This practice is not recommended anymore, yet still found in many enterprises.

  • MystikIncarnate
    link
    fedilink
    English
    arrow-up
    6
    ·
    4 months ago

    IMO, password changes were always bs. I’m a tech, and I always disagreed with it.

    Longer, better passwords were always the better option. But try to convince your average worker to memorize a 15+ character password and they’ll tell you where to go.

    Meanwhile… https://xkcd.com/936/

    Today, with MFA… Good MFA, not the SMS bull crap… Password “leaks” or breaches, are effectively a thing of the past.

    Oh, you have my password? You guessed it, or found out leaked on some list? Cool. Good luck guessing the seed for my MFA, in the time it takes me to go change my password, locking you out of my account. MFA failures should be reported to users. Often they’re not.

    Short story: I once had a notice from Twitter about access to my account from a foreign location. Kudos to Twitter, since they recognised the odd behavior and stopped it (this is pre-musk Twitter BTW). I logged in, changed my password using my password manager (the previous password was too simple, from before I had a password manager), then added a FIDO MFA to my account. I tweeted out to whomever was trying to log in to my account, to thank them, as my Twitter account now had better login security than my bank. IDK why banks don’t support MFA beyond sms, but that was the case at the time, and largely, that’s still the case where I am.

    From a security standpoint, I recommend you follow xkcd’s example, generate a long passphrase for yourself, and use it to secure a password manager (and whatever recovery options they have, eg, email), and add MFA to that, and anything else that supports it.

    It’s a pain to do, but honestly, better than waiting to see if someone is going to be able to log in to your stuff when your password is inevitably leaked by someone.