hashing (without a password manager) is public, so the salt the site uses is
known.

~~~
tomglynch
Well any website serious about security - yes. But if a single website decides
to do it it would work fine. It would be quite easy to just add a js file with
this. For example this one for the Stanford JS Crypto Library:
[https://github.com/bitwiseshiftleft/sjcl/blob/master/core/sh...](https://github.com/bitwiseshiftleft/sjcl/blob/master/core/sha256.js)

We're currently putting the onus on the end user (who are mostly apathetic),
when really the onus should be on the websites.

~~~
loonyphoenix
How would protecting a single website help? If the password is shared among
different sites, and one of the sites turns out to be malicious, I'll be able
to access your single website just fine by typing the sniffed password into
your textbox, whereupon it can use however much hashing and encryption as it
wants and it won't help.

~~~
tomglynch
Ah I see what you're saying. You're right, in the interim period before
everyone changes to client side hashing that is an issue. Though there's no
loss to implementing it, but it's just not as beneficial until more sites have
it.

For example: If there is no client side hashing: a user uses the same password
for n websites. If one of the n websites gets hacked, an attacker can login to
all n sites.

If on one site you have client side hashing: a user uses the same password for
n websites. If one of the n-1 websites gets hacked, an attacker can login to
all n sites. If the client side hashed website is hacked, the attacker can
only login to 1 site.

Once each site has a unique salt, then we're secure.

Another issue is how can a website migrate over to client side hashing? I
don't think there's an elegant way to do this.
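
Added example (not code from tomglynch or loonyphoenix, and not the SJCL library linked above): a small simulation of per-site client-side pre-hashing on top of ordinary server-side hashing, covering both the benefit tomglynch describes and the limit loonyphoenix points out. The two site origins, the user, the reused password and the request log that stands in for "accidentally logging plaintext passwords" are all constructed for the example; the browser step is modelled with PBKDF2 from `hashlib` rather than browser JS.

```python
"""Simulation of per-site client-side pre-hashing on top of normal server-side
hashing. Two constructed sites: one takes the raw password, one binds it to
its origin in the browser first. Each server logs incoming secrets to model
the 'accidentally logged plaintext passwords' failure."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def client_prehash(password: str, origin: str) -> str:
    """Browser-side step. The origin is the salt: public, but different per
    site, so the same password yields an unrelated value everywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               origin.encode("utf-8"), 100_000).hex()


def server_hash(secret: str, salt: bytes) -> bytes:
    """Server-side hashing is unchanged. It must not be skipped just because
    the client hashed; otherwise the DB would hold login-equivalent values."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


class Site:
    def __init__(self, origin: str, client_hashing: bool):
        self.origin = origin
        self.client_hashing = client_hashing
        self.db: Dict[str, Tuple[bytes, bytes]] = {}
        self.request_log: List[Tuple[str, str]] = []   # constructed leak source

    def browser_submit(self, password: str) -> str:
        """What this site's own login page sends over TLS."""
        return client_prehash(password, self.origin) if self.client_hashing else password

    def register(self, user: str, password: str) -> None:
        secret = self.browser_submit(password)
        salt = os.urandom(16)
        self.db[user] = (salt, server_hash(secret, salt))

    def login_endpoint(self, user: str, secret: str) -> bool:
        """Server side: sees only `secret`. Anyone can POST here directly."""
        self.request_log.append((user, secret))
        if user not in self.db:
            return False
        salt, digest = self.db[user]
        return hmac.compare_digest(server_hash(secret, salt), digest)

    def login(self, user: str, password: str) -> bool:
        return self.login_endpoint(user, self.browser_submit(password))


def run_scenario() -> Dict[str, bool]:
    password = "Winter2019!"                    # constructed; reused on both sites
    plain = Site("https://grocer.example", client_hashing=False)
    bound = Site("https://bank.example", client_hashing=True)
    for site in (plain, bound):
        site.register("alice", password)
        site.login("alice", password)           # one normal login lands in each log
    leaked_from_plain = plain.request_log[0][1]
    leaked_from_bound = bound.request_log[0][1]
    return {
        "plain_site_leaked_raw_password": leaked_from_plain == password,
        "bound_site_leaked_raw_password": leaked_from_bound == password,
        # a raw password stolen elsewhere still opens the pre-hashing site
        "raw_password_opens_bound_site": bound.login("alice", leaked_from_plain),
        # the site-bound value is useless at any other site
        "bound_value_opens_plain_site": plain.login("alice", leaked_from_bound),
        # but it replays at the site it came from by skipping the page JS
        "bound_value_replays_at_own_site": bound.login_endpoint("alice", leaked_from_bound),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The last entry is the caveat worth keeping in mind: pre-hashing in the browser protects other sites from this site's leak, not this site from its own, because the endpoint accepts whatever the client sends. Migration is also visible here: a site switching `client_hashing` on cannot rehash existing records, so it has to re-enrol each user at their next successful login.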

------
kissgyorgy
This has been known for years now, but unfortunately, takes a long time to change.

The other thing that I just read recently and mentioned in this article is
about storing secrets in environment variables. That's not good either because
every running code and subprocess can read it...

~~~
noobermin
As an ignorant person who doesn't do multiuser anything, how is this a problem
if you are sure you're the only user of a physical system? The moment my
computer is compromised by anyone else I'd think all bets are off then.

~~~
sjy
I think the recent compromise at matrix.org [1] is a good example of how
better defence in depth could have mitigated the damage done by an attacker
who compromised a trusted machine. Specifically, access to a developer's SSH
agent was the critical privilege escalation vector in this attack.

[1] [https://github.com/matrix-org/matrix.org/issues/371](https://github.com/matrix-org/matrix.org/issues/371)

------
Doubl
The first time I came across password expiration was on a login I was given to
someone else's windows server. I only needed to log in once a month or less
and every single time I got the message, _your password has expired and must
be changed_ , it was laughably pathetic how they ever expected people to
remember a new hard to guess password every month. So of course I did what
others have said and tagged on a 1 each time to the end.

------
falcor84
The article recommends LastPass but ironically LastPass still asks you to
change the master passphrase every 180 days. I've complained about this a long
time ago and they didn't seem to take my request seriously despite my sending
them links to the NIST recommendations.

~~~
traydee
I've been using lastpass for 6+ years now and its never asked me to change my
master passphrase, let alone every 180 days.

~~~
falcor84
Very strange, I wonder if there's anything special about my account. Here's
the message I'm getting, when I log into the web console:
[https://ibb.co/5vMVyJ4](https://ibb.co/5vMVyJ4)

------
Artemis2
These “baseline rules” come from NIST SP 800-63B, Appendix A, which is a
surprisingly digestible document:
[https://pages.nist.gov/800-63-3/sp800-63b.html#appA](https://pages.nist.gov/800-63-3/sp800-63b.html#appA)

~~~
Jaruzel
And the UK equivalent from the National Cyber Security Council is at:

[https://www.ncsc.gov.uk/collection/passwords/updating-your-a...](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach)

Fun anecdote... I spent 6 months last year designing and implementing a 'Self-
Service' password reset portal system and password synchronisation system for
50k+ users in a large organisation, only for the organisation in question to
switch to non-expiring passwords 1 week before deployment.

Needless to say... usage of the system post deployment was almost non-
existent.

Ah well, at least I still got paid.

------
acidburnNSA
I sent in the NIST announcement to enterprise sysadmins last year as an
opportunity for improvement. They closed as wontfix. I don't blame them for
moving slow. This hopefully will move them a little.

They have a guy whose job is basically to deal with unlocks after password
changes.

------
mnm1
Great but this still exists in outlook online, Amazon, and probably other
places. If Microsoft is really serious about this, they would get rid of
password expiration everywhere. It actually leads to less secure passwords as
combined with their shitty ui and multiple password change systems, each with
its own password rules (another stupidity that needs to die), it leads one to
ignore the password generator and manager and just use a simple password that
can be remembered and changed by one number when it expires. This way I'm not
updating multiple clients constantly and can actually change the password on
the first try. I'm glad such insecure and stupid practices are finally going
away.

------
oedmarap
When signing into Office 365's admin portal for the first time, "Set passwords
to never expire" is actually the first and only wizard-type suggestion that's
presented as a best practice to get out of the way.

It's a nice reminder and the option is already pre-selected so you just have
to click Save. I've gotten into the habit of doing this now even before
configuring domains, users, etc.

The next logical step of course is to enable/enforce MFA for all users as a
thorough auth policy.

------
ecthiender
Surprisingly, the most important organizations (like banks and government
departments who have critical data) who need to ditch this practice, embrace
it like the holy grail.

------
sytelus
I'm in the camp where I don't want systems to do fancy validations on
passwords but I do think expiring passwords is not a bad idea. The thing is
that many times your password can get stolen and you might not even know it.
I've seen people writing down their passwords on sticky notes, saving in
Chrome, get stolen by fake apps etc. At least for Windows, expiring passwords
wasn't huge pain because of integrated authentication everywhere.

------
jaabe
We’re required to have password expiration by law in the public sector of
Denmark. So I’m sure we’ll continue to have it for at least some years to
come.

I must admit I never really understood the function of it. Obviously lifetime
access is more damaging than 3 months access, but the truly devastating thing
is the unauthorised access itself not the length of it. Also the policy
results in really bad practices like people using summer2019 as their password
or writing their current password down on post it’s. We tried blocking stuff
like summer2019, but people get really creative. People also forget to renew
their passwords, costing hundreds of hours in the process.

We have 2FA now, which will soon be required by our adoption of the GDPR, but
you have to wonder why we didn’t get that decades ago instead of the password
expiration.

~~~
LeoPanthera
I briefly worked at a place that enforced quarterly password changes and I
literally used <Season><Year> as my password. I am _not_ good at remembering
passwords and I don't think I'm that unusual. Writing them down seemed worse
than using a poor password that I can at least remember.

Probably these days if forced I would use <Prefix><Season><Year>. I don't know
how much better that is. But luckily now I work for myself.

~~~
tzs
How often have you had information stolen off a credit card, passport,
driver's license, insurance card, or other item with sensitive information
printed on it that you routinely carry around in your wallet?

For most people, the answer is "never".

We are actually quite good at safely keeping secrets on paper in our wallets,
and so generally writing down a password and keeping it there is fine,
especially if the choice is between doing that with a strong password or using
a weak password that you memorize.

~~~
mamon
Plus, people usually have a better memory than they give themselves credit
for. With a reasonably short random password (say, 10-12 chars, uppercase,
lowercase, digits) that you use often, you will memorize it after a week, at
which point you can simply destroy the post-it note you carried in your wallet.

------
jpalomaki
This should be coupled with the usage of multi-factor authentication and
making users aware of when and where their accounts have been used.

In organizations, one issue is users knowingly sharing their accounts with
fellow workers. It's not because they don't know better, but because this is
more convenient. Forced password changes (with limits on password re-use) can
limit the risks caused by this.

------
dagurp
Can we stop linking to Oath family websites until they sort out the cookie
policy UI?

------
afinlayson
There's so many better ways to identify an account than a string of
characters. Just like we shouldn't be using an integer for Credit card numbers
or Social Security (or Social Insurance for the Cdn's)

------
enriquto
Can't we say good riddance to all passwords yet? I yearn for the day where I
can log-in everywhere using public key cryptography.

~~~
Shaddox
Not yet, I'm afraid. Passwords are the best of the bad solutions people came
up with. For public key cryptography, the problem remains, as always, key
exchange. How can one be sure you are who you say you are?

~~~
enriquto
But this only concerns the first usage. Once a public key has been
acknowledged there is never further need for a password. It is only you who
has the private key.

------
tashoecraft
At work a client pushed new security protocols on us and of course management
allowed it. Now I get to update my password every 30 days.

------
RocketSyntax
Yes! I actually got into an argument with our IT team about this.

The only thing it prevents is the continuation of a password-based breach.

------
jazzabeanie
A benefit of enforced password changes is that you can use it to practice
those keys that you are weakest at touch typing.

------
systematical
For those of us who have to remain PCI compliant the tyranny of password
expiration will remain. 90 days unless I am mistaken?

------
arendtio
Nice. So how many years will it take until someone realizes that asking users
to include specific character classes actually decreases password security
too?

What I mean is that if you ask your users for a password that includes lower-
case letters, upper-case letters, numbers and special characters you will
probably end up with something like 'Password123!'.

Instead, we could ask our users for reasonably complex passwords without
requiring to include specific characters sets. Yes, I am talking about

[https://www.xkcd.com/936/](https://www.xkcd.com/936/)

~~~
blarg1
For any password that requires capitals and numbers I always start it with the
capital and end with the number to make it easier for me to remember.

~~~
drilldrive
And I am sure at least 95% of the populace does the same, and that such
passwords are usually quite short. We need a better solution for passwords
than we do now.

------
the_arun
With MFA it reduces the risk of losing password. Without MFA - what if you
don't know your password is stolen?

------
vbezhenar
I am not convinced and I'll continue to rotate my passwords on a periodical
basis.

~~~
gdcohen
And that’s fine. It should be your choice to do this, rather than being forced
to.

------
avodonosov
MFA is annoying too.

------
org3432
I’d like to know why info sec has traditionally been anti-science to begin
with, and if they are going to adopt data backed approaches to back up their
theories, what other old wives' tales will they be addressing next?

------
canterburry
If your want to version secrets, environment variables and code together...
you can, just make sure to use a proper solution such as
[http://configrd.io](http://configrd.io).

