German "Internet" experts in a nutshell: InterNetX, one of the biggest domain registrars, part of United Internet (the enterprise also owning 1und1) has now introduced their latest "security enhancement":

Automatically expiring passwords.

Almost a decade after the internet world agreed that those are an impressively stupid idea.

I'm so incredibly tired.

@denschub what is stupid? Password/token or secret/token expiration?

@tuxicoman automatically expiring passwords.

NIST realized that in 2016. Even the BSI realized how stupid that is and started recommending against that policy in 2020. And now, 5 years after the BSI said "hey let's stop doing that", the "experts" at InterNetX decided to start doing that.

Passwords: BSI says goodbye to preventive, regular password changes

February 1, 2020 was hopefully the last "Change Your Password" Day.

heise online

@denschub

I agree it's painful (breaks workflow) and not efficient if people use a pattern.

What is the current recommended pattern?
I use otp with a device.

@tuxicoman the current "recommended pattern" is not to let passwords expire automatically and not to force users to "regularly" change passwords.

That stands all on its own, it's completely irrelevant to any 2fa discussion. The current 2fa recommendation can be found in this German PDF (which I do not agree with, but that's beside the point).

@denschub A digital hug if you want one.

InfoSec is an area where you often wonder who are these other people making up and enforcing these stupid rules, where do they come from and how did they reach such stupid conclusions…