Hacker News new | past | comments | ask | show | jobs | submit login
Why don't we expire passwords on the web? (mrspeaker.net)
23 points by mrspeaker on Dec 13, 2010 | hide | past | favorite | 41 comments

If I really had to choose, I'd prefer people to use stronger passwords than to have them expire.

Quite often in companies I work for, forced expiration leads to passwords written on post-its, because people cannot follow the pace.

Maybe having a biometrics authentication coupled with some kind of 1password would be better!

A password on a post-it is only bad if it's the password to gain access to your machine. If I put my password for HN on a post-it next to my home computer, it's about as safe as it will ever be.

Honestly, if someone has broken into my home, my password to HN will probably be amongst the least of worries (and lowest on the list of priorities for the thief to pick up - I'll loose my computer before I loose the password).

Biometrics are only useful if the remote database and the transmission path is secure. If not, they can re-create & retransmit the biometric hash much like they do your password.

Schneier actually recommends writing your password on a piece of paper in your wallet. (even better, just a hint).

I don't think Schneier recommends a hint. That's only good if your password sucks to begin with.

And it's not the 'writing down' part that's a security risk, it's the 'storing in an insecure location' that is. Password in wallet, fine. Password post-it stuck to monitor, not fine.

"If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence - or better yet - a hint that will help you remember your sentence. "


Because expiring passwords is a horrible idea.

At the place I work at, most everyone just changes their password monthly like: "password1", "password2", etc.. Anything more difficult than that then they are likely to forget their password.

Another awful idea is locking people out if the password is wrong after 3 attempts. Then you have mischievous characters entering in 3 bogus passwords just to lock you out of your account and inconvenience you.

The whole concept of expiring passwords should be gotten rid of everywhere.

For about an year and a half I've been using a simple trick that I learned from a friend of mine who is very good at using exploits to enter company websites and find security leaks. He was also very very cautious about security and pretty much didn't trust any software to manage his credentials (not even a notepad or sticky notes).

So his method is: For every domain use separate password which you can simply generate in your head every time you need to log in. For example by the formula f(domain_name)


f(domain_name) = "abc"+first_and_third_letters(domain_name)+"123";

f(google) = "abcgo123"

This way if one site you use is hacked and your password stolen, they can't get to any other of your data online.

A couple of hints for this:

1 - can it be easily reverse engineered if somebody gets their hands on 2 of your passwords?

2- use a different formula for banking and other highly secure sites.

The above formula fails the 1st test, but it's easy to tweak. Here's another formula:

first 4 letters => the 4 letters to the right of the first letter of the domain name on a qwerty keyboard, wrapping as necessary. the number "3" last 4 letters => the 4 letters to the right of the third letter of the domain name.

So for google the password would be:


ycombinator would be:


et cetera.

Make sure you have a number in your formula, so you don't get thrown by sites that require a number.

P.S. the formula I use is much different from that described. :)

Couldn't someone deduce that his hotmail password is abcho123?

Edit: If they compromised one of his other accounts...

yes, they could, if you use something that simple, AND they know you are using such a scheme. I used that just as an example. In reality you'd use something a little bit more complicated raising the bar for them by a considerable amount.

Maybe with that naive formula.

First and foremost, we like to tell people that we have 500 million active users using our webapps. Thinking about things such as active users compared to raw signups is negative and we naturally try to avoid negative reports. Expiring passwords would be a very easy way to measure how many active, engaged members a site has. If we start expiring passwords, it will become very clear how effective our leadgen efforts are as well as how strong our communities actually are.

Generally, users come and go. We accept them as engaged, contributing users when they preform an action once every x number of days. Expiring passwords is one more hurdle that must be crossed when a user returns. Any hurdle, even an "email me a login link" will force a percentage of users to re-evaluate their desire to contribute.

People will learn that using one password multiple times has serious repercussions. Already, we're seeing the proliferation of standalone password managers and easy to use bookmarklettes such as SuperGenPass.

I think that the solution to this problem is: Any time that a user requests a new or renewed password, e-mail them a link to a trustworthy, cross platform password manager. Explain that you have no affiliation with the company you're mentioning, but in a short sentence or two, convey that using a strong, unique password is important for their security across the web.

Why do we have passwords? I mean, ok, I know why, but he mentioned he's just going to enter random gibberish and then use the recover password links when he needs to log in to sites again. Why don't any sites, as an option, cut out the middleman and just have an "email me a login link"? No need to save a password at all, just a good for a single login link and the usual session tracking.

You don't store passwords on your inbox, do you? The reason is that if someone has access to your email, then you are screwed. Same applies with what this guy is proposing: I find your email password, I change it and you are screwed.

