Recent, frustrating example: My (business) bank uses FISERV software, and their software expires passwords every 90 days. Their software can notify you about a million combinations of account activities and statuses, except this one. It takes 3 values to log in to the account (company ID, username, password). When logging in via mobile app, it never tells you that your password has expired, so I end up trying a few times before I remember it might be an expired password.
Login via web browser, and sure enough it'll tell me my password expired and it's time to change it. They also occasionally enforce 2FA. Passwords are also how you connect things like Quickbooks.
When I called the bank to find out how to get notifications that a password has expired, they said there was no way. "When you change your password, set a calendar event for 60 days ahead..." they told me.
I use a password manager. I have no idea what ANY of my passwords are, as they're very long, very random, etc.
I get your point... but having an expiry that can't generate a notification is really bizarre. And having done enterprise financial software in a previous life (company was actually sold to FISERV, though I never went over), if our customers had been subjected to these conditions, it would have been a massive challenge.
I would think anyone enforcing password expiration would make sure the password is sufficiently (subjective) different from current password. This should be simple to enforce by asking for current password when you are asking for new password. You can perform a text match before computing whatever hash you need to store.
That is certainly how you would do password expiry if you implement it as a true security measure. However, what if you just implement it because you were told 'we need password expiry', either because bosses think it is bad practice or because of regulatory requirements. In that case, you might very well decide to implement 'any difference is fine'. And really, given what we know about password expiry, that is the better approach.
Not having it would be better, but that would be insubordination.
Hmmm, good way to get users to become heated with your customer support. I've implemented this feature and had the CEO of the company come down 15 floors and tell me personally to revert the change for him because it was getting confusing for him to remember passwords. Everyone else in the company also demanded it once wind of this request spread...
This was the middle east, and yes they refused to use password manager programs because they didn't understand them
It is largely agreed that Israel won the Arab-Israeli war because their NCOs on the ground were given much more leeway to make tactical decisions of their own. This was in stark contrast to the top-heavy and often bureaucratic tactical decision making of the Arab League.
Why am I mentioning this? Well, if you are an army leader, and you know that your soldiers in general have an IQ score of around 82; would you let them make their own decisions on the ground? How about if your soldiers were known for having almost 115?
Yeah, sure, how you decide to make your next password may of course be down to culture, and the decision to have a password manager is perhaps too. However at some point a password manager should be a requirement for even signing up to your service, much less becoming an employee, especially if you already know about the prevalent culture.
It's just too difficult to memorize a completely new, randomly generated password every 90 days. People will have to write them down, and then there's a whole new way for them to be compromised.
Not necessarily, you can have the user input the old password when setting up the new one, check it against the old hash and if it matches, do whatever comparisons you need between old and new.
Even if you don't want users' last 10 passwords to be "similar" (by whatever your definition of similar is), you can still hash the similar variants when you hash the original and check them.
I’m not saying whether this is a good idea or not. I haven’t thought through it.
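The change-password flow sketched in the two comments above (verify the current password against its stored hash, then compare old and new in plaintext before the new one is hashed, plus an exact-reuse check against a stored history), written out as an added Python example. This is not code from the thread or from any bank or vendor; the in-memory user store, the PBKDF2 round count, the 0.8 similarity threshold and the "strip trailing digits and punctuation" normalisation are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from difflib import SequenceMatcher

# Constructed in-memory credential store standing in for a real user table:
# username -> {"salt": bytes, "hash": bytes, "history": [(salt, hash), ...]}
USERS: dict = {}
PBKDF2_ROUNDS = 200_000      # assumption: tune for your hardware
HISTORY_LEN = 10             # keep the last 10 hashes for exact-reuse checks
SIMILARITY_THRESHOLD = 0.8   # assumption: SequenceMatcher ratio above this is "too similar"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; any slow password hash (argon2, bcrypt) would do."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(user: str, password: str) -> None:
    """Store a fresh salt+hash and push the previous one onto the bounded history."""
    salt = os.urandom(16)
    record = USERS.setdefault(user, {"history": []})
    if "hash" in record:
        record["history"] = ([(record["salt"], record["hash"])] + record["history"])[:HISTORY_LEN]
    record["salt"], record["hash"] = salt, hash_password(password, salt)


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    record = USERS.get(user)
    if record is None or "hash" not in record:
        return False
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def normalize(password: str) -> str:
    """Lowercase and drop the trailing digits/punctuation people increment,
    so "Winter2023!" and "winter2024" both become "winter"."""
    return password.lower().rstrip(string.digits + string.punctuation)


def too_similar(old: str, new: str) -> bool:
    """Plaintext-to-plaintext comparison. Only possible at change time, because the
    user has just typed the old password and the new one is not hashed yet."""
    n_old, n_new = normalize(old), normalize(new)
    if n_old and n_old == n_new:
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def reused_from_history(user: str, new: str) -> bool:
    """Exact reuse of an older password can still be caught from stored hashes alone."""
    for salt, digest in USERS[user]["history"]:
        if hmac.compare_digest(digest, hash_password(new, salt)):
            return True
    return False


def change_password(user: str, current: str, new: str) -> tuple[bool, str]:
    # 1. Prove possession of the current password against the stored hash.
    if not verify_password(user, current):
        return False, "current password incorrect"
    # 2. Compare old and new in plaintext before the new one is hashed.
    if too_similar(current, new):
        return False, "new password too similar to current password"
    # 3. Reject exact reuse of anything still in the stored history.
    if reused_from_history(user, new):
        return False, "new password was used recently"
    set_password(user, new)
    return True, "password changed"


if __name__ == "__main__":
    set_password("alice", "Winter2023!")
    print(change_password("alice", "Winter2023!", "Winter2024!"))                  # rejected: similar
    print(change_password("alice", "Winter2023!", "correct horse battery staple")) # accepted
    print(change_password("alice", "correct horse battery staple", "Winter2023!")) # rejected: in history
```

Two design points worth noting. The similarity check works only against the one password the server has in plaintext at that moment, the current one; anything older can only be tested for exact reuse via its stored hash. And the alternative of hashing predictable variants of each password at set time, so similarity to older passwords can be checked later, hands the same shortcut to anyone who steals the table, since those variant hashes are exactly what an attacker would otherwise have to compute themselves.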
Yep. I think I can recall exactly one corporate network that prevented password(n+1) combinations. Most don’t and as a result my corp passwords have historically not been great.
> When I called the bank to find out how to get notifications that a password has expired, they said there was no way. "When you change your password, set a calendar event for 60 days ahead..." they told me
This is a very good reason to change bank. That unacceptable answer would certainly induce me to rage quit the service, whatever the inconvenience.
Possibly, but... have you gone into a bank and asked if you could test drive all web and mobile apps for some period of time to make sure everything was up to snuff?
FISERV is a dominant player in this space. Either this situation is a matter of configuration/settings, or a limitation of their software.
I have no idea that a different bank would have better systems, and it's a Really Big Deal to move business banking.