Hacker News new | past | comments | ask | show | jobs | submit login

Rotating credentials prevents them from being used for a longer time after they've been stolen.

This is the sole reason why Let's Encrypt does 30-day certificates, and why the session tokens in OIDC are usually a few minutes at most.

The only one that's using a session token without invalidation time, forever, is Uber, and that was heavily criticized last time on HN.

And now, everyone's apparently in support of using the same password as login token for decades, never changing it.




You’re jumping all over the place.

Passwords != session tokens != certificates.

Passwords are a form of access control. I repeat: a strong password cannot be brute forced for billions of years. Even with technological advancements, most strong passwords are well over what’s required to literally be safe for a lifetime.

Certificates are not a form of access control, like I explained in my other response to you. They are a form of cryptographic authentication. Digital signatures cannot be revoked offline, which is a problem because they’re used by other parties for validating trust. Therefore, certificates have a built-in dead man’s switch that requires renewal.

Passwords are not used for validating trust. They’re not comparable to certificates. Stop using certificates as an example of why passwords need to be rotated, because certificates don’t even use “rotation” in that sense of the word.


> Passwords are a form of access control. I repeat: a strong password cannot be brute forced for billions of years. Even with technological advancements, most strong passwords are well over what’s required to literally be safe for a lifetime.

The topic was never about brute forcing, that’s irrelevant.

It’s always about exfiltrated passwords, certificates or session tokens.

You usually have additional authentication requirements so that changing the password requires more than just the password, but an attacker that exfiltrates the password can still read everything.

For example, an attacker that obtains my onlinebanking password will be able to read all transactions, but not make changes. In this way, the password acts identical to a session token – an attacker exfiltrating a session token will get the same access.

The goal is to reduce this ability – changing the password as often as the offline session token ensures that if an attacker had such read access, as is possible with many services, this access will not continue forever.

With your suggestion, of using an identical password for decades, a potential attacker has for decades read access to the bank account. This is undesirable.

Yes, preventing exfiltration would be better, but exfiltrating session tokens and passwords is identical in terms of attack surface, and as result, they should be protected identically.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: