@argv_minus_one I still believe in password rotation on long intervals (1 year min). Passwords that get spread across multiple systems (e.g. LDAP, OIDC) get used and abused and shoved into god knows what by people, and it contains, to some extent, the damage of a lost first factor, which happens all the time.
@7666 @argv_minus_one 1 year is reasonable and I would go even lower to 6 months at max. That said, there are companies that force password changes every 2 months and sometimes even faster. At that point it misses the point completely, because many more employees will just stick some number at the end or capitalize one letter and be done with it.

Guessing isn't the issue. If the hash gets exposed in a breach, attackers can brute-force it at their leisure. Rotation helps ensure that by the time they crack it, it's no longer valid. Rotation policy should therefore be based on projected brute-force time per string length, not arbitrary human calendar dates. Set a short password? Well, then you're changing it often. Don't like it? Remember a longer password 🤷‍♀️

@nicholas
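The "rotation interval from projected brute-force time" idea in the post above, worked through as an added example that is not from any participant in the thread. The guess rates, the alphanumeric charset, the 10x safety factor and the one-year cap are all constructed assumptions for illustration, not measurements.

```python
"""Derive a rotation interval from the projected offline crack time of a stolen hash."""
import math

# ASSUMED offline guess rates (guesses/second) for a well-equipped attacker.
# Constructed for illustration only; real rates depend on hardware and cost settings.
ASSUMED_GUESSES_PER_SECOND = {
    "md5": 1e11,           # fast unsalted hash
    "sha256": 1e10,        # fast hash
    "bcrypt_cost12": 1e4,  # deliberately slow password hash
}

SECONDS_PER_DAY = 86_400
ALNUM_CHARSET = 62  # a-z, A-Z, 0-9 (assumed policy charset)


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` characters."""
    return charset_size ** length


def expected_crack_seconds(charset_size: int, length: int, hash_alg: str) -> float:
    """Expected time for an exhaustive search to hit a random password.

    On average the password is found halfway through the keyspace.
    """
    rate = ASSUMED_GUESSES_PER_SECOND[hash_alg]
    return keyspace(charset_size, length) / 2 / rate


def rotation_interval_days(charset_size: int, length: int, hash_alg: str,
                           safety_factor: float = 10.0, cap_days: int = 365):
    """Longest interval such that a leaked hash is expected to be stale before it cracks.

    Returns None when the projected crack time already exceeds `cap_days`, i.e.
    brute-force time gives no reason to rotate within the cap at all.
    """
    crack_days = expected_crack_seconds(charset_size, length, hash_alg) / SECONDS_PER_DAY
    interval = crack_days / safety_factor
    if interval >= cap_days:
        return None
    return max(1, math.floor(interval))


def rotation_table(hash_alg: str, lengths=(6, 8, 10, 12, 14)) -> dict:
    """Map password length -> recommended interval (days) or None for one hash algorithm."""
    return {n: rotation_interval_days(ALNUM_CHARSET, n, hash_alg) for n in lengths}


if __name__ == "__main__":
    for alg in ASSUMED_GUESSES_PER_SECOND:
        print(alg, rotation_table(alg))
```

Under these assumptions the calendar only matters for short passwords behind fast hashes; at 12+ alphanumeric characters, or behind a slow hash like bcrypt, the projected crack time already exceeds a year, so brute-force time alone gives no rotation date.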

Yes, and if they brute-force it at their leisure, they gain…access to the same system they've already breached.

You didn't think I was reusing passwords, did you? I'm not completely incompetent.

Actually, they don't even gain that, because I've been notified that there's been a breach and have already changed my password.

So exactly which threat is being mitigated by time-based password rotation?

@7666 @phnt

@argv_minus_one @nicholas @7666 I mean forgotten accounts as accounts of employees that have been fired or left and weren't deactivated for whatever reason. That gives the account an absolute deadline on how long it stays active.

>Why are people at your workplace reusing passwords

Almost everybody that isn't tech savvy does that and there are exactly 0 ways to stop them from doing it, because they will never learn. Or people are just careless. Best you can do is force a password manager on people and put some higher password requirement on the vault password and some second factor. But have fun implementing that with Karen in HR.
@argv_minus_one @phnt @nicholas Not everything supports SSO responsibly (see: https://sso.tax); hardware tokens are notoriously difficult to integrate into existing systems such as on-prem AD, which still runs a ton of the world, etc etc.

Your idealism is getting in the way of practicality. This statement would also smack you upside the head but is functionally correct: The right amount of security is just enough not to get hacked.


@7666

Every organization bigger than a lemonade stand is under constant attack by billion-dollar crime gangs and nation-state intelligence agencies.

“Just enough not to get hacked” is a really high bar, we've got the weekly high-profile security-breach headlines to prove it, and all this security theater (password rotation, Zero Trust, etc) is, unsurprisingly, not working.

@nicholas @phnt

@7666

As for the SSO tax: if a vendor sleazes on you like that, then kick them to the curb and migrate to an alternative that won't. Preferably one that's FOSS and therefore *can't* do that to you.

If that means you have to do extra work? So be it. With the alternative being either sky-high fees or getting pwned, the extra work will pay for itself in short order.

If the alternative is FOSS but sucks? Pay somebody to work on it. Still cheaper in the long run.

@nicholas @phnt

@argv_minus_one @nicholas @phnt The issue is humans. It was always humans. Why have two factors if one factor is cryptographically perfect? Humans. Humans fuck up all the time. If the world was perfect you'd be right on all counts, but it's not, so stupid things happen all the time out of ignorance or malice or both. Whether or not you account for this and layer things properly will make or break you in InfoSec.

@7666

True, but increasing friction (with password rotation, MFA, etc) only encourages people to find workarounds to defeat the security measures instead of actually using them. That's why NIST recommends doing away with password rotation entirely.

Although I suppose that same problem also applies to my earlier suggestion of using FOSS alternatives…

@nicholas @phnt