Today I had a conversation with several club members about passwords. The most recent NIST recommendations say that forcing users to change their passwords on a schedule is not good practice (in other words, new evidence has shown that what we thought was good practice is not actually good practice).
The idea behind rotating passwords was that if a hash, the irreversible value a database stores in place of the password, is ever stolen, a 90-day rotation window would expire the password before an attacker finished brute-forcing it. The 90 days was never a measured cracking time, though. How long a stolen hash holds up depends on the hashing algorithm and on how guessable the password is: a weak password hashed with a fast, unsalted algorithm falls in minutes on a GPU, while a long random one hashed with a slow, salted algorithm may never fall. It is true that changing even one letter produces a completely different hash (the hashes of ‘password’ and ‘Password’ share nothing recognizable), but an attacker who has already cracked the old password will try exactly those single-character variants first, so the new hash being different buys very little.
NIST now says that forced rotation leads to people choosing weaker, predictable passwords, writing them down on paper, or worse, keeping them in plaintext on their phone or stored in a browser. But, to me, this is a human habit error, something I have made a bit of a habit of studying. In order for policy changes to truly be effective, your habits must change somewhat. Though, as one club member pointed out to me, not requiring password changes but instead requiring a 30-character password made up of easily remembered words could be just as good, because the time it would take to crack that hash without knowing compromising information about the person would be longer than any human has ever lived.
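To put numbers on the two points above (a one-letter change gives a completely different hash but is still trivially guessable from the old password, and a long passphrase of ordinary words out-lasts a short complex password), here is an added worked example. It is not code from the original post; the guess rates, the 7776-word dictionary size and the passwords used are assumptions chosen for illustration.

```python
import hashlib
import math

# Constructed sample inputs (assumed for illustration, not from the post).
OLD_PASSWORD = "password"
NEW_PASSWORD = "Password"

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed guess rates: a GPU rig against a fast unsalted hash (MD5/SHA-1
# class) versus the same rig against a deliberately slow hash (bcrypt class).
FAST_HASH_GUESSES_PER_SEC = 1e11
SLOW_HASH_GUESSES_PER_SEC = 1e5


def sha256_hex(secret: str) -> str:
    """Hex digest of the UTF-8 encoded secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def differing_bits(a: str, b: str) -> int:
    """How many of the 256 digest bits differ between SHA-256(a) and SHA-256(b).
    For unrelated inputs this is about half (128); a one-letter change is enough."""
    da = hashlib.sha256(a.encode("utf-8")).digest()
    db = hashlib.sha256(b.encode("utf-8")).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def mangle(old: str) -> set[str]:
    """Cracker-style rule mutations of a password that is already known.
    This is why 'change one letter' rotation does not help once the old
    password has leaked: the new one is inside this tiny candidate set."""
    candidates = {old, old.capitalize(), old.swapcase(), old.upper(), old[::-1]}
    for digit in "0123456789":
        candidates.add(old + digit)
        candidates.add(old.capitalize() + digit)
    for suffix in ("!", "1!", "123"):
        candidates.add(old + suffix)
        candidates.add(old.capitalize() + suffix)
    return candidates


def bits_of_entropy(choices: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at the given guess rate.
    Assumes uniformly random selection; real human choices are far weaker."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies() -> dict:
    """8 random printable-ASCII characters (95 choices each) versus
    5 random words from an assumed 7776-word list (about 30 characters)."""
    short_bits = bits_of_entropy(95, 8)
    phrase_bits = bits_of_entropy(7776, 5)
    return {
        "short_bits": short_bits,
        "phrase_bits": phrase_bits,
        "short_years_fast_hash": years_to_exhaust(short_bits, FAST_HASH_GUESSES_PER_SEC),
        "phrase_years_fast_hash": years_to_exhaust(phrase_bits, FAST_HASH_GUESSES_PER_SEC),
        "phrase_years_slow_hash": years_to_exhaust(phrase_bits, SLOW_HASH_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    print(OLD_PASSWORD, sha256_hex(OLD_PASSWORD))
    print(NEW_PASSWORD, sha256_hex(NEW_PASSWORD))
    print("differing digest bits:", differing_bits(OLD_PASSWORD, NEW_PASSWORD))
    print("new password guessed from old? ", NEW_PASSWORD in mangle(OLD_PASSWORD))
    for name, value in compare_policies().items():
        print(f"{name}: {value:,.3f}")
```

The comparison is deliberately worst-case for the attacker (uniformly random choices, whole keyspace searched). Even so, the 8-character password falls within a day against a fast hash, the 5-word passphrase takes years against the same hash, and the passphrase combined with a slow hash moves into millions of years. Whether the club member's "longer than any human has ever lived" holds depends on the hash and the guess rate, which is the caveat the rotation debate usually skips.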
It’s interesting, mostly because it highlights how slowly updated guidance reaches everyone and how often the details get garbled along the way. I remember a few years ago everyone freaked because a big vulnerability was found in PGP for emails. The vulnerability was actually in the email client plugins that handled encryption and decryption, but many reports incorrectly stated that it was in PGP itself, which was made worse by one article arguing the vulnerability doesn’t matter because you “shouldn’t be using PGP anyway.” It is true that PGP will never be the end-all be-all; it stands for Pretty Good Privacy, not Ultimate Good Privacy. If the threat actor is a nation state, you are probably gonna need something else.
I know of plenty of organizations that have these types of rotating password policies in place, and I can see why they have them. But, as that one club member pointed out, the worst misconception about passwords is that they have to be a WORD. They can be a phrase too, and a phrase is honestly probably more secure against a simple hash-stealing attack, since every added word multiplies the number of guesses an attacker has to make.