by alcari 3475 days ago
The rationale was that if password hashes got compromised, the attacker would only have until the next forced rotation to crack the passwords and take over accounts.

edit: or, in particularly terrible systems, if plaintext passwords were leaked.

Of course, that's only useful if it doesn't affect any other password security concerns, and it turns out that users who are forced to change their passwords frequently pick worse passwords, which is a bigger problem than the scenario this was supposed to protect against.


> it turns out that users who are forced to change their passwords frequently pick worse passwords

I can vouch for this. My rotating password at work is _______1, followed by _______2, then _______3, and so on. If a year-old hash gets cracked, it won’t take a rocket scientist to know that the password right now is _______4.

Everyone I know does some variation of this. I'm currently enumerating gen 1 pokemon.
So one day you'll have "Mew" as a password?
No silly, "MewMewMew" when it's too short.
"M3wM3wM3w*" to satisfy special character requirements
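The rotation patterns the commenters describe (a fixed base with a bumped counter, the base repeated to meet a length rule, leet substitutions to satisfy a special-character rule) are easy for a change-password handler to recognise. The following is an added example, not code from any commenter or from any password manager mentioned in the thread. It assumes the check runs inside a password-change flow where the user has just supplied the current password, so both old and new values are available in plaintext for the comparison and nothing extra is stored; the leet-substitution table is an assumption chosen for illustration.

```python
"""Reject password changes that are trivial rotations of the previous password.

Added example for this thread; not code from any commenter. Assumes the
check runs at change time with the user-supplied current password in hand.
"""
import re
from typing import Optional

# Common substitutions people use to satisfy "special character" rules.
# This table is an assumption chosen for the example, not an exhaustive list.
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def canonical(password: str) -> str:
    """Normalise a password to the base a user is likely rotating around.

    Trailing digits and punctuation (the counter and the forced special
    character) are dropped first, then case and leet-speak are folded.
    Underscore counts as a word character, so a base like '_______' survives.
    """
    core = re.sub(r"[\d\W]+$", "", password)
    if not core:  # password was nothing but digits/symbols; keep it whole
        core = password
    return core.lower().translate(_LEET)


def repeating_unit(s: str) -> str:
    """Smallest string u such that s == u * k (so 'mewmewmew' -> 'mew')."""
    n = len(s)
    for k in range(1, n + 1):
        if n % k == 0 and s[:k] * (n // k) == s:
            return s[:k]
    return s


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with a bumped counter, a tweaked trailing
    symbol, a case change, leet substitutions, or the same base repeated."""
    return repeating_unit(canonical(old)) == repeating_unit(canonical(new))


def check_password_change(old: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None if the change is acceptable."""
    if new == old:
        return "new password must differ from the current one"
    if is_trivial_rotation(old, new):
        return "new password is a predictable variation of the current one"
    return None


if __name__ == "__main__":
    # Constructed sample pairs mirroring the patterns described in the thread.
    pairs = [
        ("Hunter1", "Hunter2"),
        ("Mew", "MewMewMew"),
        ("MewMewMew", "M3wM3wM3w*"),
        ("Hunter1", "correct horse battery"),
    ]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'ok'}")
```

The heuristic errs on the side of rejecting: stripping trailing digits means a base that legitimately ends in a digit used as a letter (e.g. a trailing `3` for `e`) is also folded away, which is acceptable for a check whose only job is to refuse obviously derivative passwords and send the user to a generator instead.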
Get a password manager already, and let it just generate random passwords for you. Typing in passwords is so lame. :) If you are on macOS I highly recommend https://github.com/ravenac95/sudolikeaboss (and by extension 1Password).
I use a password manager. The password in question is one I type all the time, in dozens of different contexts, on a computer I don’t own and can’t modify :(.
I can't log into work computers using my password manager.
This would be fantastic if work allowed me to install one. Sadly, some of us work in locked down environments so resort to such silliness to get through the work day.
I'm sorry, that sucks. That's just stupid. I could see employers requiring you to use their password manager, but ugh, not allowing use of one is just gross.

That said, lastpass can work without any modifications to your local machine (i.e. it can work without any browser plugins even), though it's not very fabulously integrated, it does work... Assuming of course they don't block access to the lastpass website and JS.

Does it work to allow me to log in to my machine or to unlock it? (Serious question. If so, then I will happily use a 16 character blob of entropy)
How do I login to lastpass.com when I need my password to unlock my work computer to get to lastpass.com?
> The rationale was that if password hashes got compromised, the attacker would only have until the next forced rotation to crack the passwords and take over accounts.

In all fairness, it's a fair assumption. There is an attack vector where one gets an old password from 8 years ago by whatever means... and it is still valid.

The execution was terrible though. People started forcing password change every month [which is overkill to stop an attack that has a multi year timespan] and it created a whole new set of disasters.

Or put them on a yellow sticky under their mouse pad.
A sticky note is very secure against remote attackers.
Which is good enough in most cases. If an attacker can walk in and physically tamper with your computer peripherals you generally have bigger problems.
As a very general rule, most attackers are insiders.
Insiders are easier to identify and deal with. Be it a rogue employee or a nasty sister.
There is no password policy that protects against rubber hose cryptanalysis.
Sure there is. I believe the classical approach is cyanide in a false tooth.
A less classical approach is divulging a self destruct/lockout password.

Pity so few systems support this.

That's going to go badly for you the moment the attackers realise what you've done. Admittedly they'll no longer be able to compromise the account, but you better really care about that.