topic Re: Users forced to change password? in Peer-Peer Topics

Users forced to change password?

jasoncrcsd — Thu, 19 Oct 2023 11:42:31 GMT

So yesterday we had many many calls from users complaining they were forced to reset their passwords. We have them set to expire at 180 days but its unlikely all of these users happen to have all changed their pwd last 180 days ago. Could something have caused this?

Re: Users forced to change password?

Kim_Nilsson — Thu, 19 Oct 2023 12:05:29 GMT

First the obligatory comment that you should stop doing that. Nobody should change a proper and not compromised password. Ever.

Re: Users forced to change password?

jasoncrcsd — Thu, 19 Oct 2023 12:31:45 GMT

Yes I know I've tried fighting that battle trust me. But I have a boss and... well you all know. I've even sent them the research so they know its not just me saying that.

Re: Users forced to change password?

Dave_Burek — Thu, 19 Oct 2023 12:48:33 GMT

I agree with Kim. But, we run into the same issues with Cyber Insurance and our Financial Auditors requiring it.

Re: Users forced to change password?

jasoncrcsd — Thu, 19 Oct 2023 13:04:19 GMT

Now today I have sub accounts prompting and those accontys do not have a psss exp date. Somethign is wrong in Google but they say nothing

Re: Users forced to change password?

jasoncrcsd — Thu, 19 Oct 2023 13:25:22 GMT

Yea for us too

Re: Users forced to change password?

Kelly_McMahon — Thu, 19 Oct 2023 16:42:12 GMT

Not arguing, but curious why a proper and not-compromised account should not change their password?

Re: Users forced to change password?

MarkLoundy — Thu, 19 Oct 2023 23:10:08 GMT

Kelly,

Probability math. A strong password is just as likely to be brute-forced five minutes after it’s created as it would be after six months. It’s also why lottery, or other gambling numbers are never “due.”

So why needlessly annoy users? It makes them more resistant to valid security requests.

Re: Users forced to change password?

Kim_Nilsson — Fri, 20 Oct 2023 07:51:57 GMT

Because a good password can't be hacked (within reasonable time = hundreds/thousands of years), only leaked (compromised).

That means there is almost no security risk keeping a good password "forever".

Also, when forcing password changes, users keep making their passwords less secure, or have them on a post-it on their desk or directly on the computer. This is what all research shows, and exactly why NIST not only changed their policy, but outright says to avoid forced changes, unless compromised.

Re: Users forced to change password?

Kim_Nilsson — Fri, 20 Oct 2023 07:52:54 GMT

That is where you have to put your foot down. They are wrong, and need to be told so, or they will keep recommending/forcing bad practice forever.

Re: Users forced to change password?

Kim_Nilsson — Fri, 20 Oct 2023 07:53:40 GMT

That is strange, but afaik, you are so far the only one reporting the issue.

Re: Users forced to change password?

jasoncrcsd — Fri, 20 Oct 2023 15:40:36 GMT

Yea it could be. its not really as big an issue as they are making it.

Thanks

Re: Users forced to change password?

alexgrutza — Fri, 20 Oct 2023 18:34:09 GMT

I will say that NIST (if you're in the USA) doesn't even recommend password changes anymore in their guidelines and Microsoft hasn't in at least a decade or more. We've gone away from password changes unless we get notified of compromised accounts. Luckily our insurance as far as I'm aware doesn't have a clause around this.

I'd have to agree and also disagree with Kim because if the Insurance is dictating this, we you have a say. We can suggest things, but at the end of the day it's the Insurance that is going to be paying out based on their contract. It could also be that if you don't comply and change passwords X-days, the premiums may go up substantially which organizations (especially edu/nonprofits) cannot afford.

It's hard enough to find a Cyber Insurance provider as EDU is especially targeted. Our previous Cyber Insurer exited the EDU market completely and dropped all schools because Edu caused them to pay out so much money.

Re: Users forced to change password?

Justin_W — Fri, 20 Oct 2023 19:05:58 GMT

For what it's worth, our Auditors (not Cyber Security Insurance co) were requiring password changes until I took the time to point out to them that it was a dated practice.

I shared some of the resources on new best practices, and the following year they had removed the requirement.

So it may be worth trying if you hadn't.

But yeah, I certainly wouldn't count on getting them to change.

Changing a strong, un-compromised password is bad practice -and may actually increase odds of bad password habits. BUT - the reality is that most places/people still don't realize that their password HAS been compromised until it's too late. So I can still see the logic in just taking the oldschool "hammer" approach.