undefined | Better HN

0 pointsn4r91y ago0 comments

> yes, when all password hashes were available to all users, and therefore had an expected bruteforce/expiration date.

Pretty much anyone I've spoken to candidly about rotating passwords has said that they use a basic change to derive the next password from the old. For example, incrementing a number and/or a letter. If that was as common a practise as I suspect, then rotating passwords doesn't add much security. It just meanstthat hackers had to go through a few common manipulation strategies after breaking the hash.

0 comments

Jerrrrrrry1y ago

This is actually the third-order effect of itself, by itself.

Require frequent passwords, humans cheat, boom: your brute-force space just went from 1024 bits to 14, assuming you can onboard a red-team plant far enough to get the template for the default passwords.

If I know _bigcorp_ gives defaulted credentials in the format of [First Initial + Middle Initial + month_day] then not only can I piggyback a trivially-created IT/support ticket, I can also just guess that in 60, 90, 120 days, your credentials are the same, but the month_day - even if not correct, the search space is reduced by magnitudes.

j / k navigate · click thread line to collapse

0 comments

Jerrrrrrry1y ago

This is actually the third-order effect of itself, by itself.

j / k navigate · click thread line to collapse