[xp84]

Password rotation does nothing more than get you to use

  1234abcd@
  1234abcd@1
  1234abcd@2
  1234abcd@3

I'm becoming pretty convinced that at least in the corporate space, we'd be way better off with a required 30 character minimum password, with the only rules being against gross repetition or sequences. (no a * 30 or abcd...yz1234567890 ). Teach people to use passphrases and work on absolutely minimizing the number of times people need to type it by use of SSO, passkeys, and password managers. Have them write it on a paper and keep it in a safe for when they forget it.

This is a better use of the finite practical appetite for complying with policies than the idiotic "forcibly change it every 90 days" + "Your 8 character password needs to have at least one number, one uppercase, and one of these specific 8 characters: `! @ # $ % ^ & *`"

By the way, to quote Old Biff Tannen, "oh, you don't have a safe. GET A SAFE!"

[tharkun__]

Don't tell them. I don't want to have to enter 30 characters. And it does not help for the people you'd need it for anyway.

    1234567890a1234567890@1234567890

Better?

No, just longer to type. You can't fix stupid people by making the life of non-stupid people worse.

All you do is for non-stupid people to stop caring and do the easiest thing possible too.

[MrDrMcCoy]

That's why we recommend passphrases. That 30 character requirement becomes much easier when it's 3-4 words with a separater. Faster to type, too.

[tharkun__]

Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)

[pylotlight]

I would hate to be labeled 'stupid' everytime I don't want to type some 30 dumb characters everytime I login. How about no?

[tharkun__]

Different difference ;)

I also don't want to type 30 chars, when 15 _properly randomly chosen_ characters would suffice but the "stupid people" chose those 15 characters as "passwordP@55w0rd" and now everyone requires us to write 30 instead because it's "so much more secure" when they write "passwordP@55w0rdpasswordP@55w0rd"

[xp84]

You're all missing the point.

There are different attack vectors. Yes, 15 random chars is sufficient if random, but recalling and typing 15 truly random characters is a big challenge for most everyone.

You shouldn't be having to remember and type your password for Hacker News, for Gmail, or your bank, ever, not even one time.

By making them 30 characters, you're ensuring one of two things:

A. Users at least use a passphrase such as "my dad liked to drink 6 packs of Miller Lite" which is brute-force-proof so, that's fine

B. Users who aren't masochists use a password manager properly and never have to even see their password let alone type it.

That's it, that's the whole endgame. By keeping passwords short enough to memorize and type, you're just enabling people to use P455w0rd. And if you think that only impacts stupid people, most people are stupid and many of them are in charge of keeping your data (and infrastructure, and government, etc) safe. You need them to be protected, to protect you.

[wycy]

Correct-horse-battery-staple!! is 30 characters and quick to type

[tharkun__]

Which does nothing for the "stupid people". I.e. the ones that we put these rules into place for. They'll do what I posted instead (or something else easily guessable and the cycle continues - technological solution to a people problem, i.e. doesn't work)

[bigfatkitten]

In the corporate space you should move away from passwords entirely.

Smart cards have had pretty solid ecosystem support for the past two decades thanks to the U.S. Government and HSPD-12, and now we’ve got technologies like webauthn that make passwordless authentication even easier.

[majkinetor]

And require smart card, reader, drivers etc... nah

[imtringued]

Every work laptop I've used had a smart card reader directly built into it and I've never used smart cards.

[bigfatkitten]

Or a yubikey, or a webcam, or a fingerprint sensor…

[osigurdson]

In the enterprise, the cost of inconvenience to users is effectively zero. Perhaps even negative as security theater can be a pretty effective way to convince management that something is being done.

[eru]

There's one weird trick to get people to have strong passwords (even if you force rotation): don't allow them to pick their own passwords. Randomly generate the passwords for them.

[pixl97]

Also don't allow them to copy paste the password. And especially don't allow them to use any kind of password wallet. They will really love you for this and you won't get an excessive number of calls to reset forgotten/lost passwords.

[kobieps]

Preach. Gmail doesn't force password rotation, and one can just imagine the type of attacks they must sustain...

Unfortunately corporate policies evolve at glacial speeds...

[Retric]

I’m doubtful a 30 digit minimum password is a meaningful improvement over a 20 digit password here. Meanwhile actually typing in very long passwords adds up across a workday/year especially with mistakes.

[xp84]

I think if done right, typing that password should be more like a once a quarter exception rather than a daily occurrence.

Granted - there are blockers to getting there. IDK why for example, macOS can't use Touch ID from a cold boot, that's stupid, at least when there haven't been too many failed attempts or anything.

[zimpenfish]

> macOS can't use Touch ID from a cold boot

Isn't that because the Secure Enclave (the only place which contains the Touch ID biometric data) is locked by your password?

"When a user's password is set up on an Apple Silicon Mac, the password is passed through a one-way hashing algorithm that produces a key used to encrypt the Secure enclave's key."[0]

[0] https://blog.greggant.com/posts/2023/04/14/the-security-encl...

[Retric]

Touch ID isn’t that secure. It’s fine for personal devices, but I wouldn’t trust it alone in a government or cooperate environment.

A ~1:50,000 error rate per finger added sounds fine, but lose a few laptops and have multiple valid fingerprints etc and the odds quickly look significantly worse. Or a janitor could end up trying to log into a significant number of machines etc.

[imtringued]

You're only supposed to type your password at most once a day to sign into SSO.

[Retric]

Then how do you suggest authenticating not just in the morning but after lunch, going to the bathroom, any physical meetings, etc?

[TZubiri]

"Your password is too similar to your previous password"

Hmm, how would you know that.

[Uvix]

Don't you generally have to enter the current password to change it to a new one?

[TZubiri]

Interesting. I guess you could do it on the frontend by asking for old and new passwords simultaneously and sending the hashes to the backend.

That said, it means that you can skip this check by hacking around the front end check haha

[tharkun__]

By making it less secure. Like those auth schemes back in the day that sounded great in theory until you figured out that in order to implement them the provider had to store them un-hashed. No thanks.

[throwaway843]

Hash each character.