
Frequent password changes are the enemy of security - kneth
http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/
======
Eun
I am a bit shocked that they want to keep old passwords. Imagine some hacker
gains access to a username-password list, but leaks it half a year later
(yes, that has happened). Since you never changed the password, every buyer has
access to your account. But if you had changed your password, even a
minor change, the attackers would ignore your account, since they (usually) have
a lot of other accounts to try. And why bother with the ones that don't
work?

Password changing gives an advantage even if it's just a minor change. Keep
that in mind.

~~~
jjp
> I am a bit shocked, that they want to keep old passwords.

Presumably that is required to stop simple password rotation of Password1,
Password2, Password1.

> why bother with the ones that don't work?

That's going to depend on what the attack is against. If it's a consumer-facing
web site then you're probably right and the attacker will move right along,
unless it's a high-profile account (Zuckerberg et al). If it's an internal
system then the attacker is probably more interested in named accounts/roles, and
spending a few seconds to work out whether the password is an easily
decipherable sequence will quickly pay off.
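
(Editor's added example, not from the article or any commenter above.) The two points raised so far, Eun's "even a minor change" and jjp's "Password1, Password2, Password1" rotation, are exactly what a password-history check has to distinguish. The check below, written for this page, rejects a new password when it is the current one with only case, digits, punctuation or leetspeak changed, when it is within a small edit distance of the current one, or when its "stem" was used before. The history stores only a salted PBKDF2 hash of each stem, so the server never keeps old plaintexts. The stem normalisation (`normalize`) and the leetspeak table are heuristics I chose for illustration, not a standard; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Heuristic leetspeak map (assumption for this example; "1" is read as "i").
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "!": "i", "|": "l"})


def normalize(password: str) -> str:
    """Reduce a password to the 'stem' a rotating user keeps reusing.

    Strips leading/trailing digits and punctuation (Password1, Password2!),
    lower-cases, and undoes common leetspeak (P@ssw0rd), so all of those
    collapse to "password".  Purely numeric/symbol passwords keep their
    lower-cased form so the stem is never empty.
    """
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    if not core:
        return password.lower()
    return core.lower().translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean 'one or two keys changed'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class PasswordHistory:
    """Per-user history of hashed stems (no plaintext retained)."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    stems: list = field(default_factory=list)
    max_entries: int = 10

    def _digest(self, stem: str) -> bytes:
        # Salted, iterated hash so the stored stems cannot be read back cheaply.
        return hashlib.pbkdf2_hmac("sha256", stem.encode(), self.salt, 50_000)

    def record(self, password: str) -> None:
        self.stems.append(self._digest(normalize(password)))
        del self.stems[:-self.max_entries]   # keep only the newest entries

    def seen_stem(self, password: str) -> bool:
        d = self._digest(normalize(password))
        return any(hmac.compare_digest(d, s) for s in self.stems)


def check_new_password(history: PasswordHistory, current: str, new: str,
                       min_distance: int = 4):
    """Return a rejection reason, or None when the change is acceptable.

    `current` is available in plaintext because the user just typed it to
    authorise the change; older passwords are only available as stem hashes.
    """
    if normalize(new) == normalize(current):
        return "differs from the current password only by case, digits, punctuation or leetspeak"
    if levenshtein(current.lower(), new.lower()) < min_distance:
        return f"too close to the current password (edit distance < {min_distance})"
    if history.seen_stem(new):
        return "a variant of this password was already used before"
    return None


if __name__ == "__main__":
    # Constructed sample: a user who has rotated through Winter2019 and Password1.
    hist = PasswordHistory()
    hist.record("Winter2019")
    hist.record("Password1")
    for candidate in ["Password2", "P@ssw0rd3!", "Passwordd1",
                      "W1nter2024!", "correct-horse-battery"]:
        verdict = check_new_password(hist, "Password1", candidate)
        print(f"{candidate:24} -> {verdict or 'accepted'}")
```

The order of the three gates matters: the cheap plaintext comparisons against the current password run first, and only then is the new password's stem hashed and compared against history, so an attacker who can trigger password changes cannot use the check as a cheap oracle for which stems are stored.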

~~~
Eun
True on some points. Password rotation is bad. But isn't it better to rotate a
bad password than to keep a bad password?

Furthermore, if you have an internal system, the administrator should enforce
certain password conditions. They could even forbid the use of old
passwords...

~~~
brudgers
One common criterion for a 'bad password' is a password that is already
contained in a rainbow table or is easily generated upon creation of a new
rainbow table.

If the current password is in the table, how long it has been in use doesn't
matter.

Rotating passwords mostly addresses an internal workplace issue of sharing
passwords between coworkers. That's a symptom of security culture problems and
probably more deeply operational organization problems => why don't people
have access to the tools they need when they need them?

