Validating Password Expiration


  • There have been papers written stating why forcing users to change passwords on a regular basis is bad. Ultimately, it leads to people writing passwords down in some insecure way.

    Better to have password policy rules that enforce decent standards, i.e. 12+ characters, upper/lowercase, etc..., and use account lockouts after too many failed attempts.

  • There's a lot of research for sure, and I think frequent changes are bad for many users. Better for preventing hacks across time, but not great for people who have other things to worry about. I like the directions with MFA and 2factor, though changing passwords is still something people ought to do at some point. Never know when a backup of something is compromised and hackers have a lot of time to brute force things.

    I hate many designs of software that limit characters and lengths, as well as those that try to prevent pasting of passwords.

  • Steve Jones - SSC Editor wrote:

    I hate many designs of software that limit characters and lengths, as well as those that try to prevent pasting of passwords.

    The former drives me crazy: I have accounts on non-work-related sites where password lengths allowed are as short as 6! And it should be an embarrassment to not be able to handle any valid ASCII character (at least up to 127) in a password. I recently changed all my passwords due to (yet another) LastPass breach, and was surprised by how many sites still can't handle some or even any special characters.

    My least favorite instance of the latter is perpetrated by Microsoft, involving making a change to my domain account password.
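The policy the two posts above sketch (12+ characters, upper and lower case, no banned characters or length ceiling, lockout after too many failed attempts), worked through as an added Python example that is not code from any of the posters; the thresholds, the PBKDF2 parameters and the `AccountGuard` name are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12         # assumed policy: 12+ characters, no upper bound
MAX_FAILURES = 5        # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900   # assumed policy: 15 minute lockout

def policy_violations(password: str) -> list[str]:
    """Return every rule the candidate breaks (empty list means it passes).
    Only ASCII control characters are refused; any printable ASCII or Unicode is fine."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        problems.append("contains a control character")
    return problems

class AccountGuard:
    """Stores a salted PBKDF2 hash and locks the account for a while after
    too many failed attempts. `now` is injectable so tests can fake the clock."""
    def __init__(self, password: str, now=time.monotonic):
        self._now, self._salt = now, os.urandom(16)
        self._hash = self._derive(password)
        self.failures, self.locked_until = 0, 0.0

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def is_locked(self) -> bool:
        return self._now() < self.locked_until

    def attempt(self, password: str) -> bool:
        """True on success; a locked account is refused before the password is checked."""
        if self.is_locked():
            return False
        if hmac.compare_digest(self._derive(password), self._hash):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = self._now() + LOCKOUT_SECONDS
            self.failures = 0
        return False
```

Refusing the attempt while locked, even with the right password, is what keeps an online guessing campaign from simply continuing; the hashing is there only so the example stores nothing reversible.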

  • [This was a duplicate comment. This site neither prevents double submission nor does it provide for a user deleting their own comment.]

  • m60freeman wrote:

    Steve Jones - SSC Editor wrote:

    I hate many designs of software that limit characters and lengths, as well as those that try to prevent pasting of passwords.

    The former drives me crazy: I have accounts on non-work-related sites where password lengths allowed are as short as 6! And it should be an embarrassment to not be able to handle any valid ASCII character (at least up to 127) in a password.

    Echo both of these comments. As a good product tech lead, previously a developer, whenever I encounter this on a website, for example, I always make a point of using their contact page to give feedback about this. Depending on what the site is for, I simply don't use it at all if it has terrible password security.

    The good thing about changing passwords recently is that browsers, like Edge for example, will tell you if your passwords have been used in a known breach, or if you are using the same one in multiple places, and will autogenerate one for you. I'm using Edge's built-in syncing so that I can get it to suggest random passwords and use them across desktop/laptop/tablet/smartphone.
