[InitialBP]

I'm a former red teamer - Credential spraying attacks are incredibly successful on a business that has at least a few hundred employees. Many employees not only aren't aware of why cybersecurity is important, but often go out of their way to avoid learning or implementing security best practices because they see it as an annoyance and a hindrance.

One of our most standard and most successful playbooks to find a foothold:

1. Pull employee names from linkedin

2. Find an example email for format (first.last@company.com)

3. Setup password spraying for a password like: Spring2025!

4. Leverage a tool like https://github.com/ustayready/CredKing to avoid IP blocking.

5. Get credentials and go from there...

[arcbyte]

It seems like all the corporations that still ignore NIST best practices and require password changes ever 60 days make this kind of attack much more likely to succeed.

[GoblinSlayer]

I personally don't find password counting detrimental. What's detrimental is SSO system that conflates local access password with remote access password and then often asks this password. Or has some kind of a dumb rule like "lock the machine after 10 minutes of inactivity and ask the remote password to be typed right on keyboard".

[Spivak]

Yep! The quickest way to get your users to use incredibly weak passwords and make it so they must physically type it all the time. I can have a 32 character password is unmemorizable, untypable by mortals, and even having a screenshot of it revealed would be a challenge to decipher password for services exposed to the internet. But I need something I can memorize, type with just alphanumerics, and enter quickly for my lock screen.

[ptsneves]

I havent been in a single company that does not force the rotation of passwords. I worked in 4 different F500 companies.

[mjevans]

The company I _used_ to work at, I implemented exactly that policy and only required rotation after a password reset (like initial account assignment), and should it have ever happened, after any sign of account or credential breach.

I was so happy when NIST finally recognized that people aren't machines and can't perfectly remember a new strong password with high frequency.

[robertlagrant]

Yes, that is nice. Sadly some people will say things like "HIPAA compliance requires password rotation", which is I'm pretty sure wrong, but it happens. Still, we're pushing the above NIST line as we're really keen on improving actual security, and it's nice that it has the force of NIST behind it now.

[InitialBP]

Glad to hear you guys are making progress. Password rotation is definitely more of a hindrance than a help and is a big reason that you end up with Spring2025! style passwords for sure.

I think the industry is realizing that less is more when it comes to passwords and we're starting to see far more adoption of password managers and a bigger focus on getting SAML/SSO login options for SaaS tools, even if they are often gated behind paywalls or "enterprise" plan options.

Now that I'm in a more "defensive" position my primary focus on the credential front has been pushing password manager adoption across the org and looking for good opportunities to showcase that password managers are both significantly faster and easier to use if people are willing to change their workflow.

[icameron]

LOL Spring2025! is basically my password for an agency that requires rotation every 42 days and doesn't allow any repeats of the last 24 password. Further irony is the pattern of SeasonYear! is something that I only started doing when IT had to reset my password and they used that pattern. (when the account automatically locked out because I didn't update before their 42 days)... I am completely convinced that mandatory password rotation is counter productive

[rwmj]

The company my wife uses for annual PCI-DSS recertification (a computer security / CC handling certification) requires that the password be changed every year. So that's once per login.

[mr_mitm]

I agree that this recommendation is in general counter productive, but the correct solution here is for the corporation to require 2FA for all logins on the internet. There will always be users who choose bad passwords.

[g-b-r]

If that's really the case it seems less bad to have the company provide unchangeable passwords... (if they're unable to switch to safer solutions)