Password rotation does nothing more than get you to use
1234abcd@
1234abcd@1
1234abcd@2
1234abcd@3
I'm becoming pretty convinced that at least in the corporate space, we'd be way better off with a required 30 character minimum password, with the only rules being against gross repetition or sequences. (no a * 30 or abcd...yz1234567890 ). Teach people to use passphrases and work on absolutely minimizing the number of times people need to type it by use of SSO, passkeys, and password managers. Have them write it on a paper and keep it in a safe for when they forget it.
This is a better use of the finite practical appetite for complying with policies than the idiotic "forcibly change it every 90 days" + "Your 8 character password needs to have at least one number, one uppercase, and one of these specific 8 characters: `! @ # $ % ^ & *`"
By the way, to quote Old Biff Tannen, "oh, you don't have a safe. GET A SAFE!"
Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)
I also don't want to type 30 chars, when 15 _properly randomly chosen_ characters would suffice but the "stupid people" chose those 15 characters as "passwordP@55w0rd" and now everyone requires us to write 30 instead because it's "so much more secure" when they write "passwordP@55w0rdpasswordP@55w0rd"
Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)
In the corporate space you should move away from passwords entirely.
Smart cards have had pretty solid ecosystem support for the past two decades thanks to the U.S. Government and HSPD-12, and now we’ve got technologies like webauthn that make passwordless authentication even easier.
In the enterprise, the cost of inconvenience to users is effectively zero. Perhaps even negative as security theater can be a pretty effective way to convince management that something is being done.
There's one weird trick to get people to have strong passwords (even if you force rotation): don't allow them to pick their own passwords. Randomly generate the passwords for them.
Also don't allow them to copy paste the password. And especially don't allow them to use any kind of password wallet. They will really love you for this and you won't get an excessive number of calls to reset forgotten/lost passwords.
I’m doubtful a 30 digit minimum password is a meaningful improvement over a 20 digit password here. Meanwhile actually typing in very long passwords adds up across a workday/year especially with mistakes.
I think if done right, typing that password should be more like a once a quarter exception rather than a daily occurrence.
Granted - there are blockers to getting there. IDK why for example, macOS can't use Touch ID from a cold boot, that's stupid, at least when there haven't been too many failed attempts or anything.
Isn't that because the Secure Enclave (the only place which contains the Touch ID biometric data) is locked by your password?
"When a user's password is set up on an Apple Silicon Mac, the password is passed through a one-way hashing algorithm that produces a key used to encrypt the Secure enclave's key."[0]
Touch ID isn’t that secure. It’s fine for personal devices, but I wouldn’t trust it alone in a government or cooperate environment.
A ~1:50,000 error rate per finger added sounds fine, but lose a few laptops and have multiple valid fingerprints etc and the odds quickly look significantly worse. Or a janitor could end up trying to log into a significant number of machines etc.
By making it less secure. Like those auth schemes back in the day that sounded great in theory until you figured out that in order to implement them the provider had to store them un-hashed. No thanks.
This is a better use of the finite practical appetite for complying with policies than the idiotic "forcibly change it every 90 days" + "Your 8 character password needs to have at least one number, one uppercase, and one of these specific 8 characters: `! @ # $ % ^ & *`"
By the way, to quote Old Biff Tannen, "oh, you don't have a safe. GET A SAFE!"