On Mon, Dec 6, 2021 at 8:59 AM Kurt Seifried <k...@seifried.org> wrote:
> I think it's not an OBSOLETE issue, it's an active change in policy due to 
> further research and knowledge.
> A great parallel is "3DES is good. USE 3DES!" which was a GREAT policy in 
> 1998. It has since been retired and its use has been banned by NIST after 
> 2023 
> (https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA).
> Why is the password aging issue any different? In fact, it's pretty much 
> identical, NIST said this was a good idea, further research/technology 
> movement happened and we learned it was a bad idea. So bad in fact it should 
> probably be banned.
> Also, the ONE positive aspect of rotating passwords, which is an attacker 
> gets a password, uses it, and this effectively locks them out, means your 
> controls are so weak that:
> 1) you can't detect an attacker in the system and you basically have to hope 
> they get locked out after 30/60/90/whatever days because of password rotation
> 2) your users are choosing bad passwords and/or exposing them somehow 
> (phishing?) which means your access controls are basically doomed to fail at 
> some point anyways
> and password rotation effectively covers this up and prevents real movement 
> forwards.



Reply via email to