Latest NIST guidance no longer recommends password rotation, except in the instance of a suspected system compromise. Regularly forcing users to update passwords leads to more insecure storage mechanisms and passwords as users just recycle new versions of old passwords.
NIST guidance no longer recommends password rotation
What’s the reasoning? Quantum computing will make brute force hacks significantly easier with less time, and rotating passwords “resets” the clock on these attacks.
Regularly forcing users to update passwords leads to more insecure storage mechanisms and passwords as users just recycle new versions of old passwords.
Users not using best practice isn’t a good enough reason to not recommend best practice. A password manager can handle password changes with ease (no need to reuse a password or insecurely store them), and coupled with 2FA, it’s just a solid plan.
But I would still be curious to know why password rotation is not recommended.
Password rotation leads to password reuse. If you can remember or type your password, it could be stronger. Randomly generated long passwords, different for every account, should be the bare minimum these days.
The above has been my password advice for quite a while now. Please correct me if it’s no longer considered best practice or if I’m missing something important.
Randomly generated long passwords, different for every account, should be the bare minimum these days.
Randomly generated phrases with separators, punctuation, and numbers, appear to be the strongest (and easier to type out if you are reading it off a password manager not on the same device). Just a random generated string is actually quite easy for a computer script to brute force, but so much of a pain in the ass for the user! LOL
Length is usually better than complexity!
For example, Bitwarden’s password strength test tool says this password would only take 3 years to crack (using today’s technology): s#y7s8a63@22
While this one would take centuries: this-is-way-stronger
Which one you would want to enter into your TV set when you have to log into a streaming video service? 😂
Sure you can blame the user for their failure, but your systems will be less secure because of all your users who are not doing what they are supposed to. So then you have to decide, do we punish these users for their bad password practices or do we implement different practices that are more likely to be followed.
Something you know isn’t the best method to verify identity anyways; as evidenced, it is easy for someone else to learn that information. Using something the user possesses is a much better choice as the user is more likely to be aware of a loss of the object and report the security incident.
So then you have to decide, do we punish these users for their bad password practices or do we implement different practices that are more likely to be followed.
In most areas, I would agree that the latter would be the best approach, with nuance*
However, in the security space, I would argue that you should implement practices based on the threat model, and the importance of the data being protected.
Should a user be rotating passwords on a website they use to check the weather? Probably not.
For a banking site? I would, and enable 2FA if it already isn’t. 2FA, I would also argue, is more of a PITA for users than picking a strong password via their password manager.
We already see harmful example of suggestions being offered, not because the facts support it, but because “it’s easier for the user to follow”.
For instance, health authorities tell people to get 150 minutes of activity per week, despite the clear evidence that more than that would be better for optimal health.
Why do they do this? Because suggesting the true amount of exercise needed causes an aversion… the opposite effect.
So, I can see how we might ask users to only do the bare minimum, or else risk complete noncompliance with best practices. But the reality is, it only takes a very minimal amount of effort to secure our data, so we should encourage users to actually follow best practices (as it relates to their threat model).
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.
When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password.
Well, there’s the problem. Why are people using memorized passwords? And why are they picking passwords that could be easily guessed?
Literally, the only password that one should memorize is for their password manager that has strong 2FA enabled.
This recommendation seems to cater to users who already have poor security habits, rather than offering best practices. That’s my opinion, anyway.
It depends. If your accounts are set up to auto-reject and ban people after X number of failed logins, then a strong password (even without 2fa) should be ok for most people.
But if the service allows for unlimited login attempts, having the same password for months or years gives more time to brute force guess it.
Even in a leak like this, even without anything more than a list of passwords, it could be a valuable collection for a “dictionary password attack”.
Lots of unknowns, but this was a “leak”, rather than a “hack”. Perhaps another article might shed more light into the details of the data, and in what form those passwords are in.
I hear that being said, but how? If Steam is following best practices of the last several decades, which I’m sure it does, it doesn’t have the passwords in usable form.
The seller claims this is a “fresh” leak and says it includes usernames, passwords, two-factor SMS logs, message contents, metadata, delivery status, and other sensitive details. SOURCE
Again, the panic smells rotten because Steam should not have a plaintext copy of your password, it should be hashed, and there’s just no way steam isn’t doing that.
“The seller claims this is a “fresh” leak and says it includes usernames, passwords, two-factor SMS logs, message contents, metadata, delivery status, and other sensitive details.” SOURCE
The title straight up asks you to change your password (and the article continues to make this suggestion eight more times). What other account details would possibly even be worth writing an article about?
You were absolutely not right about the article here suggesting passwords weren’t involved. You did not suggest that the whole situation the article was about was bullshit.
From what I understand, these passwords (and the accounts they are linked to) are in a usable form to whoever is buying the lists.
2FA protects you, but changing your password isn’t a bad idea (and should be done on a regular basis anyway).
Latest NIST guidance no longer recommends password rotation, except in the instance of a suspected system compromise. Regularly forcing users to update passwords leads to more insecure storage mechanisms and passwords as users just recycle new versions of old passwords.
What’s the reasoning? Quantum computing will make brute force hacks significantly easier with less time, and rotating passwords “resets” the clock on these attacks.
Users not using best practice isn’t a good enough reason to not recommend best practice. A password manager can handle password changes with ease (no need to reuse a password or insecurely store them), and coupled with 2FA, it’s just a solid plan.
But I would still be curious to know why password rotation is not recommended.
Password rotation leads to password reuse. If you can remember or type your password, it could be stronger. Randomly generated long passwords, different for every account, should be the bare minimum these days.
The above has been my password advice for quite a while now. Please correct me if it’s no longer considered best practice or if I’m missing something important.
That’s a user problem, though.
Randomly generated phrases with separators, punctuation, and numbers, appear to be the strongest (and easier to type out if you are reading it off a password manager not on the same device). Just a random generated string is actually quite easy for a computer script to brute force, but so much of a pain in the ass for the user! LOL
Length is usually better than complexity!
For example, Bitwarden’s password strength test tool says this password would only take 3 years to crack (using today’s technology): s#y7s8a63@22
While this one would take centuries: this-is-way-stronger
Which one you would want to enter into your TV set when you have to log into a streaming video service? 😂
Sure you can blame the user for their failure, but your systems will be less secure because of all your users who are not doing what they are supposed to. So then you have to decide, do we punish these users for their bad password practices or do we implement different practices that are more likely to be followed.
Something you know isn’t the best method to verify identity anyways; as evidenced, it is easy for someone else to learn that information. Using something the user possesses is a much better choice as the user is more likely to be aware of a loss of the object and report the security incident.
In most areas, I would agree that the latter would be the best approach, with nuance*
However, in the security space, I would argue that you should implement practices based on the threat model, and the importance of the data being protected.
Should a user be rotating passwords on a website they use to check the weather? Probably not.
For a banking site? I would, and enable 2FA if it already isn’t. 2FA, I would also argue, is more of a PITA for users than picking a strong password via their password manager.
For instance, health authorities tell people to get 150 minutes of activity per week, despite the clear evidence that more than that would be better for optimal health.
Why do they do this? Because suggesting the true amount of exercise needed causes an aversion… the opposite effect.
So, I can see how we might ask users to only do the bare minimum, or else risk complete noncompliance with best practices. But the reality is, it only takes a very minimal amount of effort to secure our data, so we should encourage users to actually follow best practices (as it relates to their threat model).
On mobile so forgive any formatting, but the text below is quoted from the NIST faq. https://pages.nist.gov/800-63-FAQ/#q-b03
Q-B05:
Is password expiration no longer recommended?
A-B05:
SP 800-63B Section 5.1.1.2 paragraph 9 states:
Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.
Well, there’s the problem. Why are people using memorized passwords? And why are they picking passwords that could be easily guessed?
Literally, the only password that one should memorize is for their password manager that has strong 2FA enabled.
This recommendation seems to cater to users who already have poor security habits, rather than offering best practices. That’s my opinion, anyway.
edit: spelling
Is changing passwords on a regular basis actually better or just a feeling?
It depends. If your accounts are set up to auto-reject and ban people after X number of failed logins, then a strong password (even without 2fa) should be ok for most people.
But if the service allows for unlimited login attempts, having the same password for months or years gives more time to brute force guess it.
Even in a leak like this, even without anything more than a list of passwords, it could be a valuable collection for a “dictionary password attack”.
But why would the passwords be available unhashed?
Lots of unknowns, but this was a “leak”, rather than a “hack”. Perhaps another article might shed more light into the details of the data, and in what form those passwords are in.
I hear that being said, but how? If Steam is following best practices of the last several decades, which I’m sure it does, it doesn’t have the passwords in usable form.
The problem is, this “leak” did not come from Steam’s mishandling of data, but the third-party used to processes 2FA authentication.
Who shouldn’t be within a thousand feet of passwords.
Way more than just passwords, apparently.
And here’s an article saying otherwise.
https://www.vg247.com/steam-vendor-data-breach-passwords-89-million-users-dark-web
Again, the panic smells rotten because Steam should not have a plaintext copy of your password, it should be hashed, and there’s just no way steam isn’t doing that.
That’s a promising update! Thank you for posting.
Funny how even the URL of that article suggests that passwords were breached. LOL
nothing in either the news post nor the linked tweet suggest that passwords are even involved
The title straight up asks you to change your password (and the article continues to make this suggestion eight more times). What other account details would possibly even be worth writing an article about?
would you look at that, I was right
https://steamcommunity.com/games/593110/announcements/detail/533224478739530146
You were absolutely not right about the article here suggesting passwords weren’t involved. You did not suggest that the whole situation the article was about was bullshit.
the article suggested to change your passwords, but didn’t say that passwords were involved. That’s very different