

Why don't we expire passwords on the web? - mrspeaker
http://www.mrspeaker.net/2010/12/14/password-expiration

======
thibaut_barrere
If I really had to choose, I'd prefer people to use stronger passwords than to
have them expire.

Quite often in companies I work for, forced expiration leads to passwords
written on post-its, because people cannot follow the pace.

Maybe having a biometrics authentication coupled with some kind of 1password
would be better!

~~~
bryanlarsen
Schneier actually recommends writing your password on a piece of paper in your
wallet (even better, just a hint).

~~~
kgo
I don't think Schneier recommends a hint. That's only good if your password
sucks to begin with.

And it's not the 'writing down' part that's a security risk, it's the 'storing
in an insecure location' that is. Password in wallet, fine. Password post-it
stuck to monitor, not fine.

~~~
bryanlarsen
"If you can't remember your passwords, write them down and put the paper in
your wallet. But just write the sentence - or better yet - a hint that will
help you remember your sentence. "

[http://www.guardian.co.uk/technology/2008/nov/13/internet-pa...](http://www.guardian.co.uk/technology/2008/nov/13/internet-passwords)

------
henry81
Because expiring passwords is a horrible idea.

At the place I work, most everyone just changes their password monthly,
like "password1", "password2", etc. Anything more difficult than that and
they are likely to forget their password.

Another awful idea is locking people out if the password is wrong after 3
attempts. Then you have mischievous characters entering in 3 bogus passwords
just to lock you out of your account and inconvenience you.

The whole concept of expiring passwords should be gotten rid of everywhere.
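
The rotation pattern described above ("password1", "password2", ...) is one a
change-password endpoint can refuse, because at change time the user supplies
both the old and the new password in cleartext. The following is an added
example (not code from the thread or from any site mentioned in it): it
reduces each password to the part people actually remember and rejects a new
password whose core is the same as the old one, is its reversal, or is within
a couple of edits of it. The leet table and the edit threshold are this
example's own choices.

```python
import re
import unicodedata

# Cheap undo of the substitutions people use to satisfy complexity rules.
_LEET = str.maketrans("@$031", "asoei")


def _core(pw: str) -> str:
    """Reduce a password to the part people actually remember: NFKC-fold,
    lower-case, strip the trailing digits/punctuation that get incremented,
    then undo common leet. "P@ssw0rd2!" -> "password"."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = re.sub(r"[\d\W_]+$", "", s)
    return s.translate(_LEET)


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is the kind of change an expiry policy provokes:
    same core with a different suffix, the old password reversed, or a
    change of at most `max_edits` characters. Call this from the
    change-password handler, where `old` has just been verified."""
    if old == new:
        return True
    o, n = _core(old), _core(new)
    if o and o == n:          # password1 -> password2, Summer11! -> summer12
        return True
    if o and n == o[::-1]:    # password -> drowssap
        return True
    return _levenshtein(old.lower(), new.lower()) <= max_edits


if __name__ == "__main__":
    for old, new in [("password1", "password2"), ("P@ssw0rd1!", "Password2"),
                     ("tr0ub4dor&3", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_variation(old, new)}")
```

The check only sees the one previous password; if the policy also keeps a
history of old password hashes, those cannot be compared this way (only
equality can be tested against a hash), which is one more reason the cores
are compared at change time rather than later.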

------
mitko
For about a year and a half I've been using a simple trick that I learned
from a friend of mine who is very good at using exploits to enter company
websites and find security leaks. He was also very very cautious about
security and pretty much didn't trust any software to manage his credentials
(not even a notepad or sticky notes).

So his method is: for every domain use a separate password which you can simply
generate in your head every time you need to log in, for example by a
formula f(domain_name).

Ex:

f(domain_name) = "abc"+first_and_third_letters(domain_name)+"123";

f(google) = "abcgo123"

This way, if one site you use is hacked and your password stolen, they can't
get to any of your other data online.

~~~
ekanes
Couldn't someone deduce that his hotmail password is abcho123?

Edit: If they compromised one of his other accounts...

~~~
mitko
Yes, they could, if you use something that simple AND they know you are using
such a scheme. I used that just as an example. In reality you'd use something
a little bit more complicated, raising the bar for them by a considerable
amount.

------
RBr
First and foremost, we like to tell people that we have 500 million active
users using our webapps. Thinking about things such as active users compared
to raw signups is negative and we naturally try to avoid negative reports.
Expiring passwords would be a very easy way to measure how many active,
engaged members a site has. If we start expiring passwords, it will become
very clear how effective our leadgen efforts are as well as how strong our
communities actually are.

Generally, users come and go. We accept them as engaged, contributing users
when they perform an action once every x number of days. Expiring passwords is
one more hurdle that must be crossed when a user returns. Any hurdle, even an
"email me a login link" will force a percentage of users to re-evaluate their
desire to contribute.

People will learn that using one password multiple times has serious
repercussions. Already, we're seeing the proliferation of standalone password
managers and easy to use bookmarklets such as SuperGenPass.

I think that the solution to this problem is: Any time that a user requests a
new or renewed password, e-mail them a link to a trustworthy, cross platform
password manager. Explain that you have no affiliation with the company you're
mentioning, but in a short sentence or two, convey that using a strong, unique
password is important for their security across the web.

------
Ogre
Why do we have passwords? I mean, ok, I know why, but he mentioned he's just
going to enter random gibberish and then use the recover password links when
he needs to log in to sites again. Why don't any sites, as an option, cut out
the middleman and just have an "email me a login link"? No need to save a
password at all, just a link that's good for a single login and the usual
session tracking.
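
The "email me a login link" flow proposed above, as an added example in Python
(not code from the thread or from any site): the link carries a 256-bit
random token, the server stores only a keyed hash of it, the link expires
after a short TTL and is consumed on first use whether or not it succeeds.
The in-memory store, the `MagicLinkAuth` class and the injectable clock are
this example's own; the mailer is replaced by returning the URL so the code
runs offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LINK_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    email: str
    expires_at: float


class MagicLinkAuth:
    """Issue and redeem single-use login links. Only an HMAC of each token
    is kept, so a copy of the store (or a log line of it) cannot be replayed
    without the server-side pepper."""

    def __init__(self, base_url: str, clock: Callable[[], float] = time.time):
        self.base_url = base_url.rstrip("/")
        self.clock = clock
        self._pepper = secrets.token_bytes(32)      # server secret, not stored with records
        self._pending: Dict[bytes, PendingLogin] = {}

    def _digest(self, token: str) -> bytes:
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).digest()

    def request_link(self, email: str) -> str:
        """Create a link for `email` and return the URL the mailer would send
        (returned instead of sent so the example runs offline). Rate-limit
        this per address in production."""
        token = secrets.token_urlsafe(32)            # 256 bits of entropy
        self._pending[self._digest(token)] = PendingLogin(
            email=email.strip().lower(),
            expires_at=self.clock() + LINK_TTL_SECONDS,
        )
        return f"{self.base_url}/login?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the e-mail the link authenticates, or None. The record is
        removed on the first attempt whether or not it succeeds, so a link
        is single-use and an expired one cannot be retried."""
        rec = self._pending.pop(self._digest(token), None)
        if rec is None or self.clock() > rec.expires_at:
            return None
        return rec.email

    def purge_expired(self) -> int:
        """Drop records past their TTL (run periodically); returns the count."""
        now = self.clock()
        stale = [k for k, v in self._pending.items() if now > v.expires_at]
        for k in stale:
            del self._pending[k]
        return len(stale)


def token_from_url(url: str) -> str:
    """Helper for the demo: pull the token back out of the generated URL."""
    return url.split("token=", 1)[1]


if __name__ == "__main__":
    auth = MagicLinkAuth("https://example.test")
    url = auth.request_link("Alice@Example.com")
    tok = token_from_url(url)
    print("first use :", auth.redeem(tok))   # alice@example.com
    print("second use:", auth.redeem(tok))   # None
```

One caveat for a real deployment: corporate mail scanners prefetch links in
incoming mail, and a GET that logs the user in would be consumed by the
scanner. Serve a page with a "Sign in" button at the link and redeem the
token on the POST, and mark the resulting session as having come from a
mailbox, since whoever controls that mailbox now controls the account.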

~~~
nodata
If we're going to do away with passwords, let's at least do it properly with
smartcards.

~~~
arethuza
I've worked with systems that used USB tokens with X509 certificates for
authentication and the tokens still required a password (as with Chip-n-Pin
cards).

The "something you have" only really works as an additional authentication
factor to the "something you know" of the passwords.

~~~
nodata
(I didn't say smartcards don't need passwords..)

------
damoncali
Because it's the most annoying thing you can do to torture a user. The
University of Texas does this - it's a nightmare.

~~~
epochwolf
UW-Platteville does this and there is no way to reset your password off campus
if it expires before you change it. You can't even call up the help desk to
get a reset, they refuse to help you. My brother had to drive 4 hours to
campus to get his password reset.

UW-Green Bay (where I went) has the same policies as UW-Platteville but has a
remote reset page requiring your Student ID, SSN, and DOB.

------
StavrosK
Okay, we need centralised authentication of some sort. Since everyone seems to
hate OpenID, is there a good protocol we can use now? OAuth looks good, but I
don't know of any way to have individual servers, like OpenID.

A great solution would be to have what is, essentially, OpenID, but verified
by your email provider. You enter your email (instead of a URL), and get sent
to your email provider for authentication. Nobody forgets their email...

Regardless, what's a good alternative now?

~~~
iamdave
There's nothing wrong with OpenID in my opinion, I use it 9:10 times logging
into this very website through ClickPass. The thing that doomed the project,
from what I've been reading (and I've done a lot of reading because I thought
it was a great idea) was the lack of documentation.

Both technical documentation and soft documentation ranging from how end users
should interact with it, and what the best practices are. This seems to be an
Achilles heel of a lot of projects like this in various patterns regarding
informing users how to use it, versus how developers can develop for it.

~~~
StavrosK
I love OpenID too, I use it on every single site that supports it. However, I
hear that people don't like it very much, probably because of the reason you
mentioned. It's very sad, I think it had (and still has) great potential.
Another problem with OpenID is that non-technical users can't really
understand it :/

------
wccrawford
I haven't yet seen anyone suggest password-sync as a solution to this.

Just set up your browser to sync passwords, then generate random strong
passwords and store them. It'll sync to your other browsers and you're good to
go, until you use a browser that isn't your own. And if you're really using
those sites from computers you don't own, you have other problems to work out
first.

~~~
Jencha
lastpass.com does sync passwords across computers and devices.

------
wzdd
I suspect it's because people don't like entering passwords and generally only
have one or two for the entire Internet, so forcing them to enter the same one
again every so often (or, worse, forcing them to enter a different one!) would
not make good business sense.

------
olalonde
Secure hashing algorithm => problem solved.

~~~
superk
I made a widget once to hash a unique password for each domain. Just copy-
paste the domain into the widget and it automatically copies the password to
the clipboard. All fine and dandy until mobile came along... now I'm entering
16-character strings of alphanumeric and symbol characters by hand to log in to
my facebook account, etc... security pass, usability fail.
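
The per-site derivation discussed in the thread, in mitko's f(domain_name),
in bookmarklets like SuperGenPass and in superk's domain-hashing widget, as
one added example in Python (not code from the thread, from SuperGenPass or
from superk's widget). The naive formula from the thread is reproduced for
contrast; the hardened version derives each site's password from a master
secret with PBKDF2-HMAC-SHA256, so a password leaked by one site reveals
nothing about the master or about any other site, and a per-site counter
lets one site's password be rotated without touching the rest. The domain
normalisation, the alphabet, the length and the iteration count are this
example's own choices.

```python
import hashlib
from urllib.parse import urlsplit


def mitko_style(domain: str) -> str:
    """The scheme exactly as posted in the thread: "abc" + first and third
    letters + "123". Anyone who sees one output and knows the rule has them all."""
    return "abc" + domain[0] + domain[2] + "123"


def site_key(url_or_host: str) -> str:
    """Normalise what the user types so the same site always gives the same
    password: scheme, path and port dropped, lower-cased, leading 'www.'
    removed, last two labels kept. Simplification: no public-suffix list, so
    'example.co.uk' collapses to 'co.uk'; a real tool would consult one."""
    if "//" not in url_or_host:
        url_or_host = "//" + url_or_host
    host = (urlsplit(url_or_host).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"


def derive_password(master: str, site: str, length: int = 16,
                    counter: int = 1, iterations: int = 100_000) -> str:
    """Per-site password = PBKDF2-HMAC-SHA256(master, salt=site#counter).
    The slow KDF makes guessing the master from one leaked site password
    expensive; the counter is bumped when that one site is breached.
    Characters are picked by rejection sampling so each position is
    uniform over ALPHABET (256 is not a multiple of 70)."""
    salt = f"{site_key(site)}#{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations,
                              dklen=length * 3)   # spare bytes for rejections
    limit = 256 - (256 % len(ALPHABET))
    out = []
    for b in raw:
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                return "".join(out)
    raise RuntimeError("ran out of KDF output; increase dklen")


if __name__ == "__main__":
    master = "correct horse battery staple"       # example master secret
    for site in ("https://www.google.com/accounts", "mail.google.com", "hotmail.com"):
        print(f"{site:35} {site_key(site):12} {derive_password(master, site)}")
```

The usability problem superk ran into is unchanged by any of this: a
16-character derived password still has to be typed on a phone. What the
keyed derivation fixes is ekanes's objection, since without the master
secret no number of leaked site passwords yields the next one.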

