It is for the same reason that credit cards expire - it limits the usefulness of the card (or password) if it gets compromised. If someone steals your password the worry isn't so much that they will lock you out, rather that they will use your account to access systems that are off limits. Maybe they get your password and don't even lock you out, they just use your account to do whatever they want to do (read your e-mail, browse web, whatever.) At some point your password will expire and they will no longer have access (provided they don't change it on you.)
At any rate, password enforcement policies (complexity requirements, expiration, etc) are low hanging fruit. They are effective and very easy to implement. It causes minor inconvenience to end users but the trade-off is worth it.
It's debatable whether expiration policies increase system security. When users are forced to change passwords frequently, they tend to choose passwords that are easier to remember or (worse) write down their passwords. These unintended consequences can actually make security worse than just forcing users to have a complex password that never expires.
http://www.cryptosmith.com/node/218
It's debatable whether expiration policies increase system security. When users are forced to change passwords frequently, they tend to choose passwords that are easier to remember or (worse) write down their passwords. These unintended consequences can actually make security worse than just forcing users to have a complex password that never expires.
http://www.cryptosmith.com/node/218
My work requires me to update my password every quarter and I understand the theory that if someone knows it then when i change it they no longer have access. But in reality is this true. If a hacker or other nefarious person gets it they will lock me out of my account right? They will not just let me change it and shut them out of the system right?
Count me as someone who writes down their pw/increments it by 1 every time a change is required.
At work I have close to 50 different logins. Some expire every 30 days, 60, 90, while others never expire, or are even shared with the rest of the dept. It's a pain.
It can't be THAT hard to make it so everything authenticates to a single point.
IMO what companies should do is have a single point of authentication that is very secure such as two factor authentication, but have that as the ONLY password.
Also forcing to change is more or less useless. Let's say that at this very moment a brute force bot is trying to guess your password. You can change it all you want, but chances are decent whatever you change it to has not been tried yet by the bot. It's a hit/miss. What every authentication system needs is brute force protection. You can have the most secure password in the world, but if there is no brute force protection on the system, a bot will eventually get in.
Setup a Linux server, forward the SSH port to the internet, leave it like that. Use a very basic alpha numeric password for root. Give it 5-10 minutes and it's hacked. Install fail2ban or other brute force protection system, you wont get hacked. Heck, disable root logons, make a user account with a common name, like asmith or something. That account will get hacked within maybe 30 minutes. Brute force is the easiest way to hack, and also the easiest thing to protect from.
I never said they were, I'm just saying, it should be standard. If they want to expire passwords, at least make it so there's only one to remember. Basically, use something like ldap, and don't buy any solution unless it supports ldap. Or do everything in house. there's lot of ways.
People 'suing' due to compromised password bullshit is the reason why companies just follow the painful approach to it's user base. Most of the time the C levels have it easier.
And of course if you are in any type of Network support that matters you can set your password outside the rules FTMFW.[/b\]
My biggest problem is when some site limits me to under 12 characters for my password. Some go 16 which still doesn't work for me.
So then I spend a lot of time doing password resets which just diverts that traffic to unsecure email.
That's a pretty crappy system if it allows an admin to break the password policy. Nobody should be able to "work around" a password policy.
Almost EVERY SINGLE instance of Active Directory in existence does this. The admin can check the box that says "password never expires" on anyone's password. That is circumventing the password policy.
.
It makes sense in some situations, but would be a huge security risk in others. Imagine having to explain to a customer that their sensitive data was stolen because you didn't want to have to remember multiple passwords, so your password was compromised while logging into the VPN and that also gave the attacker access to firewalls, routers, databases, documents, etc.
Almost EVERY SINGLE instance of Active Directory in existence does this. The admin can check the box that says "password never expires" on anyone's password. That is circumventing the password policy.
As for brute force; Resetting passwords IS the way of preventing brute force. It would take a computer EONS just to break the password P@$$word4231, but like was already mentioned, the password would have been changed by the time it would have been cracked by any means, whether it be rainbow charts, birthday attacks, dictionary attacks OR brute force, and be obsolete.
IMO it would be so much easier to use social engineering to gain access to a system rather than trying to gain access through a firewall or VPN solution. I'm trying to get my office to implement a "no tell" policy to prevent this very thing. If we need to work on someones machine we just ask for the password and they give it to us no questions asked. ANYONE could pose as a IT person via phone or even in person, the enterprise is big enough with enough IT contractors coming and going that someone could get access pretty easy with a flippant line like "Hey i need to correct some errors we've been seeing on your machine, give me your password and i'll take care of it later today". person will hand over the password without a second thought.
If a no tell policy was in place where we say NO ONE... not even IT, under ANY circumstances will ever ask for your password... then the same question throws a red flag up to that employee and the imposter should be outed. Sorry, tangent there...
Point is, it isn't completely pointless to change passwords in any case. The human factor is a factor with any security policy.