Me /tries to do a quick something
site: enter your password
Me: fine
site: enter your one-time code
Me: already? but fine
site: your password will expire in 6 days. Change it now
Me: 🤬
Password policy: updating your approach

Advice for system owners responsible for determining password policies and identity management within their organisations.

@mfowler can you please tell my employers that?
@rowdypixel @mfowler And the group policy editor should bring up a message box on that screen any time the force password change is checked and say in all caps, "THIS IS BAD!"
@rowdypixel @mfowler If your company is looking for a new IT Director, help me get hired and I will get that fixed in my first month on the job. =)
@AGTMADCAT @rowdypixel @mfowler we have a partner who insists on 3-month password expiry to permit access to their IP. At least I have the option to refuse to be in their club. Otherwise I'd have xyz123{YY}{QQ} for a password. Let's wait for someone to ban all variations of that pattern now...
NIST SP 800-63 Digital Identity Guidelines-FAQ

@dws @mfowler I truly believe people have summarized it as above, but not considered that in order to fully disband this control, you need much better detection of and response to indicators of account compromise than many have. Is it better to not require password changes? A resounding YES - if you are really good at disabling compromised accounts.
@ericgalis @dws @mfowler if an account is compromised changing the password will almost never fix the compromise.
@Geoff @dws @mfowler the most common ways an account is compromised are through password reuse or phishing, so if you identify that pattern on first login, you can prevent a lot of bad stuff from happening. Password reset times nowadays are just dwell time reducers. I agree, not particularly effective.
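The replies above argue that rotation only makes sense as a fallback when you cannot detect and respond to compromise indicators, and that the common compromise path (reuse, phishing, stuffing) is visible at login time. The following is an added example, not code from the thread or from any product mentioned in it: a small detector that runs over a constructed, hypothetical auth log and flags a successful login from a source address that had just failed against many distinct accounts (the shape of a password-spray or credential-stuffing run). The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format: ISO time, source IP,
# username, result). One address fails against many different accounts in
# quick succession and then succeeds for one of them; a second address is a
# normal user mistyping once; a third is an ordinary login.
SAMPLE_LOG = """\
2024-03-04T09:00:01 203.0.113.5 alice FAIL
2024-03-04T09:00:02 203.0.113.5 bob FAIL
2024-03-04T09:00:03 203.0.113.5 carol FAIL
2024-03-04T09:00:04 203.0.113.5 dave FAIL
2024-03-04T09:00:05 203.0.113.5 erin FAIL
2024-03-04T09:00:06 203.0.113.5 frank FAIL
2024-03-04T09:00:07 203.0.113.5 grace OK
2024-03-04T09:05:00 198.51.100.7 alice FAIL
2024-03-04T09:05:04 198.51.100.7 alice OK
2024-03-04T11:30:00 192.0.2.9 bob OK
"""


def parse_auth_log(text):
    """Parse the constructed log into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_spray_logins(events, window=timedelta(minutes=10), min_targets=5):
    """Return the set of (ip, user) pairs for successful logins from a source
    that failed against at least `min_targets` distinct accounts within the
    preceding `window`. Thresholds are assumptions for the example."""
    recent_failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    flagged = set()
    for ts, ip, user, ok in sorted(events):
        # Forget failures that have aged out of the sliding window.
        recent_failures[ip] = [(t, u) for t, u in recent_failures[ip]
                               if ts - t <= window]
        if ok:
            targets = {u for _, u in recent_failures[ip]}
            if len(targets) >= min_targets:
                flagged.add((ip, user))
        else:
            recent_failures[ip].append((ts, user))
    return flagged


if __name__ == "__main__":
    for ip, user in sorted(find_spray_logins(parse_auth_log(SAMPLE_LOG))):
        print(f"compromise indicator: {user} logged in from {ip} after a spray")
```

The flagged (ip, user) pair is the account you would reset or disable on the spot, which is the targeted response the thread contrasts with calendar-driven rotation. A single failed attempt followed by success (the second address) is ordinary user behaviour and is not flagged.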
@mfowler And there is no evidence behind the common requirement to change passwords on a schedule, someone at NIST thought it sounded like a good idea decades ago and most of us have been forced to do it ever since.
@MisuseCase @mfowler I personally change mine after each dictionary attack. once they get to like the G's I'll change it to start with an F 🤣 jk jk
@mfowler I'd argue that not being able to cut and paste is a major root cause. It makes using a password safe far less effective.
For machine logins, it's a lot harder. I'd argue we need to move away from domain or SSO for initial login so we can shrink the attack vector from the corporate domain to the physical machine. Then use something like a YubiKey to access the physical device.
@mfowler OK. Now I read the article. That's a fabulous resource. Thank you.
@mfowler It's remarkable how common this is.
"an attacker with access to the account will probably also receive the request to reset the password"
@mfowler It's such a beautiful, and rare, sight to behold when logical thought drives reduced end user friction by considering practical implications rather than a standard, guide, rule of thumb, or whatever other construct blindly followed without regard for common sense.
Is a Periodic Password Change a Good Thing?

Changing passwords periodically is conventional wisdom. I disagree, and then discuss whether periodic password change can even happen reliably.

Ask Leo!
@mfowler how else will I find those VMs I left logged in.
@mfowler And a reminder that "Winter2022!" is the next Official Password.
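Two replies in the thread (the xyz123{YY}{QQ} rotation scheme above, and "Winter2022!" here) describe what users actually do under forced rotation: keep a stem and bump the suffix. The block below is an added example, not code from the thread or from NIST or NCSC: a candidate-password screen in the style NIST SP 800-63B recommends (a length floor and a blocklist instead of composition rules and expiry), extended with checks for exactly those rotation derivatives. The blocklist is a constructed toy set, the regexes and the 0.8 similarity threshold are assumptions, and my reading of {QQ} as a quarter tag like Q1 is also an assumption; a real deployment would screen against a breached-password corpus.

```python
import re
from difflib import SequenceMatcher

# Constructed toy blocklist. A real deployment checks a breached-password
# corpus (for example the HIBP range API), not a handful of strings.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# "Winter2022!", "Summer23", "March2024#": a calendar word, a 2- or 4-digit
# year, and up to three trailing symbols.
_CALENDAR_YEAR = re.compile(
    r"^(?:" + "|".join(SEASONS + MONTHS) + r")(?:19|20)?\d{2}[^a-z0-9]{0,3}$",
    re.I)

# xyz123{YY}{QQ} family, read here as a 2-digit year plus a quarter tag
# such as 24Q1 at the end of the password (assumption).
_YEAR_QUARTER = re.compile(r"\d{2}q[1-4][^a-z0-9]{0,3}$", re.I)


def normalize(pw):
    """Lowercase and strip trailing digits/symbols so that 'Winter2022!' and
    'winter2023#' reduce to the same stem."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_password(candidate, previous=None, min_length=8, org_words=()):
    """Return a list of reasons to reject `candidate`; an empty list means
    it is acceptable. No composition rules are applied on purpose."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("too short")
    low = candidate.lower()
    if low in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        reasons.append("in common/breached list")
    if _CALENDAR_YEAR.match(candidate):
        reasons.append("season/month + year pattern")
    if _YEAR_QUARTER.search(candidate):
        reasons.append("year+quarter rotation suffix")
    for word in org_words:  # company name, product name, etc.
        if word.lower() in low:
            reasons.append(f"contains context word {word!r}")
    if previous:
        if normalize(candidate) == normalize(previous):
            reasons.append("only the trailing digits/symbols changed from previous")
        elif SequenceMatcher(None, low, previous.lower()).ratio() >= 0.8:
            reasons.append("too similar to previous password")
    return reasons


if __name__ == "__main__":
    for pw, prev in [("Winter2022!", None), ("Winter2023!", "Winter2022!"),
                     ("xyz12324Q1", "xyz12323Q4"), ("correct horse battery staple", None)]:
        print(f"{pw!r}: {check_password(pw, previous=prev) or 'OK'}")
```

Note what the screen does not do: it never demands an upper-case letter, a digit or a symbol, and it has no expiry date. The `previous` comparison is the one place where the old password is needed, and it is only meaningful at the moment of a change, which in this model happens on a compromise indicator rather than on a schedule.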
@mfowler Some of us have been saying this since last century.
@mfowler can someone please let ISO 27001 committee know, pretty please!!!
@mfowler And, in particular, FORCED password rotation is harmful because of the human response to being forced on a schedule, in my experience, that can be as short as 30 or 60 days. So dumb.
@mfowler I have said that for years. No password is very secure. A security expert I worked with once told me that tools were available that would crack any password in a few minutes. So as long as my password is not being passed around the dark net, why should I have to replace it and make up a new one every few months? I end up being reduced to something very simple.

@mfowler Thankfully not me, but I know someone who works at a company where the policy is to force employees to change work related passwords every three days.

Every three days.

It's not even a company working with sensitive information or handling secure documents. They work in the building trade 🤷‍♀️

@Jessica @mfowler Now I wonder. Is it: Monday and Thursday, or rotating based on every 3 >work< days? It feels excessive regardless, unless they work on some govt/military buildings. 

@hazardius @mfowler

I think it rotates every three working days, but I'll have to ask him.

And as far as I am aware, no government or military buildings. They focus on private businesses or homes.

I just wonder if there was a breach at some point and the security administrators are now hypervigilant 🤔 Because that's the only thing that remotely makes sense, though I still think it is overly excessive.

@Jessica @mfowler I work in tech and handle sensitive medical data. We change ours once every six months and are thinking about moving to annual. We still use the stupid symbol rule though. Longer human-memorable passphrases are far safer than short alphanumeric and symbolic trash that will inevitably be stuck into a browser's auto-remember pile, totally defeating the point.
@mfowler I wish more site designers / system owners understood this. Every time I get a message that my password is too old and must be changed I get a bit grumpy.

@mfowler @thegrugq

I’m 100% on board with this for users.

What about accounts with root/admin access?

@mfowler How many times have I said that at companies with "change your password every 30 days, it must be >= 12 characters, no words, no repeated sub-tokens from previous passwords, include an upper and lower case letters, numbers, symbols, and untypable characters....."
@mfowler wow, that’s what I always thought but I never had a study to back it up!