Wednesday, June 5, 2019

Microsoft: Mandatory password changes considered harmful

They're right, as I've said for a long long time.  The security industry has been moving in this direction for a few years, and now Microsoft seems to be throwing their weight behind this.  Their explanation makes tons of sense:
In last month’s blog post, Microsoft's Margosis wrote:
There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.
...
He added:
Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
Anything that gets users out of having to choose new passwords every 60 days is a big win for everyone's security - as long as a password change is still required whenever you think that password has been compromised. Long passwords (more than 11 characters) that are easy to remember are best, like the passphrase I posted about in the first link above (only longer than that one, which was posted back in the days of 8-character passwords).
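
As an added example (not code from this post or from Microsoft), here is a small Python policy check that encodes the two points above: strength comes from length, and rotation is triggered by evidence of compromise rather than by the calendar. It also flags the "small and predictable alteration" Microsoft describes. The minimum length of 12 follows the post's "more than 11 characters"; the sample passwords are constructed.

```python
import math
import string

def keyspace_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet), where the
    alphabet is the union of character classes actually present in the password.
    This is an upper bound; dictionary words and patterns are weaker than this."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def is_predictable_alteration(old: str, new: str) -> bool:
    """Detect the minimal tweaks users make under forced expiration:
    a case change only, a trailing counter bumped, or a suffix added/removed."""
    if not old:                       # first password: nothing to compare against
        return False
    if old.lower() == new.lower():
        return True
    o, n = old.rstrip(string.digits), new.rstrip(string.digits)
    if o and o.lower() == n.lower():  # Winter2018 -> Winter2019, Pass1 -> Pass2
        return True
    return new.startswith(old) or old.startswith(new)  # Winter2018 -> Winter2018!

def evaluate_change(old: str, new: str, min_len: int = 12):
    """Accept a new password only if it is long and not a predictable tweak.
    Returns (accepted, reason). min_len=12 follows the post's 'more than 11'."""
    if len(new) < min_len:
        return False, f"shorter than {min_len} characters"
    if is_predictable_alteration(old, new):
        return False, "predictable alteration of the previous password"
    return True, "accepted"

def next_action(age_days: int, compromise_evidence: bool) -> str:
    """Rotation is driven by evidence of theft, never by calendar age;
    age_days is accepted only to make the point that it is ignored."""
    return "force reset now" if compromise_evidence else "no change required"

if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password versus a long
    # lowercase passphrase, and a typical year-bump rotation.
    for pw in ("Tr0ub4d!", "correcthorsebatterystaple"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits")
    print(evaluate_change("Winter2018", "Winter2019"))
    print(evaluate_change("Winter2018", "correcthorsebatterystaple"))
    print(next_action(400, False), "|", next_action(3, True))
```

The 8-character mixed-class sample scores about 52 bits while the 25-character lowercase passphrase scores about 117, which is the length argument in numbers.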

Now that we're seeing some of the Big Boys taking this approach, maybe we'll see more sane password rules coming around.

4 comments:

Peter B said...

Is it better if your passphrase is one you make up yourself, rather than a sequence of words that has been published?

Borepatch said...

Peter, perhaps a little but only a little. If it's long (more than 11 characters) then it's strong enough to stand up to most attacks. The exception is if it is a word that you find in the dictionary.

But ideally the phrase should be something that means something to you, and only you.

Jester said...

Working for the .gov as I do, this would be welcomed. I have no less than 20 different passwords, all of them expire at different intervals of 30-90 days and of course each on different timers due to starting the timer at different times. This is on top of an access card that is required with its own password. Mind you, with the access to sensitive information in the healthcare sector I get the precaution. However, stuff that has no bearing on sensitive information is getting cumbersome. It gets old exhausting catchphrases and changing them over to provide due diligence when you can't even access that part of the programs/websites without the access card's password in the first place.

STxAR said...

I suffer from password-itis as well. 8 characters, numbers, letters, one capital letter at least. 90 days, can't duplicate the last 4 passwords... madness with the second authentication that has to be entered as well.... ugh, etc.