[Rudism]

Those users signed up for a service with poor security controls (no 2FA, no requirement to rotate passwords at regular intervals) and then checked a box saying "share my data with other accounts."

So while I agree with you that those users are not responsible for the accounts that were actually compromised, they were fully responsible for sharing their data on that service without fully thinking the implications through. 23andMe is not blameless--it's their poor security controls that allowed it to happen in the first place--but I strongly feel people do not take security and privacy as seriously as they should and as a result do share at least some of the blame.

[gkbrk]

> no requirement to rotate passwords at regular intervals

Password rotations are dumb and do not improve security.

[Rudism]

Is that true though? I agree they're annoying and in an ideal world where users don't reuse passwords or leaked hashes can't be broken they'd be pointless--but in this case I think it certainly would have protected at least some of the accounts that were reusing breached passwords. Is there actual evidence/research that proves password rotation has no effect on security in the event of breaches?

[ziddoap]

>Is that true though?

NIST, Microsoft, etc. didn't decide to change their minds (to now explicitly discourage arbitrary expiration) out of the blue.

See:

https://web.archive.org/web/20180603140100/https://www.cs.un...

>Using this framework, we confirm previous conjectures that the effectiveness of expiration in meeting its intended goal is weak.

Also see:

https://people.scs.carleton.ca/~paulv/papers/expiration-auth...

>in sum, these security-specific observations and the results in Section 3 suggest the security benefit of password aging policies are at best partial and minor. Combining this with the well-known and widely experienced (negative) usability impact of password aging policies, and results [18] mentioned earlier on high predictability of new passwords from knowledge of old, the burden appears to shift to those who continue to support password aging policies, to explain why, and in which specific circumstances, a substantiating benefit is evident.

And:

https://discovery.ucl.ac.uk/id/eprint/20247/2/CACM%20FINAL.p...

>Although change regimes are employed to reduce the impact of an undetected security breach, our findings suggest that they reduce the overall password security in an organization.

There have been several more, and I'm sure that NIST and others did their own additional analysis prior to changing their recommendations which may not have been made public.

[Rudism]

Fair enough. Seems like the conclusions drawn are not that it doesn't improve security, rather it does not improve security enough to justify the added burden to users and support staff.

I'd venture that this 23andMe situation is one of the scenarios where password expiration could have significantly improved the outcome, but I concede that it was a poor example for me to use.