I have approximately 12 different passwords to remember for work, all with separate requirements, the longest of which lasts 3 months. I work in a kitchen. Is someone going to steal my password in order to…monitor the temperature and humidity of our dry storage? Unlikely. Sometimes, password requirements and constant changing, while a “best practice,” leads to a larger headache than the actual risk.
Don’t believe anyone who says constant changing of passwords is “best practice,” it’s not. The constant changing typically leads to less secure passwords and practices by end users.
Constant password expiration was/is an attempt to get users to rotate passwords after they themselves have disclosed/otherwise compromised their sign on information or abandoned/orphaned their account. It’s a drag net. A stupid one. But ironically if it was enforced on all active accounts, it’s a drag net that would’ve even saved Microsoft from compromise by the Russians. So it does have it’s uses in some regard, but to be honest it seems like the state of all security and authentication mechanisms is currently in between 💩 and 🗑️🔥 as far as design and intuition goes. Why I need a password manager for 1000+ accounts instead of being able to generate/sign my own cryptographic authentication tickets in an intuitive way is beyond me. Passkeys is getting there, but having used them, I can still definitively say the implementation is unintuitive trash.
(https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ )
I have approximately 12 different passwords to remember for work, all with separate requirements, the longest of which lasts 3 months. I work in a kitchen. Is someone going to steal my password in order to…monitor the temperature and humidity of our dry storage? Unlikely. Sometimes, password requirements and constant changing, while a “best practice,” leads to a larger headache than the actual risk.
Don’t believe anyone who says constant changing of passwords is “best practice,” it’s not. The constant changing typically leads to less secure passwords and practices by end users.
Constant password expiration was/is an attempt to get users to rotate passwords after they themselves have disclosed/otherwise compromised their sign on information or abandoned/orphaned their account. It’s a drag net. A stupid one. But ironically if it was enforced on all active accounts, it’s a drag net that would’ve even saved Microsoft from compromise by the Russians. So it does have it’s uses in some regard, but to be honest it seems like the state of all security and authentication mechanisms is currently in between 💩 and 🗑️🔥 as far as design and intuition goes. Why I need a password manager for 1000+ accounts instead of being able to generate/sign my own cryptographic authentication tickets in an intuitive way is beyond me. Passkeys is getting there, but having used them, I can still definitively say the implementation is unintuitive trash. (https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ )
It’s discouraged by NIST now too. Basically the only requirement is that you have some sort of policy in place.