Model Comparison
Model Editorial Structural Class Conf SETL Theme
claude-haiku-4-5-20251001 +0.27 -0.07 Mild positive 0.22 0.43 Cybersecurity & Privacy
@cf/meta/llama-3.3-70b-instruct-fp8-fast lite 0.00 ND Neutral 0.80 0.00 Digital Rights
@cf/meta/llama-4-scout-17b-16e-instruct lite +0.28 ND Mild positive 0.80 0.00 Digital Rights
Section claude-haiku-4-5-20251001 @cf/meta/llama-3.3-70b-instruct-fp8-fast lite @cf/meta/llama-4-scout-17b-16e-instruct lite
Preamble 0.20 ND ND
Article 1 0.10 ND ND
Article 2 ND ND ND
Article 3 0.30 ND ND
Article 4 ND ND ND
Article 5 ND ND ND
Article 6 ND ND ND
Article 7 ND ND ND
Article 8 0.10 ND ND
Article 9 ND ND ND
Article 10 ND ND ND
Article 11 ND ND ND
Article 12 0.20 ND ND
Article 13 ND ND ND
Article 14 ND ND ND
Article 15 ND ND ND
Article 16 ND ND ND
Article 17 ND ND ND
Article 18 ND ND ND
Article 19 0.14 ND ND
Article 20 ND ND ND
Article 21 0.10 ND ND
Article 22 ND ND ND
Article 23 ND ND ND
Article 24 ND ND ND
Article 25 0.20 ND ND
Article 26 0.30 ND ND
Article 27 0.50 ND ND
Article 28 ND ND ND
Article 29 ND ND ND
Article 30 ND ND ND
+0.27 Microsoft says mandatory password changing is “ancient and obsolete” (2019) (arstechnica.com S:-0.07 )
797 points by Tomte 1776 days ago | 424 comments on HN | Mild positive Editorial · v3.7 · 2026-02-28 12:26:17
Summary Cybersecurity & Privacy Advocates
The article reports on Microsoft's policy shift away from mandatory periodic password changes, grounded in security research showing such practices harm security and user behavior. The content engages primarily with Articles 3 (personal security through effective practices), 12 (privacy protection via password strength), 19 (informed public discourse), 26 (security education), and 27 (scientific research), advocating evidence-based cybersecurity approaches that respect human dignity and actual threat protection.
Article Heatmap
Preamble: +0.20
Article 1 (Freedom, Equality, Brotherhood): +0.10
Article 2 (Non-Discrimination): ND
Article 3 (Life, Liberty, Security): +0.30
Article 4 (No Slavery): ND
Article 5 (No Torture): ND
Article 6 (Legal Personhood): ND
Article 7 (Equality Before Law): ND
Article 8 (Right to Remedy): +0.10
Article 9 (No Arbitrary Detention): ND
Article 10 (Fair Hearing): ND
Article 11 (Presumption of Innocence): ND
Article 12 (Privacy): +0.20
Article 13 (Freedom of Movement): ND
Article 14 (Asylum): ND
Article 15 (Nationality): ND
Article 16 (Marriage & Family): ND
Article 17 (Property): ND
Article 18 (Freedom of Thought): ND
Article 19 (Freedom of Expression): +0.14
Article 20 (Assembly & Association): ND
Article 21 (Political Participation): +0.10
Article 22 (Social Security): ND
Article 23 (Work & Equal Pay): ND
Article 24 (Rest & Leisure): ND
Article 25 (Standard of Living): +0.20
Article 26 (Education): +0.30
Article 27 (Cultural Participation): +0.50
Article 28 (Social & International Order): ND
Article 29 (Duties to Community): ND
Article 30 (No Destruction of Rights): ND
Aggregates
Editorial Mean +0.27 Structural Mean -0.07
Weighted Mean +0.24 Unweighted Mean +0.21
Max +0.50 Article 27 Min +0.10 Article 1
Signal 10 No Data 21
Volatility 0.12 (Low)
Negative 0 Channels E: 0.6 S: 0.4
SETL +0.43 Editorial-dominant
FW Ratio 55% 16 facts · 13 inferences
Evidence 22% coverage
5H 2M 3L 21 ND
Theme Radar
Foundation: 0.15 (2 articles)
Security: 0.30 (1 articles)
Legal: 0.10 (1 articles)
Privacy & Movement: 0.20 (1 articles)
Personal: 0.00 (0 articles)
Expression: 0.12 (2 articles)
Economic & Social: 0.20 (1 articles)
Cultural: 0.40 (2 articles)
Order & Duties: 0.00 (0 articles)
HN Discussion 20 top-level · 30 replies
abunuwas 2021-04-19 16:05 UTC link
I welcome websites removing mandatory password rotation. And it's true that rotating passwords doesn't necessarily reduce the chances of having it brute-forced. But that's not the point of changing passwords every so often. Rotating passwords is useful because a security vulnerability in the site or some mistake on your part can get the password exposed. You're not trying to protect yourself against super hackers (that's the website's responsibility), but against your own mistakes.
ocdtrekkie 2021-04-19 16:07 UTC link
It's no longer a recommended industry standard, but unfortunately, it is still basically required, because many compliance policies have not updated. I would be shocked if at least some of Microsoft is still required to employ password rotation policies because of their own compliance requirements.

At least one policy I am looking at maintains the 90 day rotation requirement if you use basic password authentication, but offers alternative options for compliance with other authentication features. But even most of those tend to have yearly rotation requirements.

post_break 2021-04-19 16:07 UTC link
Tell that to my office 365 please. I'm sick of changing it. It's stressful for me and I'm often worried I'll get locked out at a very bad time.
qw3rty01 2021-04-19 16:08 UTC link
The article kinda misses the reason why mandatory password changes existed in the first place -- unknown breaches. The idea was that if there was an undetected breach, the attacker would have a maximum of the mandatory password change to use credentials. You would still have mandatory password changes upon discovering a breach, which would reset the counter. And the article wasn't very clear as to why this is no longer recommended, but when mandatory password changes are enforced, users tend to make new passwords which are trivial to crack if you have a known old password. So if there's an unknown (or even known) breach, users will tend to make a new password which an attacker can easily guess given the older known passwords, losing any benefit gained from mandatory password changes. And this is worse than not having mandatory password changes, because rare password changes (when a breach is discovered) don't put people into the habit of just iterating off of an old password.
wil421 2021-04-19 16:09 UTC link
The company I work for is one of the large(est) “FinTech” conglomerates. After talking to a lot of our security folks they agree about not changing passwords but are unable due to PCI and Federal standards/audits.

We have to adhere to outdated security practices simply because the auditors will flip out and the documented controls in government mandates. Section “10.12.3.4” says you must rotate passwords.

tylermenezes 2021-04-19 16:14 UTC link
Fun fact, Microsoft requires all their vendors to have mandatory password rotation.
cryptica 2021-04-19 16:35 UTC link
Mandatory password changes never made any sense. It's especially terrible when systems don't allow users to re-use previous passwords.

It forces users to keep inventing new passwords which they can never remember, then they end up writing the passwords on post-it-notes and sticking them on their computer screens where everyone can see.

Same issue with forcing people to use special characters in their passwords; it makes people choose passwords that they can't remember.

I've used systems where the situation became so out of control that I literally had to go through the entire 'forgot your password' (reset password) flow every single time I wanted to log in. That was the fastest way for me to log into that service.

pianoben 2021-04-19 16:42 UTC link
Microsoft has been saying this since before FTA, but nobody seems to have told corporate IT. When I was there (2015-2019), we had to change our passwords every six months.
kipchak 2021-04-19 16:46 UTC link
I believe this has been Microsoft's guidance as far back as 2016, with the caveat of using Azure AD risk analysis /MFA.[1]

>Password expiration policies do more harm than good, because these policies drive users to very predictable passwords composed of sequential words and numbers which are closely related to each other (that is, the next password can be predicted based on the previous password). Password change offers no containment benefits cyber criminals almost always use credentials as soon as they compromise them.

>Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. Experiments have shown that users do not choose a new independent password; rather, they choose an update of the old one. There is evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily.

>One study at the University of North Carolina found that 17% of new passwords could be guessed given the old one in at most 5 tries, and almost 50% in a few seconds of un-throttled guessing. Furthermore, cyber criminals generally exploit stolen passwords immediately.

[1]https://www.microsoft.com/en-us/research/wp-content/uploads/...

artful-hacker 2021-04-19 16:49 UTC link
The guy who first recommended rotation "has since come out and apologized about the first iteration of the NIST guidelines"[1]

Password rotation has always been a bad idea.

https://labs.bishopfox.com/industry-blog/2018/08/password-se...

gonehome 2021-04-19 17:10 UTC link
Agreed - there's so much I find frustrating about how companies manage passwords in addition to mandatory changing.

- Maximum length requirements (often secret until you try to put a password in)

- Requiring some symbols, but not others

- Silent truncation of the password without telling you

- Failure because the password is too long, but the error says something else (like missing symbol)

This isn't just small unknown companies either. If you use a password longer than 32chars in Zoom when creating your account it just truncates the remaining without telling you. Login works on the websites, but if you try to login via the client it fails. If I manually backspace to 32chars it works. I tried to tell it to their US Twitter support and they just kept sending me a password reset link so I gave up (they're a bad company anyway [0]). Tmobile's website used to do the same thing, except worse because it would truncate on creation but not on validation.

How is this not standardized in some sane way?

An old credit union I was part of in NY (SEFCU) mandated passwords with exactly 6 characters. When I complained about this I was told it was secure because they forced one of the characters to be a symbol.

[0]: https://zalberico.com/essay/2020/06/13/zoom-in-china.html

ben509 2021-04-19 17:22 UTC link
> Microsoft employee Aaron Margosis said the requirement is an “ancient and obsolete mitigation of very low value.”

That kind of magical thinking is what got us mandatory password rotation in the first place.

Password rotation has a kernel of truth: automated credential rotation really works, and sometimes you need to force manual rotations to migrate to a newer hash algorithm, and I'll bring up another reason for it.

But the main reason we have password rotation is people have some magical belief that a credential gets "old" so we have to freshen it up.

Security rules are the same: they work, or they don't, and that can be very complicated due to human factors. But they don't "get old" and magically lose their effectiveness. If password rotation is broken, it's always been broken.

> Chief among them, the requirements encourage end users to choose weaker passwords than they otherwise would. A password that had been “P@$$w0rd1” becomes “P@$$w0rd2” and so on.

Not true. If they hadn't been forced to rotate, they would have stuck with P@$$w0rd1 the whole time, and P@$$w0rd2 is not weaker than that.

> At the same time, the mandatory changes provide little security benefit, since passwords should be changed immediately in the event of a real breach rather than after a set amount of time prescribed by a policy.

There is a clear benefit, especially for large enterprise systems: a periodic password change does put a limit on when the attacker could have used the password.

So when a credential is exploited, if you're rotating yearly, you only need to search back at most a year to figure out the scope of the breach.

I don't know how much of a benefit this is, in practice. Maybe someone who has done a real log dive can comment.

The only certainty is that you must never have passwords older than logs.

> If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password?

They get this right.

jimnotgym 2021-04-19 17:46 UTC link
I knew an old hack IT guy who had a spreadsheet full of users' passwords which he obtained through demanding them when their computers needed fixing. Rotation dealt with that particular issue!

Then somewhere else I read an IT policy that said 'You will be assigned a password by IT, do not change it.'

I have seen numerous cases of IT support asking users passwords to make fixing a machine more permanent. I have seen more than one where they kept that record.

I have also seen lots of cases of, 'I have their passwords so I can log in to their email when they are away'. We know it is stupid, but these smart people didn't.

That is why I still rotate passwords, I know some will be compromised internally. I do it on a slow schedule though.

korethr 2021-04-19 18:00 UTC link
And yet, there are Fortune 100 financial institutions that require their vendors to have a policy of mandatory 30 day rotation for sysadmins and 90 days for non-privileged persons. Companies that don't have and enforce said policy are unqualified for the privilege of vendorhood. Pointing out this Microsoft paper, the NIST guidelines, or the NCSC guidelines will just get the subcontracted droids giving you a negative mark on your annual vendor security assessment.

No, I am not jaded or bitter on this topic. Why do you ask?

nixpulvis 2021-04-19 18:16 UTC link
Rotating passwords every so often is good advice, and I find it unlikely to discover a good reason not to.

With a password manager, this process is pretty painless, if not automatic.

Mandating it for my Hello Kitty: Island Adventure account seems a bit heavy-handed though.

Rather than pulling back the recommendations, we should really be implementing open standards for automatic rotations that don't rely on reverse engineering / implementing various third party reset password flows.

slver 2021-04-19 18:36 UTC link
Isn't it weird when all of us individually knew forced password change is more harm than benefit, but it took literally decades for this to become institutionally admitted?

Just imagine, maybe a subset of neurons inside your brains have amazing ideas that could change your life, but it might take decades (or never) for them to surface to the conscious level where you realize "oh, I have an idea".

How to make sure organizations are not less than the sum of their parts?

dathinab 2021-04-19 19:09 UTC link
I would go further: "passwords are ancient and (should be) obsolete".

If you can, don't rely on passwords, use hardware security keys and protocols like U2F and other FIDO2-related protocols. Sure, you might still have a PIN, but now you rely much less on it so it can be much simpler.

If you can't, use word phrases instead of passwords, e.g. 4 randomly selected words, and yes, randomly selected for the user, not chosen by the user. But with a way to "re-roll" when setting the pass phrase.

As a side effect of being more secure (than normal remembered passwords) and easier to remember. As a benefit they are also easier to insert on phones with swipe keyboards and have some nice tricks wrt. internationalization you could use. (Make sure they still work with password managers.)

Practically maybe not possible currently, but if you already rely on a password manager there is technically very little reason not to replace passwords with a U2F/FIDO-like process connecting to the password manager. This might be less secure than a HSK but still nice. Ah, anyway that's currently not a thing.

Lastly, if your service isn't generally "security sensitive" and login sessions tend to be long, consider login links sent to your password reset email. Especially if combined with password-less FIDO auth based on the browser + TPM this can be a nice approach (you use password-reset-like links to set up password-less FIDO auth on the given device).

freeflight 2021-04-19 19:22 UTC link
Tbh I don't trust passwords to keep my accounts safe, it's 2FA all the way.

Passwords have this nasty tendency to get leaked, one of my older e-mail accounts is listed in 12 different breaches on haveibeenpwned.com

And while the ideal is not to reuse passwords, keeping that practice up with the number of accounts that are nowadays required with a somewhat digital lifestyle is kind of impossible, short of using a password manager.

But then you are locked into a password manager and gotta hope it works on all the devices you gonna need your passwords on or else you will be stuck manually putting in long and complex passwords.

rootusrootus 2021-04-19 19:33 UTC link
I blame Microsoft for most of the password policies my company implemented years ago and won't change. Mandatory password changes included.

While on my soapbox, I'd like to tell them that it's really dumb to count multiple attempts of the same password individually and then lock you out after you attempt the same password three times. And your most recent password should count as zero attempts. These kinds of dumb policies only hurt legitimate users and do nothing to improve actual security.

raldi 2021-04-20 02:11 UTC link
Best password policy I ever lived under was the graduate computer lab at the university. The admins just left a password cracker running continuously, and when it got your password, it was time to change it.
dheera 2021-04-19 16:12 UTC link
Yep. Every time a website asks me to rotate a password I end up using a bad password for a while and rotating it later.
ocdtrekkie 2021-04-19 16:12 UTC link
Yeah, I think there's value in it, but if you don't have a way to prevent "plus one passwords", it probably isn't super effective anyways. It may be a case where frustrating the user four times a year isn't worth it... maybe just frustrating them once a year will lead people to put more effort into making their passwords suitably different.
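Added example (not part of the comment above, and not code from any product named on this page): one way a password-change handler could reject the "plus one" passwords discussed in this thread. It assumes the handler holds the current password in plaintext only because the user just typed it to authorize the change; the function names, substitution table and `max_edits` threshold are hypothetical.

```python
import re

# Character substitutions undone before comparing base words (constructed table).
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})


def skeleton(password):
    """Case-fold, strip leading/trailing digits and symbols, undo substitutions."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.casefold())
    return core.translate(LEET)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def derivation_reason(old, new, max_edits=2):
    """Return why `new` is predictable from `old`, or None if it looks independent.

    This needs both plaintexts, so it can only run at change time. It cannot be
    applied to a stored history of salted hashes, and keeping old passwords in
    recoverable form just to run it would be worse than the problem it solves.
    """
    o, n = old.casefold(), new.casefold()
    if old == new:
        return "identical"
    if o == n:
        return "case-only"
    base_old, base_new = skeleton(old), skeleton(new)
    if base_old and base_old == base_new:
        return "same-base"      # e.g. only the counter or the symbols changed
    if (len(o) >= 4 and o in n) or (len(n) >= 4 and n in o):
        return "contains"       # old password with something bolted on
    if edit_distance(o, n) <= max_edits:
        return "near-edit"
    return None


if __name__ == "__main__":
    # Constructed pairs; the first two mirror examples quoted in this thread.
    for pair in [("P@$$w0rd1", "P@$$w0rd2"),
                 ("Dictionaryword23", "Dictionaryword24"),
                 ("hunter2", "vK9#mQ2x-Lp7wZ")]:
        print(pair, "->", derivation_reason(*pair))
```
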
cratermoon 2021-04-19 16:19 UTC link
You'd have to make users change their password every day to fend off undetected breaches now.
muttled 2021-04-19 16:28 UTC link
A better focus for security efforts is detection of compromise. For example, say you detect a user has signed in from 2 different countries in a short window or perhaps malware signs are discovered in their cloud storage. Perhaps MFA is failing often for a user meaning an attacker is successfully using a password but is unable to get past confirmation on the user's phone.
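Added example (not part of the comment above): the two sign-in signals it names, a country change inside a short window and repeated MFA failures after a correct password, written as detection rules over sign-in events. The event layout, thresholds and sample rows are constructed for illustration and do not come from any real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (time, user, country, password_ok, mfa_ok).
# mfa_ok is None when the attempt never reached the MFA step.
EVENTS = [
    ("2021-04-19T08:00:00", "alice", "US", True, True),
    ("2021-04-19T08:40:00", "alice", "BR", True, True),
    ("2021-04-19T09:00:00", "bob", "DE", True, False),
    ("2021-04-19T09:02:00", "bob", "DE", True, False),
    ("2021-04-19T09:05:00", "bob", "DE", True, False),
    ("2021-04-19T10:00:00", "carol", "FR", True, True),
    ("2021-04-20T10:00:00", "carol", "JP", True, True),
    ("2021-04-19T11:00:00", "dave", "US", False, None),
]


def detect(events, travel_window_hours=2, mfa_window_minutes=15, mfa_threshold=3):
    """Return (user, rule, time) alerts, ordered by user name."""
    travel_window = timedelta(hours=travel_window_hours)
    mfa_window = timedelta(minutes=mfa_window_minutes)

    by_user = defaultdict(list)
    for ts, user, country, pw_ok, mfa_ok in events:
        by_user[user].append((datetime.fromisoformat(ts), country, pw_ok, mfa_ok))

    alerts = []
    for user, rows in sorted(by_user.items()):
        rows.sort(key=lambda r: r[0])

        # Rule 1: consecutive fully successful sign-ins from different countries
        # inside the window. VPNs and roaming will trip this, so treat it as a
        # prompt for review rather than proof of compromise.
        good = [(t, c) for t, c, pw, mfa in rows if pw and mfa]
        for (t1, c1), (t2, c2) in zip(good, good[1:]):
            if c1 != c2 and t2 - t1 <= travel_window:
                alerts.append((user, "country-change", t2))

        # Rule 2: the password was accepted but MFA failed, mfa_threshold times
        # inside the window. The password is probably known to someone who does
        # not hold the second factor, so this is a reason to force a reset.
        fails = [t for t, c, pw, mfa in rows if pw and mfa is False]
        for i in range(len(fails) - mfa_threshold + 1):
            last = fails[i + mfa_threshold - 1]
            if last - fails[i] <= mfa_window:
                alerts.append((user, "password-ok-mfa-failed", last))
                break  # one alert per user is enough to open a case

    return alerts


if __name__ == "__main__":
    for user, rule, when in detect(EVENTS):
        print(when.isoformat(), user, rule)
```
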
muttled 2021-04-19 16:40 UTC link
Wording is important too. You can't say something you'd like to move to "no passwords." You might get further with "password-less."
aequitas 2021-04-19 16:44 UTC link
I can't honestly think of any website that enforces password rotation. Except for corporate application websites, which I would consider applications that fall under my company's password security regime.

I wouldn't want to imagine a world where every website would force me to rotate my password, each with its own interval and method. Imagine the upkeep time cost.

artful-hacker 2021-04-19 16:45 UTC link
PCI-DSS is commonly cited as having this requirement, and it's a huge pain in my ass.
naikrovek 2021-04-19 16:54 UTC link
do attackers wait to use passwords months after they've compromised those passwords? or, do they give themselves other ways to maintain their access so that no passwords stand in their way from that point on?

it's the latter, not the former. once you're compromised, passwords, changed or not, are no longer an obstacle at all.

password rotation does not increase security.

user3939382 2021-04-19 16:58 UTC link
To clarify, he was apologizing for everything in those obsolete guidelines including the complexity requirements. Apparently DHS didn't get the memo: https://studyinthestates.dhs.gov/sevis-help-hub/sevis-basics...
bombcar 2021-04-19 17:06 UTC link
Mandatory password rotation does help in one place - when passwords to an account are shared.

So if Microsoft Employees 1,2,3 share a password to Vendor X's system, and employee 2 moves to another part of the company or leaves, the shared password will eventually change and employee 2 won't know it anymore.

andi999 2021-04-19 17:19 UTC link
Actually the fastest possible way to detect unknown breaches on the user side is to show your last login time. (On the server side is looking for IP patterns)
mr_smith434 2021-04-19 17:20 UTC link
My favorite is silent truncation on the signup page but not on the login page.

> I paste in my password. It gets cut off to N characters by the form.
> I paste that same password on the login page. There is no character limit on the login form.

0xffff2 2021-04-19 17:27 UTC link
Huh? Microsoft doesn't require password rotation AFAIK. Are you talking about a work account where your org has mandated password rotation?
vladvasiliu 2021-04-19 17:32 UTC link
> Silent truncation of the password without telling you

Bonus points for truncating the password differently in the login form and the password change form. Now you can't login anymore!

> Failure because the password is too long, but the error says something else (like missing symbol)

A few years ago the local City government in Paris put out some new app to pay for parking. You'd have to create an account and give them your credit card[0]. When I saw they had some ridiculous maximum password length, something like 8 characters, I decided that I could actually take the five minutes to pay in person.

I haven't tried the app ever since, so no idea if this crazy limitation is still in effect.

---

[0] There was no option to give the credit card on each payment, they had to save it on file. Of course, they weren't aware that local banks were rolling out credit cards with changing verification codes, so some cards would've had to be re-entered anyway...

xxpor 2021-04-19 17:37 UTC link
My understanding is the biggest driver of still having mandatory password rotation is PCI (the payments security requirements, not the bus)
jackson1442 2021-04-19 17:41 UTC link
> An old credit union I was part of in NY (SEFCU) mandated passwords with exactly 6 characters. When I complained about this I was told it was secure because they forced one of the characters to be a symbol.

For a bank?! And here I am complaining that Chase doesn't support application-based OTP. I hope you ran far far away from that CU.

strifey 2021-04-19 17:53 UTC link
Schwab used to do the "silently truncate to 8 chars" fail, but they _also_ silently changed all chars to upper/lower so the password was case insensitive.

Still can't believe they were allowed to have such a bad and secret password policy for so long.

hobs 2021-04-19 17:54 UTC link
I have worked for several companies where when I started they actively promoted this practice to make it "easier" for devs to "fix" things.

Each time it has been a huge political battle to get people to do the most basic not insane things to have even the most basic security.

I bet there's a looot of company websites where CompanyName123 is the default password.

TranceMan 2021-04-19 18:05 UTC link
Is this similar to Enigma decoding - whereby the 'encoding' key was reasonably predictable and not random due to new keys being required to be generated regularly?
ajford 2021-04-19 18:22 UTC link
A shitty local bank back home truncated without telling you as well. Didn't realize it until they rolled out a mobile app and my password didn't work. After complaining about it, a friend who worked at said bank as a teller said to try truncating to 8 chars and it worked. :rage:

Apparently it was known internally, as they used some ancient system behind the scenes that would only support a max of 8 chars, and the website just truncated your password and passed that on. The new app didn't truncate and would get an error response.

kelnos 2021-04-19 18:40 UTC link
> Rotating passwords every so often is good advice

Why, though? The article debunks, with evidence, the usual reasons people give for requiring rotations.

If something doesn't measurably increase security, we should scrap it.

nixpulvis 2021-04-19 18:41 UTC link
I should add that a password which you actually need to remember, like the master password to a password manager, should never be used online. The more isolation you can maintain the better. This way offline attacks against stolen hashes are unlikely to find anything, since they will only contain randomly generated passwords.
robbyking 2021-04-19 19:59 UTC link
> These policies drive users to very predictable passwords

I used to do a lot of contract work for the Clarke County School District in Athens, GA. For "security" reasons they weren't able to create domain accounts for people who weren't full time employees, so I'd often have to track down the IT manager to gain access to servers I was working on.

He eventually got sick of having to drop what he was doing a dozen times a day, so one day he just gave me his password: a dictionary word followed by the number 23. Eventually the password failed, and he gave me his new password: that same dictionary word followed by a 24.

Fast forward a few years and I'm back installing some updates, and before I get to work he hands me a slip of paper, on which he had written Dictionaryword29.

dredmorbius 2021-04-19 20:18 UTC link
Rotating (or required change) on some circumstantial criterion (the old password is known or suspected to be compromised, system update, etc.) is entirely valid.

Forced scheduled frequent password updates are not and worsen rather than improve security. That's the point here.

In environments in which data leakage probability is high, and detection capabilities poor, periodic password changes are a defensible risk-mitigation measure, though in practice unless new tokens are themselves robust, the practice backfires. The problem is that both sides of the risk calculus need to be considered --- compromised token validity period, and token strength. People being people, the first is actually the safer risk to take.

marcosdumay 2021-04-19 20:21 UTC link
The fact that all of those are created to circumvent some other stupid and baseless security policy speaks loudly. (Except the second, that one is the policy itself.)
krupan 2021-04-19 20:47 UTC link
This!! Passwords are old and obsolete. We should have stopped using them years ago
pitaj 2021-04-19 20:53 UTC link
Recently had a long discussion over email with an executive security officer of my company regarding this topic. Their conclusion was basically "until the standards change this is how it will be".
sneak 2021-04-19 21:30 UTC link
> Isn't it weird when all of us individually knew forced password change is more harm than benefit, but it took literally decades for this to become institutionally admitted?

The US bank I recently opened an account with (in 2021) is in the S&P 500, publicly traded. The only form of 2FA they support is SMS or some proprietary hardware keychain LCD thing they don't give out for free (which I assume is the M+A great grandchild of those RSA TOTP fobs that were the fad in the 90s).

It's not weird. Most security organizations are wholly incompetent, doing cargo cult security nonsense "because that's the way we've always done it".

hsbauauvhabzb 2021-04-19 21:31 UTC link
It’s worth noting that MFA solves credential sprays but not targeted phishing
Editorial Channel
What the content says
+0.50
Article 3 Life, Liberty, Security
High Advocacy Coverage
Editorial
+0.50
SETL
+0.50

Article directly advocates for security practices that meaningfully protect personal security against real attacks. Cites research on attack vectors (dictionary attacks, graphics-card-accelerated cracking) and recommends 11+ character random passwords as effective countermeasure.

+0.50
Article 27 Cultural Participation
High Coverage
Editorial
+0.50
SETL
ND

Article extensively cites and discusses scientific research on password security, presenting expert consensus and research findings as basis for policy change.

+0.40
Article 12 Privacy
High Advocacy Coverage Practice
Editorial
+0.40
SETL
+0.45

Article positions strong password security as foundational to privacy protection, advocating for practices that prevent unauthorized account and data access.

+0.30
Article 19 Freedom of Expression
High Coverage Practice Framing
Editorial
+0.30
SETL
+0.35

Article presents research-based arguments and expert perspectives (Microsoft, FTC, security researchers) freely, supporting informed public discussion of security policy.

+0.30
Article 26 Education
High Coverage
Editorial
+0.30
SETL
ND

Article educates readers about password security research, attack methodologies (dictionary attacks, graphics-card acceleration, pattern modification), and evidence-based best practices.

+0.20
Preamble Preamble
Medium Framing
Editorial
+0.20
SETL
ND

Article frames evidence-based cybersecurity policy as superior to prescriptive mandates, reflecting respect for human judgment and rational governance.

+0.20
Article 25 Standard of Living
Medium Coverage Advocacy
Editorial
+0.20
SETL
ND

Article frames password security as essential to protecting user accounts and personal information in contemporary digital life, contributing to adequate standard of living.

+0.10
Article 1 Freedom, Equality, Brotherhood
Low Coverage
Editorial
+0.10
SETL
ND

Article discusses security best practices that apply universally to 'end users' as a class, with equal concern for all users' security outcomes.

+0.10
Article 8 Right to Remedy
Low Coverage
Editorial
+0.10
SETL
ND

Article mentions breach response as proper remedy context, noting passwords 'should be changed immediately in the event of a real breach.'

+0.10
Article 21 Political Participation
Low Coverage
Editorial
+0.10
SETL
ND

Article reports corporate policy changes affecting user security practices, enabling public awareness and informed discussion of policies that affect them.

ND
Article 2 Non-Discrimination

Not directly engaged.

ND
Article 4 No Slavery

Not engaged.

ND
Article 5 No Torture

Not engaged.

ND
Article 6 Legal Personhood

Not engaged.

ND
Article 7 Equality Before Law

Not engaged.

ND
Article 9 No Arbitrary Detention

Not engaged.

ND
Article 10 Fair Hearing

Not engaged.

ND
Article 11 Presumption of Innocence

Not engaged.

ND
Article 13 Freedom of Movement

Not engaged.

ND
Article 14 Asylum

Not engaged.

ND
Article 15 Nationality

Not engaged.

ND
Article 16 Marriage & Family

Not engaged.

ND
Article 17 Property

Not engaged.

ND
Article 18 Freedom of Thought

Not engaged.

ND
Article 20 Assembly & Association

Not engaged.

ND
Article 22 Social Security

Not engaged.

ND
Article 23 Work & Equal Pay

Not engaged.

ND
Article 24 Rest & Leisure

Not engaged.

ND
Article 28 Social & International Order

Not engaged.

ND
Article 29 Duties to Community

Not engaged.

ND
Article 30 No Destruction of Rights

Not engaged.

Structural Channel
What the site does
0.00
Article 3 Life, Liberty, Security
High Advocacy Coverage
Structural
0.00
Context Modifier
ND
SETL
+0.50

Website operates with standard security infrastructure; no unique structural contribution to personal security observed on this article.

-0.10
Article 12 Privacy
High Advocacy Coverage Practice
Structural
-0.10
Context Modifier
ND
SETL
+0.45

Website implements paywall restricting access to security and privacy content; user data may be tracked for analytics and advertising.

-0.10
Article 19 Freedom of Expression
High Coverage Practice Framing
Structural
-0.10
Context Modifier
ND
SETL
+0.35

Website enables reader expression through comments section (265 visible), but paywall limits participation and visibility for non-subscribers.

ND
Preamble Preamble
Medium Framing

Not applicable.

ND
Article 1 Freedom, Equality, Brotherhood
Low Coverage

Not applicable.

ND
Article 2 Non-Discrimination

Not directly engaged.

ND
Article 4 No Slavery

Not engaged.

ND
Article 5 No Torture

Not engaged.

ND
Article 6 Legal Personhood

Not engaged.

ND
Article 7 Equality Before Law

Not engaged.

ND
Article 8 Right to Remedy
Low Coverage

Not applicable.

ND
Article 9 No Arbitrary Detention

Not engaged.

ND
Article 10 Fair Hearing

Not engaged.

ND
Article 11 Presumption of Innocence

Not engaged.

ND
Article 13 Freedom of Movement

Not engaged.

ND
Article 14 Asylum

Not engaged.

ND
Article 15 Nationality

Not engaged.

ND
Article 16 Marriage & Family

Not engaged.

ND
Article 17 Property

Not engaged.

ND
Article 18 Freedom of Thought

Not engaged.

ND
Article 20 Assembly & Association

Not engaged.

ND
Article 21 Political Participation
Low Coverage

Not applicable.

ND
Article 22 Social Security

Not engaged.

ND
Article 23 Work & Equal Pay

Not engaged.

ND
Article 24 Rest & Leisure

Not engaged.

ND
Article 25 Standard of Living
Medium Coverage Advocacy

Not applicable.

ND
Article 26 Education
High Coverage

Not applicable.

ND
Article 27 Cultural Participation
High Coverage

Not applicable.

ND
Article 28 Social & International Order

Not engaged.

ND
Article 29 Duties to Community

Not engaged.

ND
Article 30 No Destruction of Rights

Not engaged.

Supplementary Signals
How this content communicates, beyond directional lean.
Epistemic Quality
How well-sourced and evidence-based is this content?
0.78 low claims
Sources
0.8
Evidence
0.8
Uncertainty
0.7
Purpose
0.8
Propaganda Flags
No manipulative rhetoric detected
0 techniques detected
Emotional Tone
Emotional character: positive/negative, intensity, authority
measured
Valence
+0.2
Arousal
0.3
Dominance
0.5
Transparency
Does the content identify its author and disclose interests?
1.00
✓ Author
More signals: context, framing & audience
Solution Orientation
Does this content offer solutions or only describe problems?
0.62 solution oriented
Reader Agency
0.6
Stakeholder Voice
Whose perspectives are represented in this content?
0.65 3 perspectives
Speaks: corporation, institution
About: individuals, corporation
Temporal Framing
Is this content looking backward, at the present, or forward?
mixed long term
Geographic Scope
What geographic area does this content cover?
global
United States
Complexity
How accessible is this content to a general audience?
moderate medium jargon general
Audit Trail 9 entries
2026-02-28 12:26 model_divergence Cross-model spread 0.28 exceeds threshold (3 models) - -
2026-02-28 12:26 eval Evaluated by claude-haiku-4-5-20251001: +0.24 (Mild positive)
2026-02-28 11:46 eval_success Lite evaluated: Neutral (0.00) - -
2026-02-28 11:46 rater_validation_warn Lite validation warnings for model llama-3.3-70b-wai: 0W 1R - -
2026-02-28 11:46 model_divergence Cross-model spread 0.28 exceeds threshold (2 models) - -
2026-02-28 11:46 eval Evaluated by llama-3.3-70b-wai: 0.00 (Neutral)
2026-02-28 11:37 eval_success Lite evaluated: Mild positive (0.28) - -
2026-02-28 11:37 eval Evaluated by llama-4-scout-wai: +0.28 (Mild positive)
2026-02-28 11:37 rater_validation_warn Lite validation warnings for model llama-4-scout-wai: 0W 1R - -