Periodic password changes and other ill-advised password policies

The main ones (h/t Bruce Schneier):

  • Periodic password changes addressed a problem on shared Unix minis in the late 1970s; they do not address today's threats.
  • Complexity rules are pointless, since the main risks are phishing and reuse, not guessing.
  • Password managers help a lot; web sites that try to prevent their use are, ah, sadly misguided.
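The difference between a composition-rule check and a check that targets reuse is easiest to see side by side. The following Python is an added example written for this note (not from the page or its references): a legacy "8+ characters, three of four character classes" rule next to a length-plus-blocklist rule in the spirit of the linked advice. The breached-password set and the sample passwords are constructed for illustration; a real deployment would screen against a large corpus of known-compromised passwords, which is an assumption beyond what the note states.

```python
"""Legacy composition rules versus a length-plus-blocklist policy.

Added example, not code from the page. BREACHED_SAMPLE is a constructed
stand-in for a real breached-password corpus.
"""
import re
import unicodedata

# Constructed sample of widely reused passwords. A real deployment would load
# a large breached-password list here (assumption for this example).
BREACHED_SAMPLE = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1", "qwerty123",
    "welcome1", "welcome2024!", "summer2023!", "letmein",
}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def legacy_complexity_ok(pw: str) -> bool:
    """The classic rule: at least 8 characters drawn from 3 of 4 classes.

    This accepts "Welcome2024!" (reused everywhere) and rejects a long
    all-lowercase passphrase, which is the wrong way round.
    """
    classes = sum(bool(re.search(pattern, pw)) for pattern in CHARACTER_CLASSES)
    return len(pw) >= 8 and classes >= 3


def normalize(pw: str) -> str:
    """Fold case and Unicode forms so trivial variants still hit the blocklist."""
    return unicodedata.normalize("NFKC", pw).casefold()


def modern_policy_ok(pw: str, breached: set[str] = BREACHED_SAMPLE,
                     min_len: int = 12, max_len: int = 128) -> tuple[bool, str]:
    """Length bounds plus a known-breached screen; no composition rules.

    Returns (accepted, reason). The reason lets the UI tell the user why a
    candidate was rejected without revealing anything about other accounts.
    """
    if normalize(pw) in breached:
        return False, "known-breached"
    if not (min_len <= len(pw) <= max_len):
        return False, "length"
    if len(set(pw)) <= 2:  # e.g. "aaaaaaaaaaaa" or "abababababab"
        return False, "repetitive"
    return True, "ok"


def compare(candidates: list[str]) -> dict[str, tuple[bool, tuple[bool, str]]]:
    """Run both checks over a list and return {password: (legacy, modern)}."""
    return {pw: (legacy_complexity_ok(pw), modern_policy_ok(pw)) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates: a reused "complex" password, a passphrase,
    # a repetitive string and a short one.
    for pw, (legacy, modern) in compare([
        "Welcome2024!",
        "correct horse battery staple",
        "aaaaaaaaaaaaa",
        "short",
    ]).items():
        print(f"{pw!r:32} legacy={legacy!s:5} modern={modern}")
```

The legacy rule passes the reused password and fails the passphrase; the blocklist rule does the reverse, which is the practical point behind the second bullet above.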

References

https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118

https://www.cerias.purdue.edu/site/blog/post/password-change-myths/

https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die