Reply to post: Re: Rules and Password Timeouts

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

adam 40

Re: Rules and Password Timeouts

Ha ha - ten passwords where you can't reuse parts of the password?

Let me see - i recon I could go round the loop and use up 9 passwords in such a way that a tenth password would be impossible.

Then make the IT guys reset the whole thing - social engineering, job done.

In the case above an undetected access would go undetected for 6 whole months - so why not age the password once a week? Or once a day? Surely, 6 months is an intolerable amount of time to let your attacker in unfettered?

One other thing that I haven't seen mentioned above - apologies if I missed it - every login system should tell you when you last logged in as a matter of course. That helps the end user spot intrusions and then they can help the process by changing their password. Most do not do this, notable exceptions being HMRC (wow - they do one thing right!) although they too use the easily hackable SMS method of 2FA.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019