whetracking.blogg.se

One time password square enix changing password








By itself, the rule of only allowing one password change per day adds no security. But it often comes in addition to another rule that says that the new password must be different from the n (generally 2 or 3) previous ones.

The one change per day rule is an attempt to avoid this trivial perversion:

- a user has to change his password because it has reached its time limit.
- he repeats the change immediately the number of saved passwords minus one.
- he changes it immediately back to the original one => hurrah, still the same password, which is clearly what the first rule was trying to prevent.

OK, the rule could be that changing the password many times in one single day does not roll the last passwords list. But unfortunately the former is built in to many systems while the latter is not. Said differently, it is just one attempt to force non-cooperative users to change their password in a timely manner.

Just a trivial probabilistic analysis, after comments saying that allowing users to never change their password is not a security problem. Say you have a rather serious user and that the risk for his password to be compromised in one day is 1%. Assuming about 20 work days a month, the risk of being compromised in a quarter is about 50% (1 - (1 - 1/100)^60). And after one year (200 work days) we reach 87%! OK, 1% may be high, so just start at 0.1% per day, only one in 1000, pretty negligible, isn't it? But after 1 year (200 work days) the risk of being compromised is almost 20% (18% to be honest). If it is the password for holiday photos I would not care, but for something more important it does matter.

It means that what is essential is to educate users and have them accept the rules, because we all know that rules can easily be bypassed, and that if a user does not agree with them he will not be cooperative. But asking users to regularly change their password is a basic security rule, because passwords can be compromised without the user noticing, and the only mitigation is to change the (likely compromised) password. Let's add a real example of why this can be a good security improvement.
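The interaction between the password history rule and the one-change-per-day rule can be checked with a small model. This is an added example, not code from the original page or from any real system: the `Account` class, its parameter names, the dates and the passwords are all constructed for illustration, and the history is assumed to count the current password among the remembered ones.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

def _digest(password, salt):
    # Salted, slow hash: the history must not hold plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical account store enforcing history and minimum-age rules."""

    def __init__(self, password, now, remembered=3, min_age=timedelta(days=1)):
        self.remembered = remembered  # passwords kept, current one included
        self.min_age = min_age        # timedelta(0) turns the daily limit off
        self.history = []             # (salt, digest) pairs, newest last
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-self.remembered:]
        self.last_change = now

    def change(self, new_password, now):
        """Apply both rules; return (accepted, reason)."""
        if now - self.last_change < self.min_age:
            return False, "minimum password age not reached"
        for salt, digest in self.history:
            if hmac.compare_digest(digest, _digest(new_password, salt)):
                return False, "password found in history"
        self._store(new_password, now)
        return True, "changed"

def cycle_back(account, original, start):
    """Replay the user behaviour from the text: rapid throwaway changes,
    then an attempt to restore the original password."""
    now = start
    for i in range(account.remembered):
        now += timedelta(minutes=1)
        account.change(f"throwaway-{i}", now)
    return account.change(original, now + timedelta(minutes=1))

if __name__ == "__main__":
    created = datetime(2024, 1, 1)        # constructed dates and passwords
    expiry = created + timedelta(days=90)
    for min_age in (timedelta(0), timedelta(days=1)):
        acct = Account("Summer2024!", created, min_age=min_age)
        print(min_age, cycle_back(acct, "Summer2024!", expiry))
```

With the minimum age disabled the original password is accepted again within minutes; with a one-day minimum age the expiry-driven change goes through, the rapid follow-up changes are refused, and the original password stays blocked by the history.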









