
It's time to rethink mandatory password changes - Sukotto
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
======
kwikiel
It's nearly impossible to talk about security in government orgs without
extreme bike shedding regarding password length, changes and special
characters.

It's not only about security - we have to factor out usability to prevent
yellow stickers with "hard passwords".

2FA gives both usability and security, and easy detection of a dictionary attack
against the system - it could even allow deliberately leaking passwords and
then monitoring honeypots.

------
orionblastar
I can tell you working as a federal contractor or employee in an IT department
that complex passwords are hard for most people to remember.

We always had to change the password for people who forgot their password to
"Password" or some other easy to remember word, and then they are supposed to
change it when they log on but more often than not they don't even bother to
change it.

So you had administrative accounts for all of the managers because they wanted
access to everything to monitor employees. When those accounts got an easy-to-
guess password, crackers could get in and mess with stuff.

It isn't just people outside the organization, people inside the organization
want to crack databases and steal stuff so they can sell it.

I worked for a law firm and some people in the business office had DDOS tools
to take out my machine because I was a programmer. I wrote a function called
SQlFilter that filtered out SQL control codes and tripled up single quotes so
they couldn't do an exploit in SQL to drop tables or edit data. I wasn't very
popular for writing that function.
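The comment above describes a hand-rolled filter that escapes quotes to stop SQL injection. The example below is added here and is not code from the thread or from the commenter's SQlFilter; it contrasts three ways of building the same lookup against a constructed in-memory SQLite table: plain concatenation (injectable), a quote-escaping filter in the spirit of the one described (hypothetical name `quote_filter`, which only helps inside a string literal), and a parameterized query, which is the standard fix. It also shows the numeric-context case that quote escaping cannot cover. All table names, rows and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample schema and data for the demonstration (not from the page).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com');
INSERT INTO users (name, email) VALUES ('bob', 'bob@example.com');
"""


def fresh_db():
    """Return a new in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def quote_filter(value):
    """Hypothetical escaping filter: doubles single quotes so user input cannot
    terminate a string literal. It only makes sense when the value is placed
    inside '...'; it does nothing for numeric or identifier positions."""
    return str(value).replace("'", "''")


# --- lookup by name: the value sits inside a quoted string literal ---------

def by_name_concat(conn, name):
    """Vulnerable: input concatenated straight into the SQL text."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def by_name_filtered(conn, name):
    """Escaping: the quote can no longer close the literal, so the tautology
    below is matched as a literal name and nothing is returned."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + quote_filter(name) + "'"
    return conn.execute(sql).fetchall()


def by_name_param(conn, name):
    """Hardened: the driver binds the value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- lookup by id: the value sits in a numeric position, no quotes at all ---

def by_id_concat(conn, user_id):
    """Vulnerable: 'WHERE id = 1 OR 1=1' returns every row."""
    sql = "SELECT id, name, email FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


def by_id_filtered(conn, user_id):
    """Escaping quotes does not help here: the payload contains no quotes."""
    sql = "SELECT id, name, email FROM users WHERE id = " + quote_filter(user_id)
    return conn.execute(sql).fetchall()


def by_id_param(conn, user_id):
    """Hardened: a bound value like '1 OR 1=1' is compared as data, matching no id."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    tautology = "' OR '1'='1"
    # Note: sqlite3.execute() refuses stacked statements, so a "; DROP TABLE"
    # payload is not demonstrable here; the tautology shows data exposure.
    print("concat by name:  ", by_name_concat(db, tautology))     # both rows
    print("filtered by name:", by_name_filtered(db, tautology))   # []
    print("param by name:   ", by_name_param(db, tautology))      # []
    print("concat by id:    ", by_id_concat(db, "1 OR 1=1"))      # both rows
    print("filtered by id:  ", by_id_filtered(db, "1 OR 1=1"))    # both rows
    print("param by id:     ", by_id_param(db, "1 OR 1=1"))       # []
```

The point of the second group is the practical caveat: an escaping filter is tied to one quoting context, while a bound parameter is safe in any position, which is why parameterized queries rather than input filtering are the recommended defence.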