But sites that provide an "I forgot my password" already have this vulnerability if they don't ask for any further information to recover your password. Many sites don't. If someone has access to your email, you're already just as screwed.

Sites that do ask for extra info (Mother's maiden name type of thing) are protected against this, but there are an awful lot of sites that never ask you for anything but an email address and a password when signing up.

Those are the sites who are not doing their job properly and there's no reason to adapt to their solution. Getting rid of passwords tout-court may seem convenient but it's really bad for security.

I like this idea.

You wouldn't even need to make it only work for a single login. Let it live for a year or forever. Automate the bookmark procedure for them as well, so their bookmark for your site (https, of course) would automatically log them in, as it would contain a very large random string that identifies them. For extra points on sensitive sites, tie that random string to their IP address, so it only works from the IP address they were at when they first clicked it. If they click it from a new IP address, an email is sent, asking permission to whitelist that IP address for them as well.

If we're going to do away with passwords, let's at least do it properly with smartcards.

I've worked with systems that used USB tokens with X509 certificates for authentication and the tokens still required a password (as with Chip-n-Pin cards).

The "something you have" only really works as an additional authentication factor to the "something you know" of the passwords.

(I didn't say smartcards don't need passwords..)

Who wants to carry a smartcard everywhere?

Who wants to carry their housekeys everywhere?

Certainly not me. I had to tie it to my shoelace when I was going for a run, as my running shorts don't have pockets. Now, of course, as technology has caught up, I bought a lock from Home Depot that allows me to just remember a combination and not use house keys. Much nicer.

You'd still need a password for your email...

Sure, it's clearly not a good idea for every site. But for things people treat as throwaway already (like gawker logins), why not? It doesn't seem like it's any less secure than things are now, especially if, as the author proposes, you're going to purposefully not remember your passwords and always use the recovery links.

Email is not universally reliable enough for that to be practical.

If you leave browsers logged in, it might be a little more so, but still, I want to log in now. Not in a half an hour after the email works its way through my company's spam filters.

If your emails take 30 minutes to arrive then there is something seriously wrong somewhere.

I guarantee a considerable fraction of your users are using mail servers that have something seriously wrong somewhere.

Or the server uses greylisting as part of their spam prevention mechanisms.

Be careful when you ask "Why don't any sites...". At least one site does have this option: http://ourdoings.com/

It's called OpenID. However it won't send you a link, but will just ask you to press "Yes, Log in" button.

Because it's the most annoying thing you can do to torture a user. The University of Texas does this - it's a nightmare.

UW-Platteville does this and there is no way to reset your password off campus if it expires before you change it. You can't even call up the help desk to get a reset, they refuse to help you. My brother had to drive 4 hours to campus to get his password reset.

UW-Green Bay (where I went) has the same policies as UW-Platteville but has a remote reset page requiring your Student ID, SSN, and DOB.

Okay, we need centralised authentication of some sort. Since everyone seems to hate OpenID, is there a good protocol we can use now? OAuth looks good, but I don't know of any way to have individual servers, like OpenID.

A great solution would be to have what is, essentially, OpenID, but verified by your email provider. You enter your email (instead of a URL), and get sent to your email provider for authentication. Nobody forgets their email...

Regardless, what's a good alternative now?

There's nothing wrong with OpenID in my opinion, I use it 9:10 times logging into this very website through ClickPass. The thing that doomed the project, from what I've been reading (and I've done a lot of reading because I thought it was a great idea) was the lack of documentation.

Both technical documentation and soft documentation ranging from how end users should interact with it, and what the best practices are. This seems to be an Achilles heel of a lot of projects like this in various patterns regarding informing users how to use it, versus how developers can develop for it.

I love OpenID too, I use it on every single site that supports it. However, I hear that people don't like it very much, probably because of the reason you mentioned. It's very sad, I think it had (and still has) great potential. Another problem with OpenID is that non-technical users can't really understand it :/

I haven't yet seen anyone suggest password-sync as a solution to this.

Just set up your browser to sync passwords, then generate random strong passwords and store it. It'll sync to your other browsers and you're good to go, until you use a browser that isn't your own. And if you're really using those sites from computers you don't own, you have other problems to work out first.

lastpass.com does sync passwords across computers and devices.

I suspect it's because people don't like entering passwords and generally only have one or two for the entire Internet, so forcing them to enter the same one again every so often (or, worse, forcing them to enter a different one!) would not make good business sense.

Secure hashing algorithm => problem solved.

I made a widget once to hash a unique password for each domain. Just copy-paste the domain into the widget and it automatically copies the password to the clipboard. All fine and dandy until mobile came along... now I'm entering 16 character strings of alphnumeric and symbol characters by hand to log in to my facebook account, etc... security pass, usability fail.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact