FRESH

Hacker News

Forcing people to change their passwords is officially a bad idea

86 points by Brajeshwar

by wlesieutre

0 subcomment

Forcing periodic password changes has been against NIST recommendations since 2017
[PDF] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (page 14)
What's new in 2024's draft is changing this from "SHOULD NOT" to "SHALL NOT"

by icedchai

0 subcomment

I work with several organizations that force password changes. I add month/year of change to the "base" password every 2 to 3 months. It's a total waste of time.

by navjack27

0 subcomment

The most annoying thing in the past years has been some of my government assistance accounts and other things that have limited character set definitions and forced rotation. Even though I use a password manager that's local on my computer for this stuff it's still utterly frustrating because of the way they handle it. I've had to call up and reset passwords because something in the middle during the rotation or before the rotation even began and I ignored the changing of the password for long enough that the account was just unusable.
do you see how what I end up having to do absolutely circumvents the security of rotating a password.

by fire_lake

2 subcomments

If password rotation is a bad idea, how do you deal with password compromises and credential stuffing attacks? Passwords tend to leak eventually.

by Modified3019

0 subcomment

by bitwize

1 subcomments

Not if you have security compliance rules you need to comply with in order to get customers, and those rules stipulate a password rotation schedule!