this post was submitted on 20 Aug 2024
600 points (98.9% liked)

Cybersecurity - Memes

1964 readers
2 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
600
submitted 2 months ago* (last edited 2 months ago) by [email protected] to c/cybersecuritymemes
 

This practice is not recommended anymore, yet still found in many enterprises.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 2 months ago* (last edited 2 months ago) (2 children)

Never is too long.

Why? Frequent password changes have been shown to result in weaker passwords. What's wrong with keeping a strong one indefinitely? I mean an actual strong one not one character more than what's currently bruteforceable.

[–] esc27 2 points 2 months ago

Overtime people will slip up and leak their passwords. Maybe they accidentally log in with it in the username field (causing it to get logged), leave it on a forgotten postit note, share it with a spouse, used it for a 3rd party service, wore a pattern into their keyboard, etc. None of those are that big of a deal or all that common, but added up with enough time and people and the risk accumulates. A infrequent but regular password reset helps to mitigate that risk.

Regular password resets can also help to prevent password reuse. Suppose someone uses their work password for netflix, then work requires a password change. How likely are they to manually sync the netflix password back to match the one they use for work?

Of course there are much better ways to mitigate risk. E.g. multifactor authentication. But a major security principal is defense in depth, and I think reasonably infrequent (e.g. no more than once per year) password resets have a place in that.

This goes for physical keys as well. If it is your house and you are certain no one untrustworthy has your key, then fine. But for a larger org with multiple people and turnover. Sooner or later keys will get lost, misplaced, etc. Rekeying the locks (maybe every 5 years, maybe every 25 years) has merit.

[–] [email protected] -1 points 2 months ago (1 children)

Forever is vulnerable to phishing attacks, same reason why monthly is getting discouraged. Monthly is weaker because the average person does slight variation, which attackers LOVE.

[–] [email protected] 3 points 2 months ago

Frequent password changes don't protect against phishing.

And while a high frequency like monthly changes will probably result in even weaker passwords, also yearly changes will make people choose weak passwords.