Password expiration with Password manager
I have been seeing a shift in password policy; this has been going on for a while (article from 2017), but I have only just picked up on this. In my organization we expire the user passwords every 90 days. When they set up their baseline, this was standard practice. But:
...In this day and age, changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost to your organization...
SANS.org.
Let's assume all of my users are professionals: they use a secure password/passphrase generator and manager for all their accounts, so there are no sticky notes with passwords or incremental password changes. Is there no benefit at all to replacing their current password/passphrase with a new randomly generated one every 90 days?
password-policy
asked 3 hours ago
BenoitBalliu1
1 Answer
90 days is more than enough to profit from stolen credentials (however strong they are). Moreover, most passwords will vary only by a digit or two when changed, so even a password older than 90 days will allow an attacker to guess the new one fairly easily.
If your passwords are strong (randomly generated by password managers) and one still managed to leak and find its way into the hands of an attacker, the solution is to fix the source of the leak, not to blindly update the passwords. Changing the passwords will not prevent new passwords from leaking in the same way.
It would be wiser to prevent password guessing attempts and to try detecting abnormal authentications. Using proper 2FA could also better mitigate password leaks.
At the same time, this policy pushes the users to make passwords easier to remember, and thus easier to guess by an attacker. All things considered, a policy that mandates updating passwords regularly weakens the overall security provided by the password protection. That is why Microsoft is planning to remove this policy from Windows 10 starting with the May 2019 update. NIST also recommends against it for passwords that need to be remembered.
edited 1 hour ago
answered 1 hour ago
A. Hersean
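The answer's point that a forced change usually yields a password one digit away from the old one can be shown directly. The following is an added example, not code from the original question or answer: given a leaked old password and the stored hash of its replacement, it tries the handful of edits people typically make under a rotation policy (bump the trailing number, add a suffix, bump the year, swap the symbol, rotate the season). The hash function, salt, candidate list and sample passwords are all constructed for this example and are not what any real directory uses.

```python
import hashlib
import re

# PBKDF2 iteration count kept low so the demo runs in well under a second;
# a real backend would use a far higher work factor or a memory-hard hash.
ITERATIONS = 10_000
SALT = b"constructed-demo-salt"  # constructed for the example, not a real secret


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Stand-in for whatever the authentication backend stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def rotation_candidates(old: str) -> list:
    """Small edits people typically make when forced to rotate a password.

    Ordered from most to least common, deduplicated, never equal to the old value.
    """
    out, seen = [], {old}

    def add(cand: str) -> None:
        if cand not in seen:
            seen.add(cand)
            out.append(cand)

    # 1. Bump a trailing number ("Summer2018!" -> "Summer2019!", "Welcome1" -> "Welcome2").
    m = re.search(r"(\d+)(\W*)$", old)
    if m:
        head, num, tail = old[: m.start(1)], m.group(1), m.group(2)
        for delta in (1, 2, 3, -1, 10):
            add(f"{head}{int(num) + delta:0{len(num)}d}{tail}")
    # 2. Append a counter or a symbol.
    for suffix in ("1", "2", "!", "!!", "#", "01", "19", "2019"):
        add(old + suffix)
    # 3. Bump a four-digit year anywhere in the string.
    for year in re.findall(r"20\d\d", old):
        add(old.replace(year, str(int(year) + 1)))
    # 4. Swap the trailing symbol for another popular one.
    if old and old[-1] in "!@#$%":
        for sym in "!@#$%":
            add(old[:-1] + sym)
    # 5. Rotate a season name.
    seasons = ["Winter", "Spring", "Summer", "Autumn", "Fall"]
    for i, s in enumerate(seasons):
        if s in old:
            for t in seasons[i + 1:] + seasons[:i]:
                add(old.replace(s, t))
    return out


def guess_rotated(old_password: str, stored_hash: bytes, limit: int = 200):
    """Try the rotation candidates against the stored hash of the NEW password.

    Returns (matching_candidate_or_None, attempts_made).
    """
    attempts = 0
    for cand in rotation_candidates(old_password):
        if attempts >= limit:
            break
        attempts += 1
        if hash_password(cand) == stored_hash:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    # Human-chosen password rotated the usual way: recovered on the first guess.
    print(guess_rotated("Summer2018!", hash_password("Summer2019!")))
    # Password-manager output replaced by fresh random output: the old value predicts nothing.
    print(guess_rotated("kQ9#vLm2pX!rT4wZ", hash_password("bN3$hYq8cF%jW1eK")))
```

The contrast is the point of the question: with incremental human changes the old password is almost as good as the new one, so 90-day expiry buys little; with manager-generated replacements the candidate list is worthless, but then the old password was already unguessable and the leak itself is the thing to fix.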
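The answer recommends preventing guessing attempts and detecting abnormal authentications instead of rotating. As an added example (not part of the original answer), here is a small detector run over constructed authentication log lines: it flags a source that fails against many distinct accounts within a time window (spraying) or racks up many failures (guessing), then flags any later success from such a source, and separately any success from a source a user has never logged in from before. The log format, thresholds, usernames and IP addresses are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the original page). Format per line:
# <ISO timestamp> <username> <source IP> <success|failure>
SAMPLE_LOG = """\
2019-04-30T08:00:01 alice 10.1.1.20 success
2019-04-30T08:00:05 alice 203.0.113.9 failure
2019-04-30T08:00:06 bob 203.0.113.9 failure
2019-04-30T08:00:07 carol 203.0.113.9 failure
2019-04-30T08:00:08 dave 203.0.113.9 failure
2019-04-30T08:00:09 erin 203.0.113.9 failure
2019-04-30T08:00:10 frank 203.0.113.9 failure
2019-04-30T08:00:11 alice 203.0.113.9 success
2019-04-30T09:15:00 bob 10.1.1.21 failure
2019-04-30T09:15:01 bob 10.1.1.21 success
"""


def parse_line(line: str):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result == "success"


def analyze(log_text: str, window: timedelta = timedelta(minutes=5),
            fail_threshold: int = 5, spray_users: int = 4) -> list:
    """Return alerts as (kind, timestamp, source, user) tuples, in log order.

    kinds:
      spraying                     one source failing against >= spray_users distinct accounts
      guessing                     one source with >= fail_threshold failures inside the window
      success_from_flagged_source  a login succeeded from a source already flagged above
      new_source_for_user          a user succeeded from a source they have never used before
    """
    recent = defaultdict(deque)   # source -> (ts, user) failures still inside the window
    flagged = defaultdict(set)    # source -> alert kinds already raised (alert once per kind)
    known = defaultdict(set)      # user -> sources with an earlier successful login
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, src, ok = parse_line(raw)
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures that aged out of the window
            q.popleft()
        if not ok:
            q.append((ts, user))
            distinct = {u for _, u in q}
            if len(distinct) >= spray_users and "spraying" not in flagged[src]:
                flagged[src].add("spraying")
                alerts.append(("spraying", ts.isoformat(), src, None))
            if len(q) >= fail_threshold and "guessing" not in flagged[src]:
                flagged[src].add("guessing")
                alerts.append(("guessing", ts.isoformat(), src, None))
            continue
        # A success is the interesting event: was it from an attacker source, or a new place?
        if flagged[src]:
            alerts.append(("success_from_flagged_source", ts.isoformat(), src, user))
        if known[user] and src not in known[user]:
            alerts.append(("new_source_for_user", ts.isoformat(), src, user))
        known[user].add(src)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The first success of a user establishes a baseline rather than raising an alert, so the lone failed-then-successful login from 10.1.1.21 stays quiet; the success for alice from the spraying source is the one that should page someone, and it would be found whether her password was 1 day or 89 days old.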