According to the US government, forcing users to periodically change their passwords should go the way of the dodo

https://www.pcgamer.com/software/security/forcing-users-to-periodically-change-their-passwords-should-go-the-way-of-the-dodo-according-to-the-us-government/

18 Comments

  1. ElevationAV on

    what they’re saying makes a lot of sense, especially when half the time you can’t use your last 5-10 passwords so there’s the constant need to come up with something new

  2. First off, it's an article to sell you a password manager.

    But there’s two competing ideas here:

    1) Since we are human and have human limitations, requiring us to constantly change our passwords encourages us to make passwords that are easier to hack or bypass. (i.e. if the password is too complicated you are likely to write it down, and if you write it down someone can physically steal the password you wrote down).

    2) Since we are human we can only remember so many passwords and since so many things require logins we will probably wind up [reusing passwords.](https://xkcd.com/792/)

    Solutions to the first problem make the second problem worse. [If we get a password that is exceedingly hard to hack or bypass that we can also remember easily](https://xkcd.com/936/)…. we will reuse that password more often. If we never reuse passwords then we will need to “store” more of them meaning they will be less complex or easier to bypass.

    That brings in the ads for purchasing a password manager. “Why try to remember the passwords yourself when you could give them all to our app and our app will remember them for you?” But if we are being honest… that’s almost the exact same problem as writing the password down in the first place.

  3. DualActiveBridgeLLC on

    The concept of having to periodically change your password always struck me as being very similar to security through obfuscation, just on a user side instead of an application side. Especially now that we have a reliance on random password generators. 2FA was supposed to be (1) something you know (2) something you have. But we don’t really “know” our passwords anymore.

  4. amorphous_blob_1169 on

    lol this article reeks of Russian propaganda... I’ll be changing my passwords, thanks

  5. AsperaAstra on

    When you have shit like this you just get Pass.word.1 then pass.word.2 then pass.word.3 and nothing fundamentally changes. The best password field will allow you to type a whole phrase as a password. Something straightforward and obvious but wildly obscure. E.g., “An apple falls because of gravity” would take trillions of years to brute force. But obviously the phrase is contextual to you.

  6. giggity_giggity on

    You know what else is bad? Password change forms online which don’t allow you to copy and paste. I use a password manager, the most secure password is a long random (with certain characteristics) password. But by making people type it rather than copy in from a password manager, they’re encouraging shorter, less secure passwords.

  7. Passwords themselves have to go away. There are better ways to secure logins than letting users use “password123” as their security. Ideally perhaps a combination of biometrics (this is your “login name”) and then a hardware key like a Yubikey to serve as your “password”. Because people cannot be trusted to use sane passwords. Not even 2FA is fully safe.

  8. Marvinas-Ridlis on

    Ideally social login or 2FA authentication should be implemented everywhere. No use for a password if the hacker is unable to access the authenticator or email.

  9. CurrentlyLucid on

    I use real long ones all separate and I change them every so often.

  10. ForsakenRacism on

    The government literally makes me change my password every couple months at work

  11. <same old password>01

    <same old password>02

    <same old password>03

    <same old password>10

    <same old password>01

    And on and on. Seriously, I’ve been doing this for DECADES now.
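The incrementing pattern in comments 5 and 11 (and the history-check frustration in comment 1) is the practical reason the US guidance dropped scheduled rotation. As an added example, not code from the article or from any commenter, here is a small Python checker in the spirit of NIST SP 800-63B: it screens a proposed password against a blocklist of known-compromised values and rejects trivial mutations of the previous password, instead of forcing changes on a timer. The blocklist, the length and similarity thresholds, and all sample passwords are constructed for this example.

```python
"""
Constructed example of a password-change check that follows NIST SP 800-63B
in spirit: no scheduled expiry; instead screen against known-breached values
and reject trivial mutations of the previous password ("pass.word.1" ->
"pass.word.2", "Wintertime2023!" -> "Wintertime2024!").
"""
import difflib
import re
from typing import Optional

# Constructed stand-in for a breached-password corpus. A real deployment would
# query a large list (e.g. via a k-anonymity range API), not an inline set.
BREACHED = {"password123", "qwerty", "letmein", "pass.word.1"}

MIN_LENGTH = 12          # length over composition rules (assumed policy value)
SIMILARITY_LIMIT = 0.8   # difflib ratio at or above which two passwords count as variants

_LEADING = re.compile(r"^[\W\d_]+")    # leading digits/punctuation, e.g. "01"
_TRAILING = re.compile(r"[\W\d_]+$")   # trailing digits/punctuation, e.g. "2024!"
_LEET = str.maketrans("@$03!", "asoei")  # a few common substitutions

def canonical(pw: str) -> str:
    """Strip the parts users bump on forced rotation: case, leading and
    trailing digits/punctuation, and simple leet substitutions."""
    s = pw.lower()
    s = _LEADING.sub("", s)
    s = _TRAILING.sub("", s)
    return s.translate(_LEET)

# Blocklist is matched on canonical form so "P@ssw0rd2024" hits "password123".
BREACHED_CANON = {canonical(p) for p in BREACHED}

def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` looks like the previous password with a counter,
    year, punctuation or case change, or is otherwise nearly identical."""
    c_old, c_new = canonical(old), canonical(new)
    # Guard: an all-digit/all-punctuation password canonicalises to "", and
    # two empty strings must not be treated as "the same word".
    if c_old and c_old == c_new:
        return True
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_LIMIT

def check_new_password(old: Optional[str], new: str) -> list[str]:
    """Return the reasons to reject `new`; an empty list means accept.
    Note there is deliberately no 'password is N days old' rule: a change is
    driven by a compromise indicator, not by the calendar."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in BREACHED or canonical(new) in BREACHED_CANON:
        problems.append("appears in breached-password list")
    if old is not None and is_trivial_variant(old, new):
        problems.append("trivial variant of previous password")
    return problems

if __name__ == "__main__":
    # Constructed sample transitions, from worst to acceptable.
    for old, new in [
        ("pass.word.1", "pass.word.2"),
        ("Wintertime2023!", "Wintertime2024!"),
        (None, "P@ssw0rd2024"),
        ("Wintertime2023!", "An apple falls because of gravity"),
    ]:
        verdict = check_new_password(old, new) or ["accepted"]
        print(f"{old!r:>20} -> {new!r}: {', '.join(verdict)}")
```

The similarity check is what a history-of-last-N rule never catches: comment 11's `<same old password>01`, `02`, `03` are all "new" to a history list but canonicalise to the same word here. The length floor and blocklist do the work that composition rules and scheduled expiry were supposed to do.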

  12. Daedelous2k on

    2FA should make this less of an issue.

    But changing passwords is just not going to be workable in the long run. People will forget their passwords or just recycle old ones. The only time people really DO change their passwords is if there is news of a compromise.

  13. jackcatalyst on

    That creator Thor actually said this cycle of resets created a consistently easy-to-abuse vulnerability that he was able to expose across multiple different clients.

  14. needathing on

    If your password isn’t compromised, there’s no need to change it.

    If your password is compromised, you shouldn’t wait another 87 days to the expiry to change it.

    Either way, frequency-forced changes don’t help.

  15. Enjoy-the-sauce on

    All that happens is people end up with so many passwords in their password graveyard that they run out of passwords they easily remember and start writing them down somewhere, defeating the whole purpose.

  16. rainysexxy on

    This was a thing for a long time, but the majority of companies simply won’t follow. This is the problem.
