by bostik
815 days ago
> surely a decent password (long, random, etc) is for all practical purposes unguessable

Sadly, that is not how normies use passwords. WE know what password managers are for. The vast majority of people outside our confined sphere do not.

In short: password rotation policies make passwords overall less secure, because in order to remember what the new password is, people apply patterns. Patterns are guessable. Patterns get applied to future passwords as well.

This has been known to the infosec people since the 1990s because they had to understand how people actually behave. It took a research paper[0], published in 2010, to finally provide sufficient data for that fact to become undeniable. It still took another 6-7 years until the information percolated through to the relevant regulatory bodies and for them to update their previous guidance. These days both NIST and NCSC say in very clear terms not to require password rotation.

0: https://www.researchgate.net/publication/221517955_The_true_...
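The comment's point is that forced rotation produces predictable edits (a bumped year, an appended symbol, a leet substitution) rather than a new secret. The following is an added example, not code from the commenter or from the cited paper, of how a defender-side policy check can recognise those edits by comparing a candidate password against the one it replaces. The sample history, the leet table and the 0.8 similarity threshold are constructed for illustration and are assumptions, not values from the page.

```python
"""Flag pattern-based password rotations (defender-side policy check).

Added example. Models the observation that forced rotation yields small,
predictable edits to a kept stem, and shows how a policy engine can detect
them instead of accepting the 'new' password as a fresh secret.
"""
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Constructed sample: one user's password history under a 90-day rotation policy.
ROTATION_HISTORY = [
    "Summer2023!",
    "Summer2024!",    # year bumped
    "Summer2024!!",   # symbol appended
    "5ummer2024!!",   # leet substitution
    "Tr0ub4dor&3",    # genuinely different stem
]

# Common leet substitutions, undone so "5ummer" and "Summer" share a stem (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Similarity at or above which two passwords count as one edit apart (assumed threshold).
SIMILARITY_THRESHOLD = 0.8


def stem(password: str) -> str:
    """Reduce a password to the part people keep across rotations.

    Lower-cases, strips the trailing digit/symbol run ("2024!!"), strips a
    leading run of two or more non-letters ("2024Summer"), and undoes leet.
    A single leading digit is kept because it is more likely leet ("5ummer").
    """
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    s = re.sub(r"^[^a-z]{2,}", "", s)
    return s.translate(LEET)


def shape(password: str) -> str:
    """Collapse a password to its template: letter runs -> A, digit runs -> 9, symbols -> !"""
    s = re.sub(r"[^A-Za-z0-9]+", "!", password)
    s = re.sub(r"\d+", "9", s)
    return re.sub(r"[A-Za-z]+", "A", s)


def rotation_reason(old: str, new: str) -> Optional[str]:
    """Return why `new` looks like a rotation of `old`, or None if it looks independent."""
    if old == new:
        return "identical to previous password"
    old_stem = stem(old)
    if old_stem and old_stem == stem(new):
        return "same stem; only digits, symbols, case or leet changed"
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= SIMILARITY_THRESHOLD:
        return f"too similar to previous password (similarity {ratio:.2f})"
    return None


def audit_history(history: List[str]) -> List[Tuple[int, str]]:
    """Check each consecutive pair; return (index of the new password, reason) for flagged ones."""
    flagged = []
    for i in range(1, len(history)):
        reason = rotation_reason(history[i - 1], history[i])
        if reason:
            flagged.append((i, reason))
    return flagged


if __name__ == "__main__":
    for idx, reason in audit_history(ROTATION_HISTORY):
        print(f"{ROTATION_HISTORY[idx - 1]!r} -> {ROTATION_HISTORY[idx]!r}: {reason}")
```

Running the block flags the first three rotations in the constructed history and accepts the last, which is the behaviour a policy engine needs in order to reject a "rotation" that is really the old password with a different suffix. The stem and shape reductions are deliberately crude; they catch the habits the comment describes, not every possible transformation.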