[kwlug-disc] Password change policy

doug moen doug at moens.org
Mon Jun 18 15:38:13 EDT 2018


These kinds of password change policies are bullshit. They impose an
impossible burden on employees. You can't expect the majority of employees
to construct and memorize a brand new, unique and highly secure password
every three months (or whatever). Most people's brains don't work that way.
Since it's an impossible burden, it forces employees to play cat and mouse
with IT, and find some way to manage the passwords without IT discovering
the method and finding a way to ban it. I created an algorithm for
generating an infinite sequence of passwords, and moved to the next
password in the sequence every three months. My sequence changed more than
one character for each password in the sequence, and IT did not manage to
detect and ban my algorithm. They were able to detect single character
changes.

I would suggest implementing two-factor authentication, and giving
everybody a YubiKey.

On 18 June 2018 at 14:52, Raymond Chen <raymondchen625 at gmail.com> wrote:

> Most organizations ask their users to change their passwords periodically,
> and also have some kind of mandatory password complexity requirement. One
> day when I talked about this with some colleagues, I found out quite a few
> of them used a strong password, but changed only one character, probably
> incrementing a number there, when asked to change it. Like from Ik0FmU>Hf to
> Ik1FmU>Hf to Ik2FmU>Hf.
> I think this is compromising the security, like writing it down on a
> post-it on your monitor. But I can't think of a way to prevent this
> technically. We shouldn't store the clear-text password of course. And we
> should not find any clue on the similarity by just looking at the encrypted
> text if it's a good encryption algorithm. How do we know the user only
> changed one character?
> Maybe we can pre-calculate all the variations when the user specifies a
> password and store all the encrypted strings? But that's a waste of
> resources, right?
> And that might in fact push some users to using the post-it...
>
>
> Regards,
>
> Raymond
>
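Raymond's question (how can a server tell that a new password is a one-character edit of the old one when it only stores a hash?) has a cheaper answer than pre-computing variations at set time: at change time the server holds the new password in cleartext, so it can enumerate single edits of the new password and hash each one with the old salt, comparing against the old stored hash. The following is an added illustration of that check, not code from the list or from anyone on it; the salt, the PBKDF2 iteration count and the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import string
from typing import Iterator

# Demo-only KDF cost: lowered so the variant scan runs in well under a second.
# A production setting (bcrypt/argon2, or far more PBKDF2 iterations) makes
# the same scan cost seconds, which is acceptable once per password change.
ITERATIONS = 200
ALPHABET = string.printable.strip()  # printable ASCII minus whitespace (94 chars)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; this is all the server stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def single_edit_variants(pw: str) -> Iterator[str]:
    """Yield every string exactly one substitution, deletion or insertion away from pw."""
    for i in range(len(pw)):
        yield pw[:i] + pw[i + 1:]                      # deletion of pw[i]
        for c in ALPHABET:
            if c != pw[i]:
                yield pw[:i] + c + pw[i + 1:]          # substitution at i
    for i in range(len(pw) + 1):
        for c in ALPHABET:
            yield pw[:i] + c + pw[i:]                  # insertion before i


def is_trivial_change(new_pw: str, old_salt: bytes, old_hash: bytes) -> bool:
    """True if new_pw equals the old password or is one edit away from it.

    Only the old hash and salt are needed; the old cleartext is never stored.
    """
    if hmac.compare_digest(hash_password(new_pw, old_salt), old_hash):
        return True  # same password re-submitted
    return any(
        hmac.compare_digest(hash_password(v, old_salt), old_hash)
        for v in single_edit_variants(new_pw)
    )


if __name__ == "__main__":
    salt = b"constructed-demo-salt"                 # constructed for the demo
    old_hash = hash_password("Ik0FmU>Hf", salt)      # Raymond's example password
    print(is_trivial_change("Ik1FmU>Hf", salt, old_hash))        # True
    print(is_trivial_change("correct horse battery", salt, old_hash))  # False
```

For a 9-character password this is roughly 1,800 hash computations, so the check should run only in the password-change handler (where the user has just re-authenticated), never on every login.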