Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Why is changing password frequently bad for security? Could you elaborate
that please? -
@tonypolik if it's a password that you need to remember yourself, you need to make it simpler to accommodate the fact that you need to remember a new password every three months.
-
try tricking administration into giving you a temporary password. then use that forever since those usually don't need to change.
also: password managers. -
atheist99012yLast time I had to periodically change my password, I just named 3 things I could see. Hello "StaplerCloudWindow". Stupid rule.
-
@tonypolik the more complex a password, the more secure it is. However if it's a password you actually need to type in, you'll have a hard time remembering it. If there's a policy to change the password every so often, people will tend to try and use simpler passwords, or (especially in company IT settings) take note of their password in places very close to their PCs.
-
The idea behind regularly PW changes is, while a bruteforce attack is going on, you change the PW so they have to start from the top. Novel idea, but hopelessly outdated (2FA/MFA, rate limitations, fail-to-ban, etc.).
In combination with a PW policy, people will use less complex PWs (instead of a PW manager).
PW managers don't work for BIOS or Bitlocker. Also you need a master PW for the PW manager. And then ppl want to share PWs when the person in charge takes their vacation. And you can have multiple PW managers. And multiple Authenticator apps (Google + Microsoft + some no-name crap who build their own standard).
And as a dev, I would like to disable authentication on the app I'm just working on locally... -
@electrineer for your everyday website, yes. Ever logged in to Google on a new device? MFA all the way
If I have to change my domain password every 3 months for a bullshit out of date security policy (there's plenty of evidence suggesting that changing passwords is actually worse security), then maybe, just FUCKING maybe, make sure that that password change appropriately filters down to things like SQL Server so I can keep doing my goddamn work.
rant