this post was submitted on 06 Dec 2023
151 points (96.9% liked)

[Outdated, please look at pinned post] Casual Conversation

6605 readers
1 users here now

Share a story, ask a question, or start a conversation about (almost) anything you desire. Maybe you'll make some friends in the process.

RULES

Related discussion-focused communities

founded 1 year ago
MODERATORS
Mysterious_Macaxeira@lemmy.world
shinigamiookamiryuu@lemm.ee
Bl4ze@lemmy.world
KaneLivesInDeath@lemmy.world
orangeNgreen@lemmy.world
neidu2@feddit.nl
151
Any company that still insists on forced password resets and frequent changes needs to learn about Social Engineering and Human Factors. (yiffit.net)
submitted 10 months ago by l_b_i@yiffit.net to c/casualconversation@lemmy.world
61 comments fedilink hide all child comments
 

These are the same companies that don't support second factors, only have their app as a second factor, or only SMS second factor. Is it too much to ask for smart card or token (yubikey) support?

you are viewing a single comment's thread
view the rest of the comments
[–] lurch@sh.itjust.works 1 points 10 months ago (1 children)

Well yes, me and the bank employees using a password manager does not stop social engeneering and human factors, but it limits the access of the attacker to the time period of the forced password change. If the attacker changes it, he is found out immediately, because the bank employee loses access. When the password expires the bank employee generates a new random password and the attacker loses access. Of course, using OTP features or a security token is better and narrows the attack window even more.

[–] l_b_i@yiffit.net 0 points 10 months ago (1 children)

I don't think you're following.
First, you are an account holder in my answer not an employee.
Second, the reason its an issue has nothing to do with the actual password or password security. Frequent changes lead to simpler passwords. Someone is likely just to increment a number, so a new password is barley a hindrance if the previous one is compromised. Frequent changes are going to lead to more password resets, service personnel who have to deal with people forgetting passwords due to frequent resets/ changes are more likely to be complacent allowing an attacker to gain access through a reset. For company based passwords, frequent changes and high complexity requirements are more likely to lead to someone writing a password down near where that password is used.

[–] lurch@sh.itjust.works 0 points 10 months ago

No, you're not following. (I assumed I was an account holder in that example, but it's not important.)

Someone is likely just to increment a number, so a new password is barley a hindrance if the previous one is compromised.

Not if they use a password manager and click a button to completely randomize a new password. They do not have to worry they forget it, because they only have to memorize their master password.

KeePass Password Generation Options

Why would someone who was told to hit that button by IT increment a number instead?