One of our systems at work doesn’t let you use the past thirteen passwords! Plus monthly password changes. Guess who’s got a generic password that has an ever increasing number at the end of it…
Pretty much everyone, which is why NIST no longer recommends automatic password expiry.
This is what password managers are nice for. I only know like two of my passwords all across the internet.
I’m pretty sure most people do when faced with a situation like that
If it were 12, I’d say use the month, but 13…
Lousy Smarch weather
Lunar calendar
Lunar calendars also have 12 months but each is shorter and so the year is shorter. Some have a leap month but that doesn’t help either. Sure, you can iterate through these names but that doesn’t help you to remember the current one. The idea of using months is that you know in which month you are right now.
FWIW: these types of password rules are discouraged by NIST -
- Eliminate Periodic Resets
Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user’s password will soon be locked out. However, frequent password changes can actually make security worse.
It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).
So if an attacker already knows a user’s previous password, it won’t be difficult to crack the new one. The NIST guidelines state that periodic password-change requirements should be removed for this reason.
They also recommend implementing 2FA, but not OTP or TOTP as they are now considered not secure enough. Use 2FA that is FIDO2 compliant such as biometrics or fobs like Yubikey.
How is a TOTP not secure? It’s a random string that changes every 30 seconds. I mean shit, I am LOOKING at it, and sometimes fail a login because I run out of time.
The attack vector is as follows:
- Evil.com phishes a user and asks for username and password for Good.com
- Evil.com immediately relays those credentials to Good.com
- Good.com asks Evil.com for TOTP
- Evil.com asks victim for TOTP
- Evil.com relays TOTP to Good.com and does a complete account takeover
The various physical dongles prevent this by using the asking domain as part of the hash. If you activated the dongle on Evil.com, it’ll do nothing on Good.com (except hopefully alerting the SOC at Good.com about a compromised username and password pair).
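The difference the comment above is describing can be shown in code. The following is an added example, not code from the thread or from any of the products named in it: a minimal RFC 6238 TOTP verifier next to a simplified WebAuthn-style assertion check, both run through the relay scenario listed in the comment. The HMAC used as the "signature" stands in for the per-site public-key signature a real authenticator produces, so the example needs only the Python standard library; the domains, keys and challenge are constructed for the demo.

```python
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238) --------------------------------------------------------
# The code depends only on the shared secret and the current time. Nothing in
# it records *where* the user typed it, which is why a code collected on one
# site can be forwarded unchanged to another.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The verifier has no input that could say which origin this code was entered on.
    return hmac.compare_digest(code, totp(secret, unix_time))


# ---- Origin-bound assertion (WebAuthn-style, simplified) -------------------
# In real WebAuthn the browser writes the origin into clientDataJSON and the
# authenticator signs over its hash (plus the RP ID hash) with a per-site
# private key. Here an HMAC under a per-credential key stands in for that
# signature; the property shown (the origin is inside the signed message) is the same.

def make_assertion(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def verify_assertion(cred_key: bytes, assertion: dict,
                     expected_challenge: bytes, expected_origin: str) -> tuple:
    """Relying-party check. Returns (accepted, reason); the reason is what a
    real server would hand to its logging so the SOC can see relayed attempts."""
    try:
        data = json.loads(assertion["client_data"])
    except (KeyError, ValueError):
        return False, "malformed client data"
    expected_sig = hmac.new(cred_key, assertion["client_data"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion.get("sig", "")):
        return False, "bad signature"           # client data was altered after signing
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"         # signed on a site that is not us
    if data.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"      # replay or wrong login session
    return True, "ok"


def compare_relay_resistance() -> dict:
    """Run both schemes through the relay described in the thread and report
    what the legitimate server (good.example) decides. All secrets, keys,
    domains and the challenge are constructed for this example."""
    now = 1_700_000_000
    totp_secret = b"12345678901234567890"       # RFC 6238 reference secret
    cred_key = b"constructed-per-credential-key"
    challenge = bytes.fromhex("0badc0ffee00")   # issued by good.example for this login

    # TOTP: a code read off the app and typed on the wrong site still verifies
    # when forwarded, because nothing ties it to a site.
    code_typed_on_wrong_site = totp(totp_secret, now)
    totp_relay_accepted = verify_totp(totp_secret, code_typed_on_wrong_site, now)

    # Origin-bound: the authenticator was activated on evil.example, so the
    # signed client data names evil.example and good.example rejects it.
    assertion = make_assertion(cred_key, challenge, "https://evil.example")
    relayed = verify_assertion(cred_key, assertion, challenge, "https://good.example")

    # Rewriting the origin field to look legitimate breaks the signature instead.
    tampered = dict(assertion)
    tampered["client_data"] = assertion["client_data"].replace(b"evil", b"good")
    rewritten = verify_assertion(cred_key, tampered, challenge, "https://good.example")

    # The honest login on the right site, for comparison.
    honest = make_assertion(cred_key, challenge, "https://good.example")
    legit = verify_assertion(cred_key, honest, challenge, "https://good.example")

    return {
        "totp_relay_accepted": totp_relay_accepted,   # True
        "fido_relay": relayed,                        # (False, "origin mismatch")
        "fido_rewritten_origin": rewritten,           # (False, "bad signature")
        "fido_legit": legit,                          # (True, "ok")
    }
```

The "origin mismatch" branch is the place to raise the alert the comment mentions: the server has just seen a valid user with a valid authenticator produce an assertion for somebody else's domain, which is strong evidence that the username and password have already been phished.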
Yes, never made much sense to me either.
Spotify won’t let you use a password you’ve used in the past at all so now I don’t even know what my password for it has evolved into and I just reset my password and type something random in every time I need to log in lmao
That’s basically just 2FA with extra steps (•_•)
Why you click “Forgot my password” and they email it to you.
Security lvl > 9000
Might be you got your password scrambled after a compromised account: it denies attackers the opportunity to use your compromised password.
Why does this happen though? I always wondered why it is that a platform recognises your old password only when you are trying to change it.
If there were a data breach where a hacker could figure out the encryption algorithm, you don’t want users to reuse an older password because those older passwords could’ve already been cracked.
By the way, this is why you should also never use the same password for every site. If one of your passwords is leaked and linked to a similar username or email, everything is vulnerable. I’ve had this happen before (the Target breach). After that I started using SSO exclusively, with a random 16 char password manager if SSO isn’t an option (crossing my fingers that bitwarden doesn’t get hacked like LastPass)
I understand when you are prompted to change, but not when you aren’t. As I mentioned in another comment I remember Epic basically trolling me into resetting my password almost daily at some point
There could be many reasons they don’t prompt you to change: they meant to send an email but your notification preferences disallowed it, they sent an email and you missed it, they wanted to keep it quiet, they forgot to add the message and ux flow to change password, or they’re incompetent and didn’t know they needed to do that.
The Epic thing I’ve never seen before but that’s definitely incompetence and/or a very weird bug that just slipped past them.
Microscopic trolls inside the internet tubes. I think that’s the technical term.
Because it runs the hash again on the new password and checks it against the old one; if it matches the old one you are told to change it, as you used the old password again.
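Concretely, a password-history check looks like the following. This is an added illustration, not code from the thread or from any site mentioned in it; it uses PBKDF2 from the standard library, a 13-entry history to match the number in the first comment, and constructed sample passwords. Because each stored hash has its own salt, the candidate password has to be re-hashed once per remembered entry, which is also why the server can only detect an exact repeat and not "the old password with the counter bumped".

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 13      # retired passwords remembered (the thread's "past thirteen")
ITERATIONS = 10_000     # PBKDF2 work factor kept low so the demo runs quickly; production uses far more


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; identical inputs give an identical digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordRecord:
    """Per-account store: the live (salt, digest) plus a bounded history of retired ones."""

    def __init__(self, initial_password: str):
        self.current = self._new_entry(initial_password)
        self.history = deque(maxlen=HISTORY_DEPTH)   # newest retired entry first

    @staticmethod
    def _new_entry(password: str) -> tuple:
        salt = os.urandom(16)                        # fresh salt for every stored hash
        return salt, derive(password, salt)

    def verify(self, candidate: str) -> bool:
        """Normal login check: the current hash only, never the history."""
        salt, digest = self.current
        return hmac.compare_digest(derive(candidate, salt), digest)

    def was_used_recently(self, candidate: str) -> bool:
        """The history check. Every entry carries its own salt, so the candidate
        is re-derived once per entry; a single fresh hash compared against the
        stored digests would never match anything."""
        for salt, digest in (self.current, *self.history):
            if hmac.compare_digest(derive(candidate, salt), digest):
                return True
        return False

    def change(self, candidate: str) -> bool:
        """Rotate to `candidate` unless it repeats a remembered hash.
        Returns True on success, False when the reuse rule rejects it."""
        if self.was_used_recently(candidate):
            return False
        self.history.appendleft(self.current)        # the oldest entry falls off the right end
        self.current = self._new_entry(candidate)
        return True


def demo() -> dict:
    """Walk one account through 14 rotations and report what the check catches.
    The passwords are constructed sample values."""
    rec = PasswordRecord("Winter2024!1")
    for n in range(2, 16):                           # rotate to !2 ... !15
        assert rec.change(f"Winter2024!{n}")
    return {
        "login_with_current": rec.verify("Winter2024!15"),     # True
        "exact_reuse_blocked": rec.change("Winter2024!15"),     # False: matches the live hash
        "recent_reuse_blocked": rec.change("Winter2024!2"),     # False: still inside the 13-deep history
        "oldest_forgotten": rec.change("Winter2024!1"),         # True: !1 aged out, so it is accepted again
        "increment_passes": rec.change("Winter2024!16"),        # True: hashes hide similarity, only exact repeats are caught
    }
```

The last two results are the practical lesson behind the NIST guidance quoted earlier in the thread: the history rule blocks only exact repeats, so a user who bumps a trailing number sails through, while the oldest password quietly becomes reusable once it drops off the end of the history.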
Yes yes but I don’t mean when I’m told to change one. I mean when I’m trying to login as usual, password doesn’t work, so I change it. Just to test if the password I was using was wrong, that’s what I use first, and it’s rejected.
I remember Epic would do this on a DAILY basis at some point last year. It was so irritating. “Ah yes the brand new password from yesterday that worked yesterday but that we didn’t recognise on the login page today? Well we do recognise it here on the reset, joke’s on you!”
I always find these types of posts frustrating. Apart from your desktop password, a password manager solves a lot of these issues. Just make the password manager super secure, use 2fa and then auto generate all other passwords.
just make the password manager super secure
Remember when everyone said LastPass was that manager?
There are self-hosted options with strong encryption. My BitWarden vault is just as secure as if my laptop were stolen. Argon2id to secure the key for AES256 encryption.
I have to use what my work says 🤷♂️
The issue the post is about applies to password managers too.
I forgot my KeePass password