by abzug on 3/4/22, 1:53 PM with 272 comments
by Beached on 3/4/22, 3:33 PM
Every company (all 3 of them) I have worked at within the last 10 years, the IAM team had already implemented, or was working on implementing, a system that removed regular rotation, special chars and number requirements, and relied on three things: length, a dictionary check at the time of pass creation, and routine dictionary attacks against the credential store. This started 10 years ago; for someone to make the same claims now is not a shock.
Please note that if you are unable to implement such an IAM system, especially if you are unable to dictionary check the credentials against known lists (seclists' github is great for this), then length plus regular rotation is still the recommendation.
by Brian_K_White on 3/4/22, 3:15 PM
But updating a password is itself an attack surface. More so than merely using it to log in.
It's one of the times where an attacker may be tricking you into giving it to them, either by a fake page or app dialog, or in concert with maybe they have a way to receive the verification email or text.
Also it's a less frequent operation, meaning it's easier to fake. You are more likely to notice any tiny discrepancy and detect a fake in the way your normal login screen looks than in some account management screen.
Basically updating a password is a riskier action than the normal daily use of the same password.
And that alone is its own even stronger argument for avoiding doing it unnecessarily.
by e1g on 3/4/22, 2:36 PM
In practice, this new rule contradicts almost every InfoSec stance out there, but all government agencies must comply with this new rule by the end of the year, so expect lots of conversations and changes.
[1] https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-0... Approachable summary at https://www.bastionzero.com/blog/i-read-the-federal-governme...
by colinclerk on 3/4/22, 2:14 PM
Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed.
It's called NIST 800-63B and available here: https://pages.nist.gov/800-63-3/sp800-63b.html
Shameless plug - I'm the cofounder of Clerk and we handle passwords in a sane way out-of-the-box: https://clerk.dev/features/passwords
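The quoted 800-63B rules, together with the length-plus-dictionary-check approach Beached describes above, reduce to a short verifier-side check. This is an added illustration, not code from either commenter, Clerk or NIST; the blocklist is a constructed stand-in for a breached-password list such as SecLists, and the username check is the spec's "context-specific words" clause.

```python
import unicodedata

# Constructed stand-in for a breached-password list (SecLists, HIBP, ...).
# A real deployment loads the full list or queries a k-anonymity API.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}

MIN_LEN_CHOSEN = 8      # memorized secret chosen by the subscriber
MIN_LEN_GENERATED = 6   # secret generated by the CSP/verifier, may be all digits
MAX_LEN = 128           # 800-63B says you SHOULD permit at least 64; cap higher


def normalize(secret: str) -> str:
    """NFKC-normalize before measuring length or comparing, as 800-63B advises."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, username: str = "",
                           chosen_by_user: bool = True,
                           blocklist=BLOCKLIST):
    """Return (accepted, reason).

    Length and a compromised-value blocklist are the only rules applied;
    there is deliberately no uppercase/digit/symbol composition requirement.
    """
    s = normalize(secret)
    min_len = MIN_LEN_CHOSEN if chosen_by_user else MIN_LEN_GENERATED
    if len(s) < min_len:
        return False, f"must be at least {min_len} characters"
    if len(s) > MAX_LEN:
        return False, f"must be at most {MAX_LEN} characters"
    lowered = s.lower()
    # Compare case-insensitively so "Password" is caught along with "password".
    if lowered in blocklist:
        return False, "appears on a list of compromised passwords; choose another"
    # Context-specific words: the username (and anything containing it) is out.
    if username and username.lower() in lowered:
        return False, "must not contain your username"
    return True, "ok"
```

Note that nothing here stops "correct horse battery staple" style passphrases with spaces, which is the intent of the guidance.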
by cromd on 3/4/22, 3:04 PM
And as others pointed out, breaches aren't always known or disclosed. Is it too late if you change your password 6 months after it's compromised? Not sure - maybe people sit on their exploits sometimes, or wait for a better buyer, or sell secrets in small batches.
All that said, I've never changed a password when it was newer than 5 years old, and only do it for crucial services, but if I were a bigger target, I might do it more.
by brightball on 3/4/22, 3:01 PM
Assume the passwords for all of your users are public. Doesn't matter how it happened. How are your users protected?
The moment that people go down this road of thought everything gets a lot better.
1. How do you restore accounts that may have been taken over?
2. How do you detect logins that look like normal behavior vs those that don't?
3. Is a password alone enough to get them in?
If you address those 3 things everything gets A LOT easier for you and your users.
by ejb999 on 3/4/22, 2:28 PM
When you ask people to remember too many passwords, they start writing them down and/or forgetting them, which leads to other problems.
My oldest online account - btw it is a brokerage account at one of the big brokerage houses, where a great deal of my cash and investments sit - has not asked me to change the password in close to 25 years, which I find quite funny.
by Moodles on 3/4/22, 2:43 PM
To be fair to these companies, the reason they do passwords so terribly is because of such poor guidance and standards in the past. Even now NIST has SP 800-132 for guidance on generating a cryptographic key from a password for storage applications, which is different and often confused with guidance on storing passwords (which they don’t give advice for). There they say to use PBKDF. Also, compliance standards such as PCI don’t allow for modern storage like Argon2, so at best companies use something like bcrypt.
by skbdpup on 3/4/22, 2:45 PM
These can go undetected. Imagine
1. Hacker dumps database with your username & password in it
2. Brute-forces the database offline
3. Logs in as you / Sells it to 3rd party that logs in as you
A lot of time can pass between these steps. Changing your password is a mitigation against this scenario.
by teknopaul on 3/4/22, 4:01 PM
I find sites that ignore my opinion on password security annoying. Some sites I just don't use because of their password policy.
by tinalumfoil on 3/4/22, 3:30 PM
Best practices get better over time. Maybe two years ago that password was stored as an MD5 hash, and that hash was getting leaked to log data. Bank.com has since fixed that problem, but you don't get the benefit unless you change your password.
by alasdair_ on 3/4/22, 7:12 PM
Assuming NTLM hashes you can currently crack almost 100 billion hashes per second on a single AWS p3.16xlarge that costs $25/hour to run (https://www.thesecurityfactory.be/password-cracking-speed/)
I.e. you’d need 10 million hours of these machines to try every combination possible, with an average time to crack of 5 million hours. I.e. a total cost of $125 million, although I bet you could negotiate a pretty good AWS discount and/or build the servers yourself and optimize them for cracking, so let’s call it around $50 million to crack a truly random 12-character ASCII password today.
Assuming Moore’s law improvements and improvements in energy costs/efficiency, we can reasonably assume this cost could roughly halve every 18 months, to under $1 million in a decade. That’s not a lot of money to a nation state actor, so if you’re in a position where you seriously worry about active attacks against you specifically, perhaps using passwords that are longer than 12 characters is worthwhile.
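A small calculator for this kind of estimate, added here as an example and not the commenter's own arithmetic: it takes charset size, guess rate and hourly price as inputs (the 1e11 guesses/s and $25/hour quoted above) and projects the cost forward with the 18-month halving assumed above. With a 62-character alphanumeric set it lands near the roughly 10 million machine-hours figure above; the 95-character printable ASCII set is shown alongside, and the entropy-in-bits function ties this to the entropy discussion elsewhere in the thread.

```python
import math

SECONDS_PER_HOUR = 3600


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password over the charset."""
    return length * math.log2(charset_size)


def hours_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Machine-hours needed to try every password of this length."""
    return charset_size ** length / guesses_per_second / SECONDS_PER_HOUR


def expected_cost_usd(charset_size, length, guesses_per_second, usd_per_hour) -> float:
    """Expected spend: on average the password is found after half the keyspace."""
    return hours_to_exhaust(charset_size, length, guesses_per_second) / 2 * usd_per_hour


def projected_cost_usd(cost_now: float, years: float, halving_months: float = 18) -> float:
    """Cost after `years` if the cost per guess halves every `halving_months`."""
    return cost_now / 2 ** (years * 12 / halving_months)


def min_length_for_budget(charset_size, guesses_per_second, usd_per_hour,
                          attacker_budget_usd, years, max_length=64) -> int:
    """Smallest length whose projected expected cracking cost still exceeds the budget."""
    for length in range(1, max_length + 1):
        now = expected_cost_usd(charset_size, length, guesses_per_second, usd_per_hour)
        if projected_cost_usd(now, years) > attacker_budget_usd:
            return length
    raise ValueError("no length within max_length defends against this budget")


if __name__ == "__main__":
    # Inputs from the comment above: 1e11 NTLM guesses/s on a $25/hour instance.
    for charset, name in ((62, "alphanumeric"), (95, "printable ASCII")):
        cost = expected_cost_usd(charset, 12, 1e11, 25)
        print(f"12 x {name}: {entropy_bits(charset, 12):.1f} bits, "
              f"{hours_to_exhaust(charset, 12, 1e11):,.0f} h to exhaust, "
              f"${cost:,.0f} expected now, ${projected_cost_usd(cost, 10):,.0f} in 10 years")
    print("min alphanumeric length vs a $10M budget in 10 years:",
          min_length_for_budget(62, 1e11, 25, 1e7, 10))
```

The figures assume a fast unsalted hash like NTLM; a slow password hash lowers the guess rate by orders of magnitude, which is exactly the lever a defender controls.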
by jandrese on 3/4/22, 6:33 PM
1. The password must be difficult to the point of impossible for a computer to guess.
2. The password must be memorable enough that a person can create it once and then remember it a month later.
If you don't satisfy requirement #1 then it will be hacked with a GPU farm. If you don't satisfy requirement #2 then the users will undermine your security in a multitude of ways. Almost no corporate password policy attempts to address or even facilitate option #2. They don't even mention it! Many corporate password policies are actively hostile to option #2, requiring a bunch of stuff that's hard for people to remember but only reduce the search space for the computer farms attacking your leaked password database.
I like to use phrases made of things that sound like words, but aren't in the dictionary. Make them themed to be memorable. I call them Jabberwocky passwords. Were it not in a famous poem, a good password would be "mimsy were the Borogroves".
by ouid on 3/4/22, 3:49 PM
by asimops on 3/4/22, 6:56 PM
[0]: Something like https://github.com/fblz/PassFilter or https://github.com/rlabolle/hibppwdflt
by netheril96 on 3/4/22, 2:48 PM
by thenoblesunfish on 3/4/22, 5:40 PM
by simonbarker87 on 3/4/22, 2:53 PM
by MaulingMonkey on 3/4/22, 9:42 PM
Companies RMA, sell off, donate, and/or dispose of older drives, RAID caches, computers, workstations - are you 100% sure everything was DBANed properly without any data still lurking in bad sectors? All it takes is one snoopy fellow dumpster diving, or going through the garage-saled hardware of your former IT guy who made backups, finding some hardcoded credentials on an unencrypted or poorly encrypted drive - or other similar act of stupidity - to potentially leverage mistakes made years ago into active network access.
As annoying as I find password rotation, I get it.
by cpuguy83 on 3/4/22, 3:57 PM
by ahmed_ds on 3/4/22, 3:51 PM
I would say a strong password is slowly becoming a myth due to organizations failing to understand what it is before creating a policy surrounding it.
by wintermutestwin on 3/4/22, 2:49 PM
While they are at it mandate some standards of customer service if your business exceeds $1M in gross revenue (must have a "get human" button and the call hold time shall not exceed 15 minutes).
I know that sounds like a fantasy utopia, but I remember a time in the 70s when there was a serious push for consumer advocacy in the US.
by dahart on 3/4/22, 3:47 PM
I feel like this is somewhat true for self-fulfilling prophecy reasons; these same organizations don’t always disclose every compromise or leak of their systems, and don’t always force a password reset when it happens because it would reveal they’ve been hacked. I’m certain I have multiple online accounts at organizations that have suffered minor, major, and ransomware level breaches.
by 0xbadcafebee on 3/4/22, 3:19 PM
- The password is weak
- It is ever reused
- Anyone else has access to it
- You use it on a device you don't control
- You use it on a device which might be running malware and can intercept it
- It was stored insecurely
by rdiddly on 3/4/22, 4:35 PM
1) You don't know whether the service or site employs best practices e.g. throttling. (Although you might be able to test that yourself if you're tech savvy.) So you may have to assume the worst, and there goes Point 1.
2) You can't be sure they will report a breach if it occurs, or that the password will ever show up in e.g. haveibeenpwned. So there goes Point 3.
Point 2, you do have control over.
by cies on 3/4/22, 3:29 PM
Which a consumer of a service does not know. There are laws now to force providers of services to announce leaks/breaches, and there's haveibeenpwned; both are no guarantee.
Changing a password gives consumers a fresh start.
> Passwords do not age. They do not sour, spoil, or stale.
The "fresh start" does imply some sort of spoiling/ageing.
Rotating passwords (refreshing) in the age of password managers is not that much work; for some critical accounts that may be a good thing.
by UltraViolence on 3/4/22, 2:46 PM
I highly recommend it for people that are more computer savvy. For the digital illiterates OnePass may be more suitable.
by adam0c on 3/4/22, 2:50 PM
the Hive infographic (amongst others) always comes to mind; 18 characters long, upper, lower, numerical, special. Estimated time to brute force 438tn years.
by redbar0n on 3/4/22, 4:57 PM
by explaingarlic on 3/4/22, 3:40 PM
What? If they're not breached then that invalidates the other two points anyway - unless you can find an authentication endpoint that doesn't rate limit. HTTP proxies are expensive and trying to brute force something that is on-server is not a common attack vector.
I know it's nit-picking, but the title is incendiary and warrants that.
by noasaservice on 3/4/22, 4:37 PM
Big takeaways:
Longer passwords.
No hard requirement of symbols.
Passwords don't change unless it's in breach notifications online
Regular scanning of breaches for hacked login/passwords or commonly used passwords
by amtamt on 3/4/22, 3:07 PM
by 1970-01-01 on 3/4/22, 3:50 PM
by itvision on 3/4/22, 3:23 PM
Whoever came up with the idea that passwords need to be regularly changed must be shot because no one has ever proved it makes any sense.
What it actually does is that people write passwords everywhere (papers, text files, etc), thus actually lowering their security.
by voakbasda on 3/4/22, 3:12 PM
by macintux on 3/4/22, 2:51 PM
That seems like a good way to ensure people don’t use stupid passwords: public embarrassment.
by solatic on 3/4/22, 4:24 PM
a) Passwords should be easily rememberable. Pick four words and string them together (e.g. correcthorsebatterystaple). b) You must have a physical security key to authenticate - a Yubikey etc.
If those two factors are not enough, then forget working from home / mobile authentication - require people to arrive in-person and work in-person, with network restrictions on top of the two-factor authentication.
If two-factor authentication isn't enough, and IP address restrictions aren't of help to enforce know-your-user when they show up in person, then I swear, God help you. At that point, you're no longer practicing security, you're practicing paranoia.
by thejerz on 3/4/22, 3:18 PM
This assumes you'll know if passwords were exposed in a breach. Some breaches go undetected.
by zacharycohn on 3/4/22, 3:22 PM
by Zamicol on 3/4/22, 4:05 PM
The beauty of public key authentication is that there's nothing to breach on one side.
by the_arun on 3/4/22, 3:50 PM
But how confidently do we know this? Hence, people periodically change passwords. Or am I missing something?
by olliej on 3/4/22, 7:01 PM
by Cr0s on 3/4/22, 1:59 PM
by rasengan on 3/4/22, 3:05 PM
by Havoc on 3/4/22, 5:17 PM
Bit of an ideal conditions assumption.
If security isn’t breached then you by definition don’t have a security issue
by borplk on 3/4/22, 3:58 PM
Meaning, if your password is 10 years old it's subject to any leaks or security events during that long time frame. If it's 3 months old, anything that could have happened to it must have happened in the last 3 months which is much better than 10 years.
by jmyeet on 3/4/22, 3:17 PM
At every company I've ever worked that required password rotation, everyone just incremented a digit, usually at the end.
I also hate the completely arbitrary rules on length (I mean, why do some sites have a maximum length?). Some require uppercase and lowercase as well as digits and certain special characters and what special characters are allowed is inconsistent and completely arbitrary.
We need to focus on how much entropy [1] a password has without arbitrary rules. 20 lowercase letters is going to be better than a 7 letter dictionary word with one letter capitalized and a number or symbol on the end. In fact pretty much every password of 8 characters in length should be considered cracked. 10 should probably be the absolute minimum.
by blable2 on 3/4/22, 2:44 PM
by mooreds on 3/4/22, 4:31 PM
What Should You Do?
There’s a simple checklist of improvements you can make to keep your passwords forever secret:
If you aren’t already, start using a password manager.
Use the password manager to generate strong, unique passwords for every account.
Review old accounts that contain personal, proprietary, or financial information and update their passwords using the password manager.
Never share personal facts, like your pet’s name, when required. Instead, replace a real fact with random text that you store in your password manager for later access.
Enable two-factor authentication wherever available.
I can't argue with any of this! But there are obstacles on the path to this utopia. Password managers are becoming more and more usable for average folks, though I've seen some confusion in some of my non-tech friends/family, esp. when integrated into browsers. There's also the question of market penetration. Is your grandma going to use a password manager?
Other trends I've seen:
Passwordless auth tying into WebAuthN. If a site can tie into a method secured by the OS, all the better. I'm not sure the uptake, but have seen some presentations/comments about it being a far superior UX. Also, seen some startups built (and raising $$$) around just this.
Known, trusted bigcos like Facebook (ya, I know, but they are trusted by lots of non tech folks) and Google. This has some upsides because they can secure accounts really well, and also keep on top of new security reqs like MFA. But there're plenty of HN stories about being locked out of these IdPs, so this may be a bit of a scary delegation for some.
Passwordless auth tied to email. This is great for low value, infrequently used accounts because often 'send me creds via email' is the default path anyway, usually via 'forgot password' flows.
by nu11ptr on 3/4/22, 4:01 PM
by snow_mac on 3/4/22, 10:22 PM
by farzher on 3/5/22, 2:53 AM
by whoomp12342 on 3/4/22, 2:24 PM
by andrey_utkin on 3/4/22, 2:19 PM
Key material rotation seems to be a sensible practice in general.