
When I am forced to rotate an otherwise good password, I swap the suffix to the front of the password

If they have some perverse check to make sure I am not re-using one of my last X passwords, I just rotate in another permutation like A2!



This is the exact reason why NIST, for the better part of a decade now, has strictly recommended against arbitrary password rotations. All it accomplishes is frustration for users with no tangible increase in security (because everyone just increments their password, or follows other simple patterns).

Some research suggests that arbitrary password rotations result in a real-world decrease in security, because as users get frustrated they make simpler and simpler passwords.


I worked in IT at a tech company that had mandatory 90-day password rotations. That place had the highest rate of “password on sticky note” that I’ve ever seen.


On the tenth call to my bank in the same year to reset one of our user passwords, the account rep just volunteered to them the information that "there is an option you can check on an obscure settings page to NOT have the mandatory password rotation, you know".


At a bank back in the Blackberry days they were handed out with Qwerty1 as the default password. Just incrementing the digit would get you into 80%+ of devices in the firm.
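The suffix-to-front, swapped-tag and incremented-digit reworks described in the comments above are exactly what a naive "not one of your last X passwords" check misses. The following is an added example, not code from any of the commenters: a change-time validator that normalises digit runs and case, then rejects a candidate that is a cyclic rotation of, or shares a long common core with, a remembered password. The thresholds (`min_core`, `ratio`) and the sample passwords are constructed assumptions.

```python
import re

def normalize(pw: str) -> str:
    # Case-fold and collapse each digit run to '#', so 'Summer2023!' and
    # 'summer2024!' (the incremented-counter trick) compare as equal.
    return re.sub(r"\d+", "#", pw.lower())

def longest_common_substring(a: str, b: str) -> int:
    # Standard O(len(a) * len(b)) dynamic-programming table, one row at a time.
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def is_trivial_variant(old: str, new: str, min_core: int = 6, ratio: float = 0.75) -> bool:
    """True when `new` is a predictable rework of `old`: equal after
    normalisation, a cyclic rotation (suffix moved to the front), or sharing
    a long common core with only a short tag such as 'A2!' swapped."""
    o, n = normalize(old), normalize(new)
    if o == n:
        return True
    if len(o) == len(n) and n in {o[i:] + o[:i] for i in range(len(o))}:
        return True
    shared = longest_common_substring(o, n)
    return shared >= min_core and shared >= ratio * min(len(o), len(n))

def rejects_history(candidate: str, history: list) -> bool:
    # Reject if the candidate is a trivial variant of ANY remembered password,
    # not merely an exact repeat of one (the check the thread calls perverse).
    return any(is_trivial_variant(old, candidate) for old in history)

if __name__ == "__main__":
    # Constructed sample history and candidates, not real credentials.
    history = ["Correct-Horse7!", "Summer2023!"]
    for cand in ["7!Correct-Horse", "Correct-HorseA2!", "Summer2024!", "plover-kettle-92-Orbit"]:
        print(f"{cand!r}: {'rejected' if rejects_history(cand, history) else 'accepted'}")
```

In practice the history is stored hashed, so a similarity check like this can only be run against plaintext the user supplies at change time (normally the current password), which is one more reason to drop forced rotation in favour of a breached-password blocklist and MFA.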


I worked for a financial company that had 29 day password rotation. One day I accidentally logged in as my colleague. Our user names differed by just one letter so I simply mistyped. It turned out we used the same password scheme to keep up with the rotation and stupid special character requirements.


My memory is that PCI regulations require password rotation every 90 days - also that the minimum password length should be seven characters, not the eight I always answer when quizzed.


PCI DSS 4.0[0] requirement 8.3.9 updates this to 12 characters and only requires rotation if the password is the only factor used for authentication.

[0] https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard...


If I remember correctly they only recommend against password rotation when MFA is in place, which is significantly more important anyway.


Unless there's a rate limit for changing passwords I just rapidly change them X+1 times and arrive back at my original. This only applies to work stuff, which I don't keep in my password manager.


In my experience, changing the password at big corps usually locks you out and requires a call to IT. I had a success rate of about 50% when I had to change passwords. It was the most frustrating thing...

"Oh yeah your password change properly is not synced to all servers yet. Just wait and try again later"

"Oh you tried the new password too many times while it was not synced yet. Your account is now locked. You need a manager approval to unlock your account."
