Microsoft: Yo dawg, we heard you liked Windows password expiry policies. So we expired your expiry policy

Microsoft has finally decided to get rid of password expiration policies in Windows because forcing people to reset their passwords periodically harms security. Word arrived from Redmond via Wednesday's draft release of the security configuration baseline settings for Windows 10 version 1903. The release, available as a zipped …

  1. hittitezombie

    Yeah, right.

    "our crypto experts tell us that there is no known danger of its being broken in the foreseeable future"??

    When was the last time you wanted less security than more, just because? What's the harm, apart from to NSA and GCHQ?

    1. dnicholas

      Re: Yeah, right.

      I was under the impression modern CPUs are very good at 256bit on the fly encryption...

    2. mark l 2 Silver badge

      Re: Yeah, right.

      Hmm I have a sneaky suspicion that a certain 3 letter government agency might have something to do with the reduction of the encryption from 256 to 128 bit.

      1. Christoph

        Re: Yeah, right.

        Given their known past behaviour, and the ridiculousness of deliberately reducing security that's already working, I would say that it's a damn sight more than a suspicion.

      2. Mark 85
        Black Helicopters

        Re: Yeah, right.

        Nah, they wouldn't do that just and never spy on ordinary folks... err.... I'm hearing a chopper overhead.

      3. Kabukiwookie

        Re: Yeah, right.

        According to the information that Edward Snowden disclosed, Microsoft was one of the first companies to get into bed with the NSA (2007 according to the Powerpoint slide)

    3. Neil Barnes Silver badge
      Black Helicopters

      Re: Yeah, right.

      Foreseeable future == about next Thursday, right?

    4. Bob Vistakin
      Facepalm

      Re: Yeah, right.

      The same experts who held a funeral for the iPhone and Blackberry, both of which are still going strong(ish), unlike Microsoft's mobile offering which has ceased to be?

      https://www.zdnet.com/article/microsoft-celebrates-windows-phone-7-with-mock-iphone-funeral/

      1. doublelayer Silver badge

        Re: Yeah, right.

        Microsoft's mobile offering is assuredly dead, but Blackberry is too. Just because someone's making android phones and calling them Blackberry doesn't mean the system survives. The QNX-based OS is dead, the Blackberry company isn't making those devices fully, and they're just a different hardware type running android.

  2. dnicholas

    Was it Password123 or 123password?

    1. David 132 Silver badge
      Happy

      Puhlease. That was my password 10 years ago - thanks to expiration policies, I'm now up to Password245.

  3. JeffyPoooh
    Pint

    "Change passwords monthly..."

    ... And since you'll never remember the ever-changing passwords, write them down on a small slip of paper and tuck it under your keyboard.

    1. Tim99 Silver badge

      Re: "Change passwords monthly..."

      I installed an early Novell 2 system for our local head of finance. He insisted that each user had a long password changed every 40 days (It was Novell, hence the Biblical 40 days). His staff wrote their passwords on (the new-fangled) PostIt notes and stuck them to the front of their 5150 PCs. I had a quiet word with a couple of the senior staff and suggested that this was not a good security practice, only to be told that staff members often logged in as each other (some had higher levels of access than others).

      After our little chat where I told them not to do this, I pretended that I did not know that they started putting the PostIt under their keyboards "In case we forgot, so that we did not have to get our passwords reset by the local admin".

      1. Anonymous Coward
        Anonymous Coward

        Re: "Change passwords monthly..."

        At a certain three-lettered formerly-hi-tech company, we had a test lab with old desktops set up for running test scripts. They weren't connecting to anything critical, so the password was the machine serial number. Conveniently available as a tag on the front of the machine.

    2. jelabarre59

      Re: "Change passwords monthly..."

      ... And since you'll never remember the ever-changing passwords, write them down on a small slip of paper and tuck it under your keyboard.

      Just use the Romaji versions of anime titles. You can do the letter-to-number substitution, and if the Romaji has "no" or "ku" in it, you can substitute them with "@" or "<" respectively.

  4. Anonymous Coward
    Anonymous Coward

    PCI DSS

    Unfortunately anyone who needs to be PCI DSS compliant still has to reset their passwords every 90 days.

    The actual requirement is only for those with access to cardholder data or system login accounts, but security policies tend to be implemented as a broad brush "just in case", just like local admin rights.

    1. Anonymous Coward
      Anonymous Coward

      Re: PCI DSS

      I'm sure they'll get on board eventually. Standard setting bodies are always the last to see reason.

    2. dougkiwi

      Re: PCI DSS

      Hope might be on the horizon for 2020 ... check out:

      https://blog.pcisecuritystandards.org/pci-dss-looking-ahead-to-version-4.0

      Reviews for 4.0 include:

      "Authentication, specifically consideration for the NIST MFA/password guidance"

      So maybe.

      1. Anonymous Coward
        Anonymous Coward

        Re: PCI DSS

        ".../pci-dss-looking-ahead..."

        hindsight, surely... it's 2020!

  5. RobinCM

    Compromised passwords remain valid for ever...

    ...Unless you force users to change them every now and then. And most places don't monitor for unusual access, so that compromise will continue for as long as the attacker likes.

    Make people change them every now and then, 3-6 months sounds fair.

    Unless you've implemented MFA. Then ignore the above, assuming it's a requirement on every system.

    1. Mark 85

      Re: Compromised passwords remain valid for ever...

      And therein is part of the problem. If the system gets hacked, the bad guys will own it forever.

      1. GnuTzu
        Stop

        Re: Compromised passwords remain valid for ever... -- Voluntary Changes

        Um, I'm pretty sure that users will still be able to voluntarily change passwords, though that's only relevant if you know that you've been compromised.

      2. Tom Paine

        Re: Compromised passwords remain valid for ever...

        Only if you have no other security detection systems - IDS, firewalls, hell even a daily glance at sflow data can show up pwned systems (seen that before!)

    2. Mike 137 Silver badge

      Re: Compromised passwords remain valid for ever...

      Most businesses don't implement MFA - they implement SFA and place the entire burden of authentication security on the end user - the person least equipped to bear that burden.

      I once mapped the responsibilities matrix for the entire regime of password-based authentication security for a client, and it showed that at least two IT or process management functions had to collaborate with each other or the end user to counter each threat.

    3. Keith Langmead

      Re: Compromised passwords remain valid for ever...

      If your computer has been compromised due to the password being cracked/discovered, do you really think the bad guys continue using it to access your machine? Like hackers currently lose access to a load of machines each day when they hit the password reset threshold, and they have to start all over again? No, they'll have used the access to mess with your setup, and changing the password won't impact their access one bit.

  6. Blockchain commentard

    Change your password monthly? So this month it'll be april2019. Next month's one will be? Can anyone guess?

    1. A.P. Veening Silver badge

      Change your password monthly? So this month it'll be april2019. Next month's one will be? Can anyone guess?

      Sorry, I can't as may2019 is only seven characters, missing at least two.

      1. Andy Denton

        Just add 'PW' to the end - simples.

    2. Anonymous Coward Silver badge
      Trollface

      april2020

      I suspect that you fancy a girl named April and you've had to change your password over 2000 times...

  7. Anonymous Coward
    Anonymous Coward

    NIST

    I think it’s NIST. The most recent recommendations from them regarding passwords are that you don’t make people change periodically just because.

    This actually is an admission that it doesn’t work. Hands up everyone when forced to change a password just cycles through the required digit. Or the embedded day or month name. Or swap the first and second halves.

    If — and it’s a big if — it’s a password you never have to type then just generating a new random 16 character password is easy enough. But a completely random password of that length isn’t going to be brute forced any time soon so why bother?

    Yes, this is still lost on $employer who thinks it is a good idea to make me change a password every 30 days.

    1. A.P. Veening Silver badge

      Re: NIST

      Yes, this is still lost on $employer who thinks it is a good idea to make me change a password every 30 days.

      Not my problem, I get paid whether I remember that new password or not. But we might inform the bean counters about this, they abhor needlessly lost productivity.

    2. Dave K

      Re: NIST

      It gets worse when you have about a dozen systems with no password synchronisation and differing expiry periods for the passwords (no, I'm not kidding sadly). My previous scheme for this was indeed to "cycle the digits" with a post-it reminding me which current digit it was for each system. Of course, the rest of the password was not written down anywhere, but it does illustrate the point that having regularly expiring passwords will mean either that people write them down, or if a hacker obtains one that doesn't work, he just has to keep incrementing the digits until he gets to "this month's" version of that password...

      1. A.P. Veening Silver badge

        Re: NIST

        It gets worse when you have about a dozen systems with no password synchronisation and differing expiry periods for the passwords (no, I'm not kidding sadly).

        Been there and done that as just an ordinary user (OK, AS/400 programmer, still an ordinary user on the Windows network). I needed passwords for at least five different systems, when one expired, I replaced them all with the same new password.

        1. Dr. Mouse

          Re: NIST

          when one expired, I replaced them all with the same new password

          I have worked at places where that would take around half a day... Every month... And that was just for one system for which we had several accounts, they had no password synchronisation, and they all seemed to have different password expiry policies and complexity requirements.

          I ended up just using reset password every time I needed to log on to those systems. It was less hassle than trying to keep up with them all.

          1. A.P. Veening Silver badge

            Re: NIST

            I have worked at places where that would take around half a day... Every month...

            Not my or your problem, as long as we get paid for that half a day. Just let the bean counters fight it out with the security policy author.

          2. Robert Carnegie Silver badge

            I play nice.

            Each of my passwords is n1 random non-repeated consonants and n2 numerals. And if that isn't enough then ! at the end, which I tell you freely as you'll never guess the rest except by exhausting all combinations. And where I have them tattooed is a secret as well. I set a new unrelated random password whenever one expires

            ...except for my password for The Register, which I just can't be bothered about. vulturefan it is. (not.)

            1. AndrueC Silver badge
              Facepalm

              Re: I play nice.

              Did the same thing at one of my previous employers. Had a post-it note with crib sheet of application -> suffix number.

              Funniest thing though is that there was only one of their systems that was configured to prevent my little scheme from working and that insisted I pick a different password each time. It was the employee training portal.

        2. Tom Paine

          Re: NIST

          Keep it up! This sort of thing is why all us infosec droids make a good steady living cleaning up after users.

    3. Anonymous Coward
      Anonymous Coward

      Re: NIST

      This actually is an admission that it doesn’t work. Hands up everyone when forced to change a password just cycles through the required digit. Or the embedded day or month name. Or swap the first and second halves.

      Or you could type a pattern on the keyboard. When password change time arrives, just shift over one key on the keyboard.

      Of course, I've seen a password checker that even checks for that. Was pretty much impossible to find more than two passwords in sequence that checker would accept.

      1. Adrian 4

        Re: NIST

        Use a convenient book (maybe the co. telephone directory) to translate month/date to page/word. OTP should beat any password checker.

        1. Rich 11

          Re: NIST

          (maybe the co. telephone directory)

          They stopped printing the company directory 20 years ago, after we published it on the company intranet.

          1. doublelayer Silver badge

            Re: NIST

            You can usually find a big book that nobody cares about in any workplace. A place I worked at a few years ago had a multi-volume set of instructions on administering Windows Server 2000, and as this was a software engineering area with few admins, nobody really knew why they were there. I have a feeling a convenient book code can be found when needed.

      2. Tom Paine

        Re: NIST

        Yup. Worked on a project to allow any number of arbitrary sequences to be blacklisted -- not just "qwerty" but "1qaz2wsx" and all the permutations along and across a standard 102 key keyboard.

        When I pointed out to the PM that the two customers who were insisting on this change operated in dozens of territories that used different keyboard layouts he nearly cried. #funtimes

    4. Tom Paine

      Re: NIST

      NCSC, 2015: https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry

  8. ma1010
    Go

    Actually, even Uncle Sam got a clue now

    Password change requirements have been removed from NIST's recently-released guidelines. They also address complexity requirements and even suggest checking passwords against lists of commonly-used passwords.

    You can see a summary of the changes here.

    1. Anonymous Coward
      Anonymous Coward

      Now someone go tell the IRS

      They recently mandated a max. 60 day expiration window for all downstream entities who receive tax data from them.

    2. Wayland

      Re: Actually, even Uncle Sam got a clue now

      The best password would be a randomly generated one of 9 characters that you commit to memory forever and never share. If a password is not remembered it's written down or lost and has to be changed. Both security weaknesses.

      1. A.P. Veening Silver badge

        Re: Actually, even Uncle Sam got a clue now

        The best password would be a randomly generated one of 9 characters

        For the AS/400 I once wrote a password generator, which generated a ten character password and emailed it to the user. Not even the operator using the password reset utility knew the new password.

        1. Baldrickk
          Facepalm

          Re: Actually, even Uncle Sam got a clue now

          and emailed it to the user...

          Because email is clearly secure and no-one could ever find out what the password is.

        2. Tom Paine

          Re: Actually, even Uncle Sam got a clue now

          The mail server specialist, though, got VERY nice pay rises.

      2. Michael Wojcik Silver badge

        Re: Actually, even Uncle Sam got a clue now

        The best password would be a randomly generated one of 9 characters

        Too short, if any verifiers generated from it use weak algorithms. An LM Hash or unsalted MD5 hash - both of which are still in use, and may be exposed to an attacker - of 9 alphanumerics, or even 9 ASCII graphic characters, is breakable at relatively low cost using contemporary technology.

        A 2015 estimate for MD5 hashing using a single GPU would put it at about a year on average to break an MD5 hash of 9 characters selected from the 94 ASCII graphics. These days it would be much faster, and an attacker would probably just run such hashes through a farm of cloud VMs using stolen accounts anyway.

        A sufficiently-random passphrase of reasonable length is likely to have more entropy than a short password and be easier to remember. To generate a phrase we have the XKCD method, the random-headline method (pick a random set of words and arrange them into a phrase that sounds like a newspaper headline), the chimera-quotation method (combine quotations from two or more sources into a new phrase) ...

        Pro tip: The phrase "the best password would be" is nearly always followed by a description of a sub-optimal password-generation scheme. And in any case, it's not meaningful to make claims about "best" passwords without explaining what your criteria are.

  9. Mike 16

    Recent Research?

    IIRC, the first paper about the (negative) effects of frequent mandatory password changes came out in the 80s or 90s. Did the 2010 folks do their research in a library? Probably not, because who the heck looks at paper anymore...

    Meanwhile, upon being borged by a major networking company I attended a mandatory security training session, moderated by the head of corporate security. After the session I chatted with him for a while and mentioned the password expiry issues, and how long they had been known. His answer shocked me: "I know, but it's not my call". In case you missed that, the head of corporate security could apparently be over-ruled on security policy. By whom? Marketing? HR? Catering?

    Of course the whole company was a pack (gang? confusion?) of weasels (apologies to mustelidae everywhere) and I left as soon as my retention bonus vested.

    1. Tim99 Silver badge

      Re: Recent Research?

      A group of weasels can be boogle, gang, pack, sneak, or confusion. For a corporate environment the last two might be appropriate.

    2. Michael Wojcik Silver badge

      Re: Recent Research?

      The article links to the 2010 paper (by Zhang et al.), and section 7 of it lists their references. But who the heck looks at readily-available information before posting their rants anymore?

  10. Anonymous Coward
    Anonymous Coward

    maybe they should ask enterprises first

    our PMO ain't gonna like this one, we've had the 6 week password change policy around for a few years now.

    1. Geoffrey W

      Re: maybe they should ask enterprises first

      Far as I can tell you may continue to do so. They removed it from the baseline policy so it doesn't get tagged by audits. That's it.

      1. Keith Langmead

        Re: maybe they should ask enterprises first

        Yeah, doesn't affect GPO policies etc you've created, just the default behaviour in a standalone copy of Windows.

        Great news, especially since Windows 10 makes simply getting to the "Password never expires" option such a pain in the arse I've resorted to doing it via a command line using wmic rather than hunt for where it's been moved/hidden in each iteration of 10.

        1. Kabukiwookie

          Re: maybe they should ask enterprises first

          I've resorted to doing it via a command line using wmic rather than hunt for where it's been moved/hidden in each iteration of 10.

          Ah. The bliss of Windoze administration. If I would be forced to do this, I'd rather start selling ice cream.

          1. Geoffrey W

            Re: maybe they should ask enterprises first

            I'll have a 99 please. With strawberry syrup. And a tub, with 100s and 1000s. Ta!

  11. Anonymous Coward
    Anonymous Coward

    So, it's only taken them 20 years to stop listening to idiotic "security experts" telling us we need a password that is changed at least every 60 days, is between 8 and 128 characters long, uses at least 3 of the following types of characters: (a) uppercase letters, (b) lowercase letters, (c) numbers, and/or (d) special characters and must be unique and cannot be re-used.

    What next? re-release Windows 7? an O/S that people want to use?

    1. Geoffrey W

      Microsoft and a majority of the rest of the IT industry. I'm tired of having silly password policies forced on me by countless web sites and companies, not to mention poorly implemented explanations as to why my chosen password does not fit their criteria leaving me to try randomly and endlessly until one works. I hope they all follow Microsoft, and soon.

    2. Anonymous Coward
      Anonymous Coward

      So, it's only taken them 20 years to stop listening to idiotic "security experts" telling us we need a password that is changed at least every 60 days, is between 8 and 128 characters long, uses at least 3 of the following types of characters: (a) uppercase letters, (b) lowercase letters, (c) numbers, and/or (d) special characters and must be unique and cannot be re-used.

      Yeah because we all know that if those policies were not enforced, whinging twats like you would just keep using '1234' everywhere, and then complain when you get hacked.

      1. Dave K

        Password expiration requirements != Password complexity requirements.

        1. veti Silver badge

          Sure, but GGP devoted a lot more words to complaining about complexity than expiry.

        2. Anonymous Coward
          Anonymous Coward

          @Dave K

          Did you even read what I was replying to?

          The other AC was complaining about password complexity requirements.

    3. Mike 137 Silver badge

      20 years...

      "Microsoft cites recent research that casts doubt on the efficacy of password expiration policies"

      Actually there's been plenty of research for at least the last 20 years that makes the point about regular (medium period) password changes being counter-productive, and it's also self-evident to anyone with their eyes open and their brain engaged. So not only "listening to idiotic &c." but not taking note of genuine expert research for all this time and not using common sense.

      This is just one more indication that the majority of infosec practice has for ages been, and is still, driven by thought substitute mantras, because the training does not include how to think for oneself from first principles, but only the ability to remember and regurgitate "stuff".

      1. Anonymous Coward
        Anonymous Coward

        Re: 20 years...

        and it's also self-evident to anyone with their eyes open and their brain engaged.

        Obviously most of you have never considered network security in any detail.

        If someone, a legitimate user on a network, has their credentials either stolen or successfully hacked, then as long as the malicious actor doesn't do something overtly stupid, they can use those credentials with impunity to extract data or otherwise compromise the network.

        There is no effective way to detect that the individual logging in with those credentials is malicious.

        The only defence that works is to limit the time that those stolen credentials will be usable, and you do that by adopting a policy of password changes allied with complexity requirements that disallow just changing a number or letter of the password.

        1. Joe W Silver badge

          Re: 20 years...

          If a determined attacker gains access to your system the first step is to gain elevated privileges as I understand it. The password is needed at first, but not forever.

          Plus you should really implement 2FA... solves at least this issue.

        2. Adrian 4

          Re: 20 years...

          Most of these password policies are enacted on machines not accessible over the internet. Their protection is only against colleagues, not outside agencies.

          Maybe you should just employ trustworthy people and not just shackle all your employees ?

        3. doublelayer Silver badge

          Re: 20 years...

          Thanks for the broad insult to everyone here. Let me enlighten you on a bit of user behavior.

          Here's how passwords usually go when the security policy you mention is instated. Minimum 10 characters, at least one number, both cases, and a symbol. Password changes every month and the algorithm checks against old passwords so you can't duplicate and thoroughly checks against the last one so you can't just change it slightly.

          New employee: Uses password anC9@mlzcQ)AX;1mbz

          One month in: Changes password to fjZv83na.1/f8a

          Two months in: Changes to E8zvhan3oz&

          Three months in: Changes to Fnoazlh92*

          Four months in: Changes to Thisisthe12thsystemI'vehadtochangethison!

          Five months in: Changes to: Gottiredtyping2$

          Six months in: Changes to Authenticate0^

          Changing passwords can be useful, but forcing people to change them so frequently means that many will degrade the entropy of their password because why bother memorizing a long string of random characters when the information will be useless in a month? It will become obsolete faster for an attacker, but the attacker can gain access to systems and install back doors that do not need a password, so expiring credentials doesn't always help. Meanwhile, users use less random passwords that can be broken more easily, meaning you have a higher likelihood of getting an attacker. Also, the users are less happy.

  12. Kevin Johnston

    Bank web security

    A few years ago I was working in Ireland and had to have a local bank account while I was there. The bank I chose had online banking but I was having trouble with the password which had to be 6 to 8 characters, all letters. It turns out my problem was because not only did they have to be letters, they also had to be lowercase letters.

    1. Anonymous South African Coward Bronze badge

      Re: Bank web security

      Some systems don't take kindly to % and $ in passwords...

      1. Dan 55 Silver badge

        Re: Bank web security

        The only thing I can think which would cause a problem with $ and % is plaintext passwords being held in poorly written scripts, which sounds like a WTF moment.

        1. Ken Hagan Gold badge

          Re: Bank web security

          The same goes for length limits, which appear to be hugely popular nevertheless.

      2. Ken Shabby
        Facepalm

        Re: Bank web security

        A system I was using the other day gave a long list of special characters that could be used in a password (you know, the numbered list of things that just about guarantees you all end up being only able to enter the same password). On close inspection as to why it did not like the passwords I tried, it seemed only $ was missing from the list (but maybe % as well)

    2. Anonymous Coward
      Anonymous Coward

      Re: Bank web security

      Aside from throwaways, my least secure password is for my bank, as per their policies.

    3. tinman

      Re: Bank web security

      well why didn't you do that from the start?

      Oh yes, because it'll have been one of those systems that has lots of requirements for your password such as letters AND a number, or at least one upper case, but doesn't tell you that beforehand and instead waits until you get the first attempt wrong and then points out only one mistake!

      1. Adrian 4

        Re: Bank web security

        Numbers have less entropy than letters (10 vs 26 or 52 possibilities). So systems insisting on a number are LESS secure than those that can be any combination.

        (Yes, you should use both letters and numbers in your password. Requiring that some characters are chosen from a smaller set is not the way to do that).

        1. Baldrickk

          Re: Bank web security

          Maybe, but if an attacker has no idea how many digits you use a number for, any more than one digit would increase entropy, wouldn't it? You would have at least one alpha, one numeric - somewhere in the password, but all others could be alphanumeric.

          Without requiring at least one numeric, you would allow alpha only passwords, which would have less entropy than one that has to be even slightly alphanumeric.

      2. Anonymous Coward
        Anonymous Coward

        Re: Bank web security

        I used a system that accepted my choice of initial password but failed when I tried to log in again... turned out there was a login password policy but not on the initial password entry!

  13. Anonymous South African Coward Bronze badge
    Trollface

    Dear World+Dawg

    My password is password123$

    my IP is 127.0.0.1

    kindly haxx0r me

    kthanxbai

    1. Michael Wojcik Silver badge

      Give me my IP address back, you bastard.

  14. Drew 11

    Gaaaaaa

    The only thing more annoying than password complexity rules that require at least 1 capital, one number and one punctuation, is when they have those rules but don't tell you until AFTER you've made up a password, entered it twice, saved it to your password manager and THEN had it rejected.

    Fucking tosser UI programmers.

    1. FrogsAndChips Silver badge
      FAIL

      Re: Gaaaaaa

      Yeah, hate it when those rules aren't clearly stated from the start, and even worse when you have to guess them step by step ("hey, your password is too long!", "OK, now you're missing a special char", "Actually, % is not allowed as a special char, try again", "Good, can you add an uppercase letter, dear?").

      Good thing about password managers is that you can store these rules for the next mandatory reset, although by Murphy's law they will have changed by that time.

      1. Mark Morgan

        Re: Gaaaaaa

        I've had ones that don't tell you the maximum length, so you generate a 30-char random password using a password manager and store it. Website accepts it whilst creating a user profile and lets you in. The next time you try and log in it fails. Turns out after much forum digging that max length is 16. Create user screen had just truncated it and let you in but logon screen doesn't truncate and flags a mismatch. Doh! Had that more than once.

  15. Blade918rr

    Seems odd that we think of passwords and not the resulting hash. Change one character of the password and the hash will change significantly. I thought we wanted to disrupt the attacker and not give the attacker longer to replay or crack passwords from hashes.

    1. Keith Langmead

      They generally don't crack passwords from hashes, that takes a long time. They hash the password they're testing* and compare that hash with the one for your password. If the hashes match they know what your password is. So even if the hash for MyPassword123 is completely different to the one for MyPassword456, if the hacker already has the hashes for each iteration of MyPasswordnnn it'll take no time for them to find it. Or, if they know your old password was MyRe@lly10ngP@55w0rdRocks1 it doesn't take Einstein to try hashing MyRe@lly10ngP@55w0rdRocks2 and seeing if that matches the new one.

      * or more likely have a pre-prepared collection of hashes to run comparisons from
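Several comments above describe the same weakness from different angles: the digit or month name that gets cycled at each forced change, the "shift over one key on the keyboard" trick and the checker that catches it, the project blacklisting keyboard walks such as 1qaz2wsx, the NIST advice to check new passwords against a list of commonly used ones, and MyPassword123 becoming MyPassword456. The following password-change validator implements those checks on the defender's side. It is an added example, not code from the thread or from any product mentioned in it; the blocklist contents, the single US QWERTY layout table and the 14-character minimum are constructed assumptions.

```python
import re

# Constructed sample blocklist standing in for a "commonly used passwords"
# list of the kind the NIST guidance recommends checking against.
COMMON_PASSWORDS = {
    "password", "password123", "123456", "12345678", "qwerty", "letmein",
}

# One keyboard layout (US QWERTY) as rows and columns. A real deployment
# needs a table per territory's layout, which is the point made above.
ROWS = ["`1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik,", "9ol.", "0p;/"]

# Longest names first so "march" is collapsed before "mar"-style prefixes.
MONTHS = sorted(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"],
    key=len, reverse=True)

MIN_LENGTH = 14  # hypothetical policy value, not from the thread


def _adjacent_pairs():
    """Every ordered pair of physically neighbouring keys, both directions."""
    pairs = set()
    for line in ROWS + COLUMNS:
        for a, b in zip(line, line[1:]):
            pairs.add(a + b)
            pairs.add(b + a)
    return pairs


ADJACENT = _adjacent_pairs()


def keyboard_walk_ratio(pw):
    """Fraction of consecutive character pairs that are neighbouring keys."""
    s = pw.lower()
    if len(s) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(s, s[1:]) if a + b in ADJACENT)
    return hits / (len(s) - 1)


def shifted_along_row(pw, offset):
    """Move every character `offset` keys along its row; None if any
    character is not on the table or would fall off the end of its row."""
    out = []
    for ch in pw.lower():
        row = next((r for r in ROWS if ch in r), None)
        if row is None:
            return None
        j = row.index(ch) + offset
        if not 0 <= j < len(row):
            return None
        out.append(row[j])
    return "".join(out)


def _skeleton(pw):
    """Lower-case letters only, with month names collapsed to '#', so that
    MyPassword123 / MyPassword456 and april2019 / may2019 compare equal."""
    s = pw.lower()
    for m in MONTHS:
        s = s.replace(m, "#")
    return re.sub(r"[^a-z#]", "", s)


def is_trivial_variant(old, new):
    """True if `new` is one of the change patterns described in the thread:
    cycled digits or month names, swapped halves, or the old pattern shifted
    a key or two along the keyboard."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    if _skeleton(o) and _skeleton(o) == _skeleton(n):
        return True
    half = len(o) // 2
    if n in (o[half:] + o[:half], o[len(o) - half:] + o[:len(o) - half]):
        return True
    return any(shifted_along_row(o, off) == n for off in (-2, -1, 1, 2))


def validate_change(old, new):
    """Return (accepted, reason) for a proposed password change."""
    if new.lower() in COMMON_PASSWORDS:
        return False, "on the common-password blocklist"
    if is_trivial_variant(old, new):
        return False, "trivial variant of the previous password"
    if keyboard_walk_ratio(new) >= 0.75:
        return False, "looks like a keyboard walk"
    if len(new) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample changes, the kinds of pair the thread describes.
    for old, new in [("MyPassword1234", "MyPassword5678"),
                     ("april2019", "may2019"),
                     ("asdf1234", "sdfg2345"),
                     ("anything", "1qaz2wsx3edc4rfv"),
                     ("Tfrydl50abc", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {validate_change(old, new)}")
```

The checks run in order of how informative the rejection reason is, so a user who cycles a digit is told that rather than just "too short". The keyboard tables are deliberately a single layout; the comment above about customers in dozens of territories is exactly why the adjacency set has to be built per layout rather than hard-coded once.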

      1. RFC822

        * or more likely have a pre-prepared collection of hashes to run comparisons from

        Rainbow Tables.

        1. Blade918rr

          The point is that the attacker would need to take an additional action to generate the correct password, disrupting the process. Significant if the attacker has purchased the passwords / hashes and therefore would need to go back to point of extraction. Changing one character anywhere in the password would not be as easy to guess.
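The exchange above (Keith Langmead's point that a reset which only bumps a trailing digit is guessed in one extra hash, and Blade918rr's point that the hashes themselves look unrelated) can be checked in code. The following is an added example, not code from any commenter: it shows the digests diverging while a password-history filter still rejects the cheap variant. The sample passwords are constructed from the thread's own examples; the function names and the edit-distance threshold are assumptions of this example.

```python
import hashlib
import re

# Constructed sample pairs: an old password and the "new" one chosen at a forced reset.
SAMPLE_PAIRS = [
    ("MyPassword123", "MyPassword456"),
    ("MyRe@lly10ngP@55w0rdRocks1", "MyRe@lly10ngP@55w0rdRocks2"),
    ("MyPassword123", "correct-horse-battery-staple"),
]

def sha256_hex(pw: str) -> str:
    """Unsalted SHA-256, used here only to show that a one-character change
    yields an unrelated digest. Never store real passwords this way."""
    return hashlib.sha256(pw.encode()).hexdigest()

def differing_hex_digits(a: str, b: str) -> int:
    """Count positions where two equal-length hex digests differ."""
    return sum(1 for x, y in zip(a, b) if x != y)

def strip_trailing_digits(pw: str) -> str:
    return re.sub(r"\d+$", "", pw)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is a cheap derivative of the old one:
    a case-only change, the same stem with a different numeric suffix,
    or within max_edits single-character edits (threshold is an assumption)."""
    if old.lower() == new.lower():
        return True
    stem_old, stem_new = strip_trailing_digits(old), strip_trailing_digits(new)
    if stem_old and stem_old.lower() == stem_new.lower():
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits

def first_rejected_by_history(new: str, history: list) -> str:
    """Return the historical password the new one derives from, or '' if none."""
    for old in history:
        if is_trivial_variant(old, new):
            return old
    return ""

if __name__ == "__main__":
    for old, new in SAMPLE_PAIRS:
        diff = differing_hex_digits(sha256_hex(old), sha256_hex(new))
        print(f"{old!r} -> {new!r}: {diff}/64 hex digits differ, "
              f"trivial variant = {is_trivial_variant(old, new)}")
```

A password-change filter that keeps a history of previous hashes cannot run this comparison, since only the plaintext of the new password is available at reset time; the check works on the old plaintext only while the user is changing it, or on a history of stems the filter records deliberately.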

  16. EnviableOne

    "our crypto experts" - I thought all these became surplus to requirements; I know the BitLocker team are all ex-Microsoft.

    Killing password expiry is only OK if you monitor logon patterns for risky behaviour and force changes when it occurs.

    Length trumps complexity; I was going to try enforcing a 14 character minimum and no complexity, with a common word component filter.

    26^14 > 95^8 and the common 8 char patterns no longer apply.

    Complex passwords are easy for machines to guess and hard for humans to remember.

    1. Robert Carnegie Silver badge

      Some favour composing a short sentence to remember, and setting that as password.

      I generate random letters, preferably consonants, and numbers, and then compose a sentence to remember most or all of the password.

      For instance: Tfrydl50 - "Thanks for yodeling" (not real, generated as demonstration) and after a couple of repeats the numbers come up in my mind with the letters, and I don't have to look at the written copy hidden in my xxxxxx xxx xxx xxx xxxxxxx, which is awkward in the office environment.

      The drawback of actual words is that one letter = one random bit approximately. My letters are fewer but randomer.

      Consonants mean I generally don't run into a word filter, as if a password would be rejected because Mwsfukgst contains a three-letter rude word.

  17. MassiveBob

    Words of Satan

    "Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value," said Margosis.

    For our company "information security officer", these are words of Satan himself.

    He swears by the concept of regular password changes. He would force you to change your personal debit/credit card PIN number if he could somehow vaguely relate it to compromising the company security.

    Yes, everyone in the company hates him. Not because of the job he does but because he is generally a nasty person altogether.

    1. Blade918rr

      Re: Words of Satan

      Maybe he pretends to be nasty so that you remember what he says. Normally being nasty is the only way anyone takes anything seriously (until the business is on its knees, then everyone wants to know what the security officer has to say). Security pros do not expect to be liked but are expected to secure the business.

      1. Ken Hagan Gold badge

        Re: Words of Satan

        You can turn that on its head. If you are just a nasty piece of work, become a security pro and no-one will ever know.

      2. Mike 16

        Re: Words of Satan

        -- being nasty is the only way anyone takes anything seriously --

        Or you could try the approach of the IT manager at one place I worked. He was generally quite polite, but did have a concealed carry license and the .45 automatic pistol it applied to. And we all knew it. (also drove a Dodge Viper and wore cowboy boots, non-ironically). I later heard he went to work for MSFT.

  18. G*
    Megaphone

    Old news

    Amazing that no one seems to remember that this was advised 3 years ago by none other than GCHQ

    https://www.ncsc.gov.uk/blog-post/your-password-expiry-policy-may-have-reached-its-expiry-date
