this post was submitted on 19 Jul 2024
178 points (98.4% liked)

Asklemmy

[–] some_guy@lemmy.sdf.org 40 points 3 months ago

We make users change their passwords every 90 days, and log them out of their devices once a week. I don't think this adds any security at all. It just reduces productivity (IMO).

[–] Godort@lemm.ee 40 points 3 months ago* (last edited 3 months ago)

Not only does password rotation not add to security, it actually reduces it.

Assuming a perfect world where users are using long, randomly generated, strong passwords, it's a good idea and can increase security. However, humans are involved, and it just means users change their passwords from "Charlie1" to "Charlie2", which makes their passwords even easier to guess. Especially if you know how often the passwords change and roughly when someone was hired.

Ideally, your users just use a password manager and don't know any of their credentials except for the one to access that password manager.

If they need to manually type them in, password length should be prioritized over almost any other condition. A full sentence makes a great unique password with tons of entropy that is easy to remember and hard to guess.
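
The two points in the comment above, shown in code as an added example (this is not code from the thread or from any of the posters): a rotation filter that flags a new password trivially derived from the old one (the "Charlie1" to "Charlie2" pattern), and a rough entropy comparison showing why length wins over complexity rules. The sample passwords, the 7776-word Diceware list size, and the assumed 10,000-entry name dictionary used to model "name plus a digit" are illustrative assumptions, not data from the thread.

```python
"""Rotation-pattern check and entropy comparison (added example, not from the thread).

Sample passwords below are constructed for illustration.
"""
import math
import re

# Split a password into a "stem" and a trailing run of digits/symbols, the part
# users typically bump at each forced rotation ("Charlie1" -> "Charlie2").
_SUFFIX = re.compile(r"^(?P<stem>.*?)(?P<tail>[0-9!@#$%^&*]*)$")


def _stem(pw: str) -> str:
    return _SUFFIX.match(pw).group("stem").lower()


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough for password-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with only its numeric/symbol suffix changed,
    a case-only change, or at most one character edited.

    A policy that forces rotation but accepts such changes gains nothing: an
    attacker holding the old password recovers the new one in a few guesses.
    """
    if old == new:
        return True
    if _stem(old) and _stem(old) == _stem(new):
        return True
    return _levenshtein(old.lower(), new.lower()) <= 1


def charset_size(pw: str) -> int:
    """Size of the alphabet a password visibly draws from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII symbols
    return size


def random_string_bits(pw: str) -> float:
    """Upper bound: bits if every character were uniformly random over its charset.
    Real passwords like 'Charlie1' are far below this bound."""
    return len(pw) * math.log2(charset_size(pw))


def name_plus_digit_bits(dictionary_size: int = 10_000, digits: int = 1) -> float:
    """What a dictionary-aware guesser sees in 'Charlie1': one word from an assumed
    10,000-entry name list plus one digit. dictionary_size is an assumption."""
    return math.log2(dictionary_size) + digits * math.log2(10)


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Bits for `words` words chosen uniformly from a list of `dictionary_size`
    (7776 is the standard Diceware list). Assumes genuinely random word choice."""
    return words * math.log2(dictionary_size)


def compare() -> dict:
    """Entropy estimates side by side, rounded to one decimal."""
    return {
        "Charlie1 (uniform-random bound)": round(random_string_bits("Charlie1"), 1),
        "Charlie1 (name + digit model)": round(name_plus_digit_bits(), 1),
        "5-word Diceware passphrase": round(passphrase_bits(5), 1),
    }


if __name__ == "__main__":
    for old, new in [("Charlie1", "Charlie2"), ("Summer2024!", "Summer2025!"),
                     ("Charlie1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: trivial rotation = {is_trivial_rotation(old, new)}")
    for label, bits in compare().items():
        print(f"{label}: {bits} bits")
```

The rotation check is the kind of filter an identity provider can run when a user submits a new password, comparing against the hash-verified old one at change time. The entropy figures make the comment's argument concrete: even the generous uniform-random bound for an 8-character mixed password is well under a five-word passphrase, and a realistic guessing model for "name plus digit" is lower still.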

[–] slazer2au@lemmy.world 4 points 3 months ago

SSO with passwordless is the ideal world.

YubiKey or similar phishing-resistant MFA with biometrics is the goal, but smartphone number matching is a pretty good