I really hate password/PIN code expiration. It WORSENS security, because you're forced to remember a new password/PIN and after forgetting it a few times will probably write it down. Or you might be tempted to use an easier to remember and less secure password.

NIST no longer recommends expiring credentials regularly. PLEASE STOP DOING THIS.
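As an added illustration of the SP 800-63B guidance this post refers to (example code written for this thread, not from the post, NIST or any product): a verifier-side policy that enforces a minimum length, screens new secrets against a blocklist of common and breached passwords, rejects context-specific values such as the username, and forces a change only on evidence of compromise rather than on a calendar. The blocklist is a constructed stand-in for a real breached-password corpus, and the 90-day rule is included only for comparison.

```python
from dataclasses import dataclass
from datetime import date
import unicodedata

# Constructed stand-in for a real blocklist of common, expected and breached
# passwords; the thread's own "letmein62" and "Mar88" are covered on purpose.
BLOCKLIST = {"password", "letmein", "qwerty", "12345678", "mar88"}

MIN_LEN = 8  # SP 800-63B floor for a memorized secret chosen by the subscriber


@dataclass
class Account:
    username: str
    last_changed: date
    compromised: bool = False  # set by incident response on evidence of compromise


def _canonical(secret: str) -> str:
    """NFKC-normalise (permitted by SP 800-63B) and lowercase for list matching."""
    return unicodedata.normalize("NFKC", secret).lower()


def check_new_secret(secret: str, account: Account, blocklist=BLOCKLIST) -> list:
    """Return the reasons a proposed secret is rejected; an empty list means accepted.

    There are intentionally no composition rules ("must contain a digit") and no
    "must differ from the last N" rule, both of which SP 800-63B tells verifiers
    not to impose."""
    s = _canonical(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too short")
    # Check both the secret and the secret with trailing digits stripped, so that
    # the "letmein62" pattern is caught by a list entry of "letmein".
    if s in blocklist or s.rstrip("0123456789") in blocklist:
        reasons.append("matches a blocklisted password")
    if account.username.lower() in s:  # context-specific words
        reasons.append("contains the username")
    return reasons


def needs_rotation(account: Account, today: date) -> bool:
    """Expiration-free policy: a change is forced only on evidence of compromise."""
    return account.compromised


def legacy_needs_rotation(account: Account, today: date, max_age_days: int = 90) -> bool:
    """The calendar-driven rule the thread complains about, kept for comparison."""
    return account.compromised or (today - account.last_changed).days >= max_age_days


if __name__ == "__main__":
    acct = Account("alice", last_changed=date(2023, 1, 1))
    for candidate in ["correct horse battery staple", "letmein62", "Mar88", "alice2023!"]:
        print(f"{candidate!r}: {check_new_secret(candidate, acct) or 'accepted'}")
    today = date(2023, 6, 1)
    print("rotation under 800-63B policy:", needs_rotation(acct, today))
    print("rotation under 90-day rule:   ", legacy_needs_rotation(acct, today))
```

The blocklist lookup is where the real work lies in production: the constructed set above should be replaced by a large breached-password corpus, ideally queried via a k-anonymity range API so the candidate secret never leaves the verifier.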

@zorinlynx Shout-out to my employer that requires password changes every *three months*.
@Lutrulo @zorinlynx My current employer also does this, but my previous one required it every single month. It was madness.
@Lutrulo @zorinlynx we have to change the codes for our phones every 3 months. Until recently, passwords were every 2.
@tango @Lutrulo Hopefully work phones? I'd be angry if I were forced to do that on my personal phone for work.
@zorinlynx Password managers are your friends (except LastPass!)
@hellomiakoda @zorinlynx Yeah I thought using a Password Manager is the way to go in those scenarios? Otherwise I would have to remember a save password for each website and that would be impossible for my little human brain :(
@atzetonfree @hellomiakoda @zorinlynx they don’t help much when the password that resets is what unlocks the computer.

@zorinlynx NIST doesn't recommend it, but it's likely set in stone in various industry standards and practices (and set at 90 days no matter what, apparently).
@zorinlynx huhuhuhu *use 10 variations of the same password on every website and piece of software in existence*
I like to live dangerously
@zorinlynx Microsoft no longer recommends it either! And yet they made me do it. :-(
https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations

@zorinlynx does NIST have an executive summary I could forward to the security team?

@zorinlynx @jkfecke Agree.

It actively punishes people who are willing to memorize secure passwords, and does nothing to correct the habits of those who create lazy passwords from their kids' names.

I used to memorize and never write down. I had to give that up.

Extra credit to organizations with 5 domains who make you change all 5 passwords every 75 days.

@zorinlynx tell my auditors. Seriously. My company would change our policy, but the auditors won't pass it.
@zorinlynx I personally use a randomly-generated password card to generate my passwords that I keep with me at essentially all times. That way all I have to remember is the column and row of the first letter, plus the direction. It's not perfect but it does help me be a bit more secure when passwords get expired. They can be generated from multiple sources, here's just one example of what one looks like:
@zorinlynx Don't forget places that make you change your username regularly, too. Like my last two 401(k) providers. 
@drwho @zorinlynx
My previous 401(k) provider was bad enough that I just called the 800 # each time and had them mail me stuff.
@zorinlynx I have a password manager specifically so I don't need to remember passwords anymore @.@
@zorinlynx @kentindell My bank demands password change every 3 months. It takes a few iterations to motivate me, so approx every 15 months I write a terse email, with links to security advice, asking them to stop. Which they ignore.

@zorinlynx Back in March 1988, we had already learned a lesson from password rules (5 characters, changed monthly) when a security admin used Mar88.

The password was misused within the building only (no remote access) but the causes were understood and talked about 35 years ago!

(The password for April was a complete mystery!)

@zorinlynx @kyhwana Unless government requirements still require your organisation to change passwords regularly. Looking at you, New Zealand Information Security Manual, you archaic piece of shit 😒
@zorinlynx I wish my office would stop requiring this, but, from what I understand, it is an insurance requirement.

@zorinlynx and if you refuse to stop, at least provide some advance warning, don’t authorize me by locking me out until I update it

When I’m on the subway trying to look something up right quick on my phone, those lockouts turn it into something I can’t even think about until the end of the day

@zorinlynx What is wrong in writing passwords down on a paper (not in a plain text file)? In most cases that paper is in a physically secured location. As long as the paper is not clearly available to your family members, guests or co-workers it should be perfectly safe.
@zorinlynx this is particularly true if, as some workplaces do, you’re required to change your password every month, because that’s simply far too frequently to commit a serious password to memory, particularly if you have multiple passwords to remember. (My first long term job - when I left I had just updated my password to letmein62).
@zorinlynx got our password policy changed nearly 10 years ago for this reason but it was a battle at the time!
@zorinlynx Not to forget the pain in the ass of having to log in everywhere again if it's single sign-on, including stuff like the company VPN and Windows asking you to lock and unlock your PC like three times
@zorinlynx I brought this up at work and was told it's still required by some government security standard we have to adhere to.
@zorinlynx Right after we stop taking off our shoes and having liquids banned entering airport security areas.
NIST Special Publication 800-63B

@zorinlynx hilariously, my EPMs mandate the use of a password manager which regularly expires its password. So I get the worst of all worlds.
@zorinlynx precisely, my hospital password is neatly written down as I have to change it every 3 months!

@zorinlynx Remembering passwords? Aren't you using an open source based local password manager? And FIDO2? TOTP as a fallback?

I hardly need to remember more than maybe five passwords...

@zorinlynx Please explain to my university. New password every 3 months (!!!), plus 2FA... Ggrrrrrrr
@zorinlynx I remember a great answer from a security guru when his manager asked him to enforce password expiration: "Either your password is already compromised and you're in deep trouble anyhow, or it isn't. In that case, it means it's a great password that you should not change" :)
@zorinlynx My company had a security bulletin a few months ago explaining why this is a bad policy. We still change our passwords every couple months.
@zorinlynx The real tragedy here is that NIST (as well as other so-called security advisers) recommended credential expiration at all, without thinking through the implications. The damage has been done.
@zorinlynx Best new trick: "Your PIN must be 8 digits or more" and you just know everyone is going to use one of the few long numbers they know by heart - their own phone number.
@zorinlynx i seriously don't understand why self-expiring passwords were even a good idea in the first place