Password expirations are bad practice and counter-intuitive to what the ultimate goal is. If you have a long, complex, unique password for a system that is not used anywhere else and is stored in a secure password manager that has not been compromised, changing that password is worse than meaningless, it’s actively harmful. No one in the IT or Security field should be advocating for password expirations at this stage of the game. Unfortunately everyone is forced into the practice to comply with PCI regulations that have not kept up with changes in security.
I would say that password expiration and password rotation are not exactly the same thing. I think expiration has its place when paired with login time. Such as, if a user does not log in for X amount of days - begin a timer to expire the password. But rotational password changes harm the overall security posture of the concept of password security.
But, I agree with what @LittlePrimate@feddit.de said below, I don’t think I see how the changing of a password within a password manager would fall under the harmful category. Most managers have a system to actually expedite and simplify the password change process. I don’t think this needs to be used regularly but if you suspect that your account might be included in a breach or some other indication of compromise, then hit that “change me” button.
I would argue that the article’s stance on the “password manager, MFA, login” dance is the more harmful perspective. The MFA process has been significantly simplified and integrated into most login functions. We’re at least beyond the dongle number generator stage of consumer MFA. The combination of MFA and password managers is the primary and most accessible solution to today’s password woes.
My argument for it being worse than useless and actively harmful is changing a password needlessly does open the possibility of it being scraped, observed, or otherwise compromised during the password change process. It’s wildly over-cautionary on my part to make that claim, but wild speculation tends to be the name of the game.
If you’re changing passwords, there is a period in time when that password is in plain text or completely visible in some form. If there’s a camera, if someone is secretly watching, if it’s somehow observed even remotely via screen recording or logging, that password during the process of it being changed is now compromised in a way that wouldn’t have happened if someone’s password manager was simply auto-filling the password in. Of course, there are much worse issues going on if this is a real concern but, again, security tends to be about finding the wildest and most outlandish things that could be compromising and nipping them before they can be exploited.
Arguably even typing your password with someone around can be compromising. I work in IT, and I can’t even count the number of times I’ve worked with an end user and frustratingly observed them chicken-peck a password that, if I was malicious, I could make an educated guess at and probably get in before the lockout, which is concerning.
I’ve guessed more than one phone passcode from end users requesting help just by seeing where their thumb moved when unlocking it. I wouldn’t tell them that, but it’s pretty easy to guess when someone’s password is 1972 when they hit all of the corners on their screen. At this stage of the game passwords themselves are a vulnerability. In comparison, cracking FaceID or a thumb print is WAY harder and requires way more preplanning.
I’d say for a secure password in a manager, it’s not really harmful.
Someone who uses a manager and secure passwords will usually be aware of the “generate me a new unique, secure password” feature, so they will generate a new one and simply paste that into the page. They might be inclined to just add the bad practice “-01” although it honestly doesn’t make a unique, secure password worse unless the unencrypted password was somehow leaked. The delay in emergency situations mentioned in the post might still happen, although the harm there will depend on the exact situation and likely usually fall into the “annoying delay” category.
I absolutely agree that forced password changes need to die simply because a majority of users still tries to remember passwords and is therefore prone to bad practices, but for someone with a password manager and unique passwords it’s more unnecessary and annoying than actively harmful.
I used to have a friend’s password somewhere that used rotation and I’d just have to do a quick bit of maths to figure out the final number. Surely there are bots that are smart enough to automate this: mysuperstrongpass01 -> mysuperstrongpass02, mysuperstrongpass03 etc. [edit: the article alludes to this, but then most of our comments here and on the link are not very original either!]
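The "-01" habit mentioned a couple of comments up and the mysuperstrongpass01 -> 02 increment pattern just described are exactly what a password-change validator on the server side should reject. The following is an added example written for this thread, not code from any commenter or product: a Python check that runs at change time, when the service has both the current password (the user must supply it to authorize the change) and the proposed one, and refuses trivial variants. The function names, the similarity threshold and the sample passwords are all constructed for the example; the comparison only works against the current plaintext submitted in the change form, since stored hashes can only tell you about exact reuse.

```python
import re
from difflib import SequenceMatcher

# Stem + optional separator + trailing counter, e.g. "mysuperstrongpass-01".
TRAILING_COUNTER = re.compile(r"^(.*?)([-_.]?)(\d+)$")


def split_counter(password):
    """Return (stem, counter) where counter is None if no trailing digits.

    A password that is nothing but digits ("1972") has no stem, so it is
    returned unchanged rather than treated as stem "" + counter.
    """
    m = TRAILING_COUNTER.match(password)
    if not m or not m.group(1):
        return password, None
    return m.group(1), int(m.group(3))


def is_trivial_variant(old, new, max_similarity=0.8):
    """True when `new` differs from `old` only in ways an attacker who knows
    `old` would try first: identical, case-only change, same stem with a
    different trailing counter, or overall near-identical text."""
    if old == new or old.lower() == new.lower():
        return True
    old_stem, old_counter = split_counter(old)
    new_stem, new_counter = split_counter(new)
    # "mysuperstrongpass" -> "mysuperstrongpass01" and "...01" -> "...02"
    # share a stem; only the counter moved.
    if old_stem == new_stem and (old_counter is not None or new_counter is not None):
        return True
    # Catch-all for small edits anywhere in the string (swapped symbol,
    # one extra character, etc.). Threshold is a hypothetical tuning value.
    return SequenceMatcher(None, old, new).ratio() >= max_similarity


def check_new_password(old, new, min_length=12):
    """Return a list of policy violations; an empty list means accept.

    Runs during the change request, which is the one moment the server
    legitimately holds both plaintexts. Nothing here is logged or stored.
    """
    problems = []
    if len(new) < min_length:
        problems.append("new password is shorter than %d characters" % min_length)
    if is_trivial_variant(old, new):
        problems.append("new password is a trivial variant of the current one")
    return problems


if __name__ == "__main__":
    # Constructed sample change requests.
    attempts = [
        ("mysuperstrongpass01", "mysuperstrongpass02"),
        ("mysuperstrongpass", "mysuperstrongpass-01"),
        ("Summer2023!", "summer2023!"),
        ("xK9#qL2@wP7!mR4$", "Zt5&vB8%nH3^cJ6*"),  # manager-generated replacement
    ]
    for old_pw, new_pw in attempts:
        verdict = check_new_password(old_pw, new_pw) or ["accepted"]
        print("%-22s -> %-22s %s" % (old_pw, new_pw, "; ".join(verdict)))
```

A manager-generated replacement passes because it shares neither stem nor text with the old value, which matches the point made above: rotation only hurts when people satisfy it by incrementing, and the validator is the place to make incrementing fail rather than the place to nag everyone.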
Password reuse is probably the worst security flaw nowadays, and a strong but reused password is basically no better than classics like password1 after a depressingly small amount of time/services.