undefined | Better HN

0 pointsThorrez2y ago0 comments

Is blocking the last 20 passwords a bad thing? I agree the other stuff is bad, but to me, that part doesn't seem bad.

0 comments

Forced password updates are a bad thing.

If your company does forced password updates, they are not following the NIST recommendation: https://pages.nist.gov/800-63-FAQ/#q-b05

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach.

ixwt2y ago

The company I work for had a ransomware issue, so they got more zealous about security.

They require us to change our passwords every 45 days now. When I pointed out the NIST recommendations of not rotating passwords, they say they are following the guidance of the response team that helped them recover from the ransomware. And that the NIST doesn't actually deal with the real world.

b1122y ago

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach

This is a stretch. Liable? Please show the case law, or the legislation.

(My statement has no relevance to the validity of NIST's recommendations)

bluGill2y ago

Not directly. However NIST is admissible in court and so if someone sues there is now evidence that they should have known better.

1 more reply

internet1010102y ago

Internal password resets are a bad thing. It has its place in document sharing/collaboration platforms not connected to AD as an additional layer of revoking access when people leave a company.

pflenker2y ago

It leads to less security as it is more likely that the new password will just be an old one with an incremented number at the end.

cobbaut2y ago

And unless there is a minimum password age some people will just change it 20 times and then back to the same password.

thesuitonym2y ago

The worst part is it actually leads users to boasting about how they `beat the system', essentially telling their coworkers what their pattern is, making the password easier to guess.

macintux2y ago

I have long felt that organizations that require password rotation for employees should, when the users are changing their passwords, record and post the old password to an internal site (without any identification of the user) for educational (and mockery) purposes.

1 more reply

Workaccount22y ago

Myself and most people keep our login passwords written on paper in our desk because of this stupid practice. Can't use previous passwords and new password every 90 days. This is on top of 2FA.

ThorrezOP2y ago

Are you saying that "old one + number" is less secure than "old one"? That doesn't sound right.

pama2y ago

Even if this rule technically seems benign, together with the forced change it encourages users to game the system leading to predictable patterns, eg adding a rotating letter or digit combo at the end of a same password.

ThorrezOP2y ago

Is that worse than the password without the rotating letter/digit?

alistairSH2y ago

In combination with forced changes, it leads to…

Password1

Password2

Password3

Etc

pierat2y ago

The one I see that stays updatable is:

PasswordFebruary2024!

Where month and year update on the date of forced password change.

alistairSH2y ago

Oh, that's a good one. <runs off to update corporate logins>

Karellen2y ago

ITYM

hunter3

hunter4

hunter5

bluGill2y ago

I'm closing in on password100... It is the only sane thing to do, a good password is hard to memorize. (passphrases are must better, but hard to type correctly first thing in the morning and take too long when I need to type my password a dozen times a day)

ThorrezOP2y ago

Is that worse than

Password1

Etc?

swozey2y ago

I mean it's great for 99% of your passwords and pretty much forces people into using randomized generated passwords.. but I still have to remember at least ONE password by heart. Whether it's 32 characters or 16 or what not, I still need SOME way to get into my password manager to even get to my passwords. So what, I'm going to make my password tacokissies69 and.. what, add a 0 every 6 months so I pass the 20 password minimum?

So a hacker can infer that my password is tacokissies69000 of some sort..

ThorrezOP2y ago

I'm not really sure how this problem is related to banning using identical passwords as past passwords.

j / k navigate · click thread line to collapse

0 comments

meindnoch2y ago

Forced password updates are a bad thing.

If your company does forced password updates, they are not following the NIST recommendation: https://pages.nist.gov/800-63-FAQ/#q-b05

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach.

ixwt2y ago

The company I work for had a ransomware issue, so they got more zealous about security.

b1122y ago

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach

This is a stretch. Liable? Please show the case law, or the legislation.

(My statement has no relevance to the validity of NIST's recommendations)

bluGill2y ago

Not directly. However NIST is admissible in court and so if someone sues there is now evidence that they should have known better.

1 more reply

internet1010102y ago

Internal password resets are a bad thing. It has its place in document sharing/collaboration platforms not connected to AD as an additional layer of revoking access when people leave a company.

pflenker2y ago

It leads to less security as it is more likely that the new password will just be an old one with an incremented number at the end.

cobbaut2y ago

And unless there is a minimum password age some people will just change it 20 times and then back to the same password.

thesuitonym2y ago

The worst part is it actually leads users to boasting about how they `beat the system', essentially telling their coworkers what their pattern is, making the password easier to guess.

macintux2y ago

1 more reply

Workaccount22y ago

Myself and most people keep our login passwords written on paper in our desk because of this stupid practice. Can't use previous passwords and new password every 90 days. This is on top of 2FA.

ThorrezOP2y ago

Are you saying that "old one + number" is less secure than "old one"? That doesn't sound right.

pama2y ago

ThorrezOP2y ago

Is that worse than the password without the rotating letter/digit?

alistairSH2y ago

In combination with forced changes, it leads to…

Password1

Password2

Password3

Etc

pierat2y ago