Two recent studies, a keynote speech and official advice from US and UK government agencies are pushing for non-expiring passwords. Given the stupid number of passwords I need to remember to do things at work (I'm sure this isn't uncommon) this can't come too soon...
Comments
I've now got at least two different passwords that expire every 30 days; it gets unmanageable to remember them all.
Good shout! The bossman and I prefer 2 factor on everything.
I currently have (counts list) 17 passwords on 30-60 day expiry on internal systems, and another 23 on 45-day expiry on external systems for work.
Long story short, I have a spreadsheet to manage them, which probably defeats any attempt at security. I definitely use the "transformation" process as described in the article. I am also responsible for generating passwords for one system, and the password depends on who it is for (they are one-time passwords which are reset as soon as they log in):
Someone I like : random 6-letter word with 2 digits appended
Someone I don't like : 24-character alpha-numeric (with symbols and upper/lower case) random string, sent to them as an image (no cut-and-paste for you!)
Someone I really don't like : Something along the lines of "FuckwitsForgetPasswords"
I'm the same (can't claim to have as many as Pete though!), I don't use the transformation scheme in the article but the passwords I use are often linked by theme, and are not particularly strong to be honest. I have been tempted by the spreadsheet approach.
What I really don't get is that having password expiry must increase the calls/emails/work for the people doing password resets. I'm pretty sure that if someone did a case study or two there would be a compelling case for removing it on that front alone...
Two factor is definitely the way to go. Identity checking/authorisation can depend on three things: what the user knows, what the user has and what the user is. A system isn't really secure unless it depends on more than one of these. The first is the traditional password, the second is covered by one-time code generating two factor devices or apps (or something like a card reader for your work pass, although the unchanging nature of this makes it weak) and the third is biometrics. Two factor devices plus passwords are winning at the moment, if only because storing biometric databases of your employees is just a tad big brother.
That said, I suspect given the proliferation of biometric sign-ins for phones (one factor again! not very secure) the general unacceptability of your employer having your fingerprints on file is being eroded.
The best argument against large scale, casual use of biometrics is the consequences when the first mass leak of information is released. It's easy to change your password, it's not easy to change your fingerprints...