
Monitor use of old passwords

Posted Aug 25, 2021 15:53 UTC (Wed) by rgmoore (✭ supporter ✭, #75)
In reply to: Monitor use of old passwords by kowallis
Parent article: Adding a "duress" password with PAM Duress

I'm not sure how useful a "warn on old password use" process would be. My employer requires me to change my password every 90 days or so, and I regularly forget I changed and try logging in with the old one at least once before I drill the new password into my muscle memory. Any system that looks for old password use is going to have to take that kind of false positive into account, and my guess is that it's going to be far more common than an actual attacker using an old password.


Monitor use of old passwords

Posted Aug 25, 2021 16:49 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (4 responses)

If your employer cares, you can point to the latest NIST documents which clearly state that password rotation is not recommended for security due to the need to continually make (what end up being bad) passwords all the time. Specifically[1], this paragraph in NIST 800-63-3B §5.1.1.2:

> Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

[1] https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver

Monitor use of old passwords

Posted Aug 25, 2021 18:10 UTC (Wed) by rgmoore (✭ supporter ✭, #75) [Link]

> If your employer cares

I think we've hit the root cause of my problems right here. My employer, like so many others, seems to operate on a combination of hunches and out of date information when deciding this kind of security policy. It's odd, because for remote connections - including accessing email remotely - they've adopted an app-based 2FA that seems like it's much more in step with modern security recommendations. They could add a whole lot more security by going to 2FA for all logins than with all their security theater around passwords.

Monitor use of old passwords

Posted Aug 26, 2021 5:55 UTC (Thu) by tyler569 (subscriber, #137973) [Link] (2 responses)

The problem with this is that companies don't usually have to follow the NIST guidelines, but do have to follow other requirements that are not as sensible. The current PCI-DSS states[1] for example (§ 8.2.4)

> Change user passwords/passphrases at least once every 90 days.

There isn't a lot of room for negotiation there, and so I have to change my password every 90 days. My hope is that organizations like PCI pick up on the new NIST guidance before long.

[1] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3...

Monitor use of old passwords

Posted Aug 26, 2021 20:14 UTC (Thu) by amacater (subscriber, #790) [Link]

And the UK's NCSC - https://www.ncsc.gov.uk/collection/passwords/updating-you... [for system owners] and a simpler what three words approach for home users - https://www.ncsc.gov.uk/blog-post/three-random-words-or-t...

Monitor use of old passwords

Posted Aug 29, 2021 8:10 UTC (Sun) by nilsmeyer (guest, #122604) [Link]

This quickly puts you in a situation where you have to comply with rules that are mutually exclusive.

Monitor use of old passwords

Posted Sep 20, 2021 16:20 UTC (Mon) by kowallis (subscriber, #140201) [Link]

I agree that using the previous password will be a common error of legitimate users. I think however that use of passwords older than that would always indicate compromise. This could be so much more important to log on an ssh server, for instance, than simply having a message in a log that an incorrect password attempt was blocked. Regardless of how an attempted intruder obtained an old password, the attempted use of a password older than the current or previous one should be a red flag for the organization.
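The tiered approach described in this thread (a match against the immediately previous password is treated as the everyday slip rgmoore describes, anything older is treated as the red flag kowallis wants logged), as an added example that is not part of the discussion or of PAM Duress. The PasswordHistory class, the PBKDF2 parameters and the severity labels are my own assumptions; the classification is only ever written to the log, never returned to the client, so the history does not become an oracle.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed parameters: iteration count kept modest so the history scan stays cheap.
PBKDF2_ITERATIONS = 100_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

@dataclass
class PasswordHistory:
    """Per-user history of (salt, digest) pairs, newest first: index 0 is the
    current password, 1 the previous one, 2 and beyond are older rotations."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)
    max_len: int = 5

    def set_password(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, _hash(password, salt)))
        del self.entries[self.max_len:]  # forget rotations beyond max_len

    def classify_attempt(self, password: str) -> str:
        """Return "current", "previous", "stale" (older than previous) or "unknown"."""
        for age, (salt, digest) in enumerate(self.entries):
            if hmac.compare_digest(_hash(password, salt), digest):
                if age == 0:
                    return "current"
                if age == 1:
                    return "previous"
                return "stale"
        return "unknown"

# Assumed severity mapping: a previous-password slip is a notice, an older one an alert.
SEVERITY = {"unknown": "info", "previous": "notice", "stale": "alert"}

def audit_login(user: str, history: PasswordHistory, password: str) -> Tuple[bool, Optional[str]]:
    """Authenticate and produce the log line (if any). Only the boolean goes back
    to the client; the classification stays server-side in the log message."""
    kind = history.classify_attempt(password)
    if kind == "current":
        return True, None
    return False, f"{SEVERITY[kind]}: failed login for {user}: {kind} password supplied"
```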


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds