Reality is that a password expiration policy quite often leads to password simplification (e.g., having an incremented number in the password, post its on the screen,
...).
I'd prefer 2FA and (allowing / encouraging) longer / stronger passwords over change policies.
At one of my previous employers the default password set by the help desk was [company_name]@123. They did a password audit and a full third of the employees had a variation of this password for their real password. It's not Google, but if it were, passwords were things like: google@321, google@456, etc.
I prefer these methods as well, but password simplification is a user choice, not a causal effect. Any secure password generator and vault, keyfobs and various other methods are great ways to compensate for a password that expires every so often. While I'm not entirely in line with the idea of "forced" password expiration, it's often the only way to ensure that the end user actually updates their password regularly. There are definitely better ways than raw expiration. Why not present the user with a screen that basically says "hey, your password hasn't been changed in __ time, you'll need to fix that now to access the system" when they log in after the set time period?
> password simplification is a user choice, not a causal effect
The two are not mutually exclusive. If you require users to change passwords regularly, and also make sure the new password is sufficiently different from the last one (like, most characters must be different or something), guess what the users are likely to choose of their own so called free will.
And I'm not even speaking of how you must store a password to be able to tell that a new password is sufficiently different from all the old ones. (Hint: probably plaintext.)
> […] "forced" password expiration [is] often the only way to ensure that the end user actually updates their password regularly.
That does not work. I have defeated it in my last gig with this simple method:
And I will do it again, because a complex password that never changes is much more secure than random crap that I will have to simplify just so I can remember it. Also good luck trying to defeat my strategy (or similar strategies) without storing more than a hash of the password, properly generated with a memory hard function like Argon2.
> Also good luck trying to defeat my strategy (or similar strategies) without storing more than a hash of the password
Enter Old Password: Complicatedpassword1
Enter New Password: Complicatedpassword2
Sorry, your new password is too similar to your old password.
(Passwords are still stored and verified using hashing, but with a form like this, your most recent and new passwords are available in plaintext for comparison when you make the change.)
And if that fails, they win. Clearly they don't care about security, so I'll use a weaker password. And I will note it on a post-it and keep it in my wallet.
> it's often the only way to ensure that the end user actually updates their password regularly
It is fair to point out that the relevance of this is dependent on your attack model. If you suspect someone is trying to crack your password then just a longer password is fine. If you suspect a leak then you actually need to change/update password.
This is largely true, but we also exist in a day and age where computing clusters can fire off billions of guesses per second. Anything less than 16 digits takes a questionably small amount of time in comparison, when paired with some of the more advanced attack vectors.
This is the wrong argument here. With regards to brute force attacks changing password is only relevant if the attack time is comparable to the password turnover. If it takes one week to crack a simple password but you only change it every six month then you have ~1/24 chance to actually increase the attack time.
2FA is the solution. That way the password is only to protect against someone who physically has access to your keyfob (nosey coworker, thief, etc). Thinking of passwords as the solution to protect against sophisticated actors is the mistake.
I'd prefer 2FA and (allowing / encouraging) longer / stronger passwords over change policies.