I have been bitching about this for ages. Time to rethink mandatory
password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Use a *different* password at every site (domain). Not some
transformation of the same password but a completely different one.
Use a *different* password at every host (unless it's a workstation on a
domain and you want to reuse your user profile from the PDC).
You could use software but then have to trust someone else with your
passwords, unless they are locally encrypted using a passphrase you
choose (but then you have to remember the passphrase). I prefer to use
an algorithm that I can remember, so I don't need to install the
software (not an option if a host is not your property) everywhere I go.
Always use strong passwords. Not something stupid, like in the Comcast