
This 100%.

I have a complicated google password - I use it nowhere else. I have a security key. In 12 years I've NEVER had to change my google account password AND I have not been hacked. This works well. Because google is resistant to brute force I don't even bother adding tons of weird special characters.

I worked at a govt-related agency. They had to change passwords every 30 days and there was a dual password requirement (one to log in to the VPN, the next for the app). Result?

  - Many folks used a shared account with a public password emailed out every 30 days so everyone else did not have to deal with all the hassles of the password expiration dance. It was also super hard to onboard anyone new (ie, 3-4 months for staff with 12 month projects). This account ended up posted next to every computer.
The idea that making security so user unfriendly will make folks like and use security is a ridiculous approach.

  - Rate limit attempts: block after 4 tries for an hour, after 8 tries until a reset.
  - Screen against password lists.
  - Screen out other obviously bad passwords (ie, too short etc).
  - Allow hardware 2FA BUT allow staff to validate a computer.

This alone gets you a ton of mileage.
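The lockout and screening rules the commenter lists, worked through as an added example (this is not code from the original post): a small login gate that blocks an account for an hour after 4 failed attempts, locks it until an administrator reset after 8, and rejects new passwords that are too short or appear on a breach list. The breach list, the 12-character minimum, the account name and the fake clock are assumptions made here for illustration; the 4/8/one-hour thresholds are the post's numbers.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Thresholds from the post; MIN_LENGTH is an assumed value.
LOCK_AFTER = 4            # failures before a temporary lock
LOCK_SECONDS = 60 * 60    # temporary lock duration (one hour)
HARD_LOCK_AFTER = 8       # failures before locking until an admin reset
MIN_LENGTH = 12

# Constructed stand-in for a real breached-password list (e.g. a Pwned Passwords export).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1",
                      "correcthorsebatterystaple"}

# Deliberately low so the example runs quickly; raise it (or use Argon2) in production.
PBKDF2_ROUNDS = 100_000


def screen_password(candidate: str) -> list[str]:
    """Return policy violations for a proposed password; empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if candidate.lower() in BREACHED_PASSWORDS:
        problems.append("breached")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or reset
    locked_until: float = 0.0  # epoch seconds; 0 means no temporary lock
    needs_reset: bool = False  # set once failures reach HARD_LOCK_AFTER


class FakeClock:
    """Injectable clock so lock expiry can be exercised without sleeping (assumed helper)."""
    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginGate:
    def __init__(self, now=time.time) -> None:
        self._now = now
        self._creds: dict[str, tuple[bytes, bytes]] = {}
        self._state: dict[str, AccountState] = {}
        # Dummy credential so unknown users cost the same hashing time as real ones.
        self._dummy = hash_password(os.urandom(16).hex())

    def register(self, user: str, password: str) -> None:
        problems = screen_password(password)
        if problems:
            raise ValueError(f"rejected password: {problems}")
        self._creds[user] = hash_password(password)

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied', 'locked' or 'locked_until_reset'."""
        st = self._state.setdefault(user, AccountState())
        now = self._now()
        if st.needs_reset:
            return "locked_until_reset"
        if now < st.locked_until:
            return "locked"               # refused without counting against the user
        salt, stored = self._creds.get(user, self._dummy)
        _, candidate = hash_password(password, salt)
        if user in self._creds and hmac.compare_digest(candidate, stored):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= HARD_LOCK_AFTER:
            st.needs_reset = True
            return "locked_until_reset"
        if st.failures % LOCK_AFTER == 0:
            st.locked_until = now + LOCK_SECONDS
            return "locked"
        return "denied"

    def admin_reset(self, user: str) -> None:
        self._state[user] = AccountState()


def demo() -> list[str]:
    """Walk one account through both lock tiers; returns the outcome of each attempt."""
    clock = FakeClock(1_000_000.0)
    gate = LoginGate(now=clock.now)
    good = "Tr0ub4dor&3-long-enough"      # constructed sample password
    gate.register("alice", good)
    out = [gate.attempt("alice", "wrong") for _ in range(5)]   # denied x3, locked, locked
    clock.advance(LOCK_SECONDS + 1)
    out.append(gate.attempt("alice", good))                    # ok: lock expired, counter reset
    out += [gate.attempt("alice", "wrong") for _ in range(4)]  # denied x3, locked
    clock.advance(LOCK_SECONDS + 1)
    out += [gate.attempt("alice", "wrong") for _ in range(4)]  # denied x3, then hard lock
    out.append(gate.attempt("alice", good))                    # correct password, still locked
    gate.admin_reset("alice")
    out.append(gate.attempt("alice", good))                    # ok after reset
    return out


if __name__ == "__main__":
    print(demo())
```

Note that attempts made while an account is temporarily locked are refused without incrementing the counter, so an attacker cannot push a user into the hard lock faster by hammering during the hour; the failure counter only resets on a successful login or an admin reset, which is what makes the 8-try ceiling bite even when the attacker spaces attempts across lock windows.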



So much this.

If you make your security policies into a problem for your people trying to do their work, they'll find ways to work around it.

That either means 1) your policies are misplaced and you need to relax them, or 2) you need to fire everybody who creatively works around them.

If your adversary is Mossad, option 2 is the right one. If your adversary is not-Mossad, you can almost certainly have a security policy that people won't feel the need to work around.

There are, of course, shades of grey below "Mossad adversaries", but in my opinion at the upper end of that you have policies that include providing every employee with a good password manager, TOTP apps/devices, and/or USB 2FA keys - and choosing services which integrate properly with them.

"Change your password every X days" is an admission that you're going to leak passwords somehow, and that you only care about your data/systems enough to close the attack window down to X days. Which means you're screwed before you start, and may as well just turn everything off now.



