good-bye rotating passwords
the journal of Michael Werneburg
twenty-seven years and one million words
There is new guidance for US government agencies and anybody else who is beholden to the NIST regime regarding password rules. I am very pleased that this is happening, as we've been doing a lot of crazy crap for many years. Like password rotation every three months: this almost willfully reduces security by having people cycle through some set of passwords so they can remember where they are. E.g. you start the job, so you choose a password involving your home state. Then, when it's rotation time, you choose the state where you went to university. Then the one where you were born. Soon you're trying to remember which of the square states you're on, and then, when pressed, you try your home state again and it accepts it. This is BS!