Reply to post: I've been saying this for a decade

Stop resetting your passwords, says UK govt's spy network

DougS Silver badge

I've been saying this for a decade

This advice is from the 90s when password exploits were typically based on an attacker getting hold of the encrypted passwords and running crackers or rainbow tables against them. People weren't required to have good passwords back then so they were possible to crack.

Once you started seeing the uppercase/lowercase/number/punctuation type rules enforcing better passwords the return on investment for grabbing encrypted passwords was greatly diminished (at least for ones that protect real stuff, sites like El Reg that don't require good passwords could still have them trivially cracked, but there's no gain for anyone cracking Reg commentard passwords)

You can enforce some pretty nasty passwords if they know they are able to keep them forever, at least for several years instead of only 90 days. I've seen some places that required admin passwords be reset every THIRTY days. You are pretty much guaranteed that people will either write them down, cycle through a list of 'good' passwords they use at other places, or do something like HardPassword1234 HardPassword2345 etc. (I used the latter)

It will take another decade before this obsolete advice of frequent password resets gets removed from 'common wisdom' and checklists of generic security audits, unfortunately.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019