
Is blocking the last 20 passwords a bad thing? I agree the other stuff is bad, but to me, that part doesn't seem bad.



Forced password updates are a bad thing.

If your company does forced password updates, they are not following the NIST recommendation: https://pages.nist.gov/800-63-FAQ/#q-b05

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach.


The company I work for had a ransomware issue, so they got more zealous about security.

They require us to change our passwords every 45 days now. When I pointed out the NIST recommendations of not rotating passwords, they say they are following the guidance of the response team that helped them recover from the ransomware. And that the NIST doesn't actually deal with the real world.


If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach

This is a stretch. Liable? Please show the case law, or the legislation.

(My statement has no relevance to the validity of NIST's recommendations)


Not directly. However NIST is admissible in court and so if someone sues there is now evidence that they should have known better.


Anything is admissible in court, the judge merely has to allow it.

There are 1000s of such organizations, and many conflict with each other.

My point is, it's inaccurate to say you are liable for not following NIST. I could easily say you could be liable, for not following me.

Does that make it so? No.


NIST SP 800-63B is informative, not normative. It codifies existing industry-standard best-practice, but is not in itself law. However, not following best-practices may be argued as negligence if it leads to a breach or decrease in shareholder value.


Internal password resets are a bad thing. It has its place in document sharing/collaboration platforms not connected to AD as an additional layer of revoking access when people leave a company.


It leads to less security as it is more likely that the new password will just be an old one with an incremented number at the end.


And unless there is a minimum password age some people will just change it 20 times and then back to the same password.


The worst part is it actually leads users to boasting about how they 'beat the system', essentially telling their coworkers what their pattern is, making the password easier to guess.


I have long felt that organizations that require password rotation for employees should, when the users are changing their passwords, record and post the old password to an internal site (without any identification of the user) for educational (and mockery) purposes.


That will help attackers. People often make passwords similar to their old passwords. A machine learning model could be trained on this list.


Most people and I keep our login passwords written on paper in our desk because of this stupid practice. Can't use previous passwords and new password every 90 days. This is on top of 2FA.


Are you saying that "old one + number" is less secure than "old one"? That doesn't sound right.


Even if this rule technically seems benign, together with the forced change it encourages users to game the system leading to predictable patterns, eg adding a rotating letter or digit combo at the end of a same password.


Is that worse than the password without the rotating letter/digit?


In combination with forced changes, it leads to…

Password1

Password2

Password3

Etc


The one I see that stays updatable is:

PasswordFebruary2024!

Where month and year update on the date of forced password change.
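The "old password with an incremented number" and "PasswordMonthYear!" patterns described in the comments above are exactly what a plain "not one of your last 20 passwords" rule does not catch, and a history that can be flushed by changing the password 20 times in a row is the other gap mentioned. The following is an added example, not code from this thread or from any product: a last-20 history check in its plain exact-match form, then extended with a comparison on a normalised stem (trailing digits, symbols and month names stripped) and a minimum password age. The 20-entry depth, the 24-hour minimum age, the suffix rule and the salted SHA-256 are assumptions for illustration; a real system would store history entries with a slow hash such as bcrypt or argon2.

```python
"""Added example (not from the thread): a "last N passwords" history check,
first as the plain exact-match rule, then with a normalised-stem comparison
that also rejects Password1 -> Password2 and PasswordFebruary2024! style
changes, plus a minimum password age so the history cannot be cycled out.
All policy values and the normalisation rule are assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HISTORY_DEPTH = 20            # assumed policy: remember the last 20 passwords
MIN_AGE_SECONDS = 24 * 3600   # assumed policy: at most one change per day

MONTHS = ("january|february|march|april|may|june|july|august|september|"
          "october|november|december")
# A trailing run of digits, common symbols and/or month names is treated as the
# "rotating" part that users bump on each forced change.
ROTATING_TAIL = re.compile(rf"(?:{MONTHS}|[0-9]|[!@#$%^&*?._-])+$", re.IGNORECASE)


def canonical(pw: str) -> str:
    """Stable stem of a password: lowercase, rotating tail removed.
    canonical("Password7") == canonical("PasswordFebruary2024!") == "password"."""
    return ROTATING_TAIL.sub("", pw).lower()


def _digest(pw: str, salt: bytes) -> str:
    # Salted SHA-256 keeps the example dependency-free; use a slow hash in practice.
    return hashlib.sha256(salt + pw.encode("utf-8")).hexdigest()


@dataclass
class Account:
    # newest entry last: (salt, hash of full password, hash of canonical stem)
    history: List[Tuple[bytes, str, str]] = field(default_factory=list)
    changed_at: Optional[float] = None


def check_new_password(acct: Account, candidate: str, now: float,
                       strict: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason). strict=False is the plain exact-match rule only."""
    if acct.changed_at is not None and now - acct.changed_at < MIN_AGE_SECONDS:
        return False, "minimum password age not reached"
    recent = acct.history[-HISTORY_DEPTH:]
    for salt, full_h, _ in recent:
        if hmac.compare_digest(_digest(candidate, salt), full_h):
            return False, "identical to one of the last %d passwords" % HISTORY_DEPTH
    if strict:
        stem = canonical(candidate)
        for salt, _, stem_h in recent:
            if hmac.compare_digest(_digest(stem, salt), stem_h):
                return False, "differs from a recent password only by a rotating suffix"
    return True, "ok"


def change_password(acct: Account, new_pw: str, now: float,
                    strict: bool = True) -> Tuple[bool, str]:
    """Apply the check and, if it passes, record the new password in the history."""
    ok, reason = check_new_password(acct, new_pw, now, strict)
    if ok:
        salt = os.urandom(16)
        acct.history.append((salt, _digest(new_pw, salt), _digest(canonical(new_pw), salt)))
        del acct.history[:-HISTORY_DEPTH]   # keep only the last HISTORY_DEPTH entries
        acct.changed_at = now
    return ok, reason


if __name__ == "__main__":
    day = 24 * 3600
    acct = Account()
    print(change_password(acct, "Password1", now=0))
    # The plain rule accepts the incremented variant; the stem rule rejects it.
    print(check_new_password(acct, "Password2", now=day + 1, strict=False))
    print(check_new_password(acct, "Password2", now=day + 1))
    print(check_new_password(acct, "PasswordFebruary2024!", now=day + 1))
    print(check_new_password(acct, "correct horse battery staple", now=day + 1))
```

Note the trade-off the stem comparison introduces: storing a hash of the shorter canonical stem gives anyone who steals the history table an easier target than the full password hashes, which is the same concern raised above about publishing old passwords. Whether that is acceptable depends on how the history store is protected; the cleaner fix the thread points at is to stop forcing rotation and let the exact-match history rule do its narrow job.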


Oh, that's a good one. <runs off to update corporate logins>


ITYM

hunter3

hunter4

hunter5


I'm closing in on password100... It is the only sane thing to do, a good password is hard to memorize. (passphrases are much better, but hard to type correctly first thing in the morning and take too long when I need to type my password a dozen times a day)


Is that worse than

Password1

Password1

Password1

Etc?


I mean it's great for 99% of your passwords and pretty much forces people into using randomized generated passwords.. but I still have to remember at least ONE password by heart. Whether it's 32 characters or 16 or what not, I still need SOME way to get into my password manager to even get to my passwords. So what, I'm going to make my password tacokissies69 and.. what, add a 0 every 6 months so I pass the 20 password minimum?

So a hacker can infer that my password is tacokissies69000 of some sort..


I'm not really sure how this problem is related to banning using identical passwords as past passwords.





