June 3, 2019 10:59 pm PDT

It's time to stop asking users for periodic password changes

Image: Santeri Viinamäki [CC BY-SA 4.0], via Wikimedia Commons

Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation.

Microsoft is the latest enterprise to get on board with this idea, calling the concept of monthly/bimonthly/quarterly password changes "ancient and obsolete".

To this day, password management remains the least-loved aspect of my job as a SysAdmin. In a world of password managers, two-factor authentication, and complex "suggested passwords" by browsers, asking users to change passwords frequently is the one task that virtually guarantees a support request. Why? The password is used on multiple devices, or the forced change came at a time when the user had to write it down, or some other inconvenience that, in practice, seems only to complicate the security process, rather than actually improve it in any meaningful way.

The same researchers have warned that mandating password changes every 30, 60, or 90 days, or any other period, can be harmful for a host of reasons. Chief among them, the requirements encourage end users to choose weaker passwords than they otherwise would. A password that had been P@$$w0rd1 becomes P@$$w0rd2 and so on. At the same time, the mandatory changes provide little security benefit, since passwords should be changed immediately in the event of a real breach rather than after a set amount of time prescribed by a policy.

Besides, as Cory has mentioned, two-factor authentication and security keys are quickly showing us how much of a "game-changer" these tools can really be, offering real defence against both past and present security attacks.


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/LbtdxhVZtjA/its-time-to-stop-asking-user.html
