Fuck spez
link
fedilink
English
103M

The current thinking as I understand it is expiry policies make most types of accounts less secure because users just cycle through the same predictable pattern of adding increasing numbers of exclamation points or incrementing the last digit at each required password change, and if you require new passwords to be too substantially dissimilar from x number of previous ones then users can’t remember them at all. Policies that make people use minimally complex passwords because they have too many to remember and don’t understand how password managers work inevitably increase password reuse between services and devices which does the opposite of improving security. Especially with MFA enforced, which I’ve been known to do as aggressively as I can get away with, there’s just no sense in requiring regular password resets – as long as the password remains complex, unique, and uncompromised. I’m not a network security expert but I am responsible for managing these sorts of things in my role and that’s the rationale I use for the group policies in a typical customer’s environment.

You’re supposed to have controls in place to prevent all of those concerns. I’m not saying passwords should be changed every 30 days, but 6 months is a long time.

But, companies with password expirations should be providing a password manager.

Create a post

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

  • Posts must be relevant to programming, programmers, or computer science.
  • No NSFW content.
  • Jokes must be in good taste. No hate speech, bigotry, etc.
  • 1 user online
  • 91 users / day
  • 116 users / week
  • 501 users / month
  • 2.48K users / 6 months
  • 1 subscriber
  • 1.6K Posts
  • 35.5K Comments
  • Modlog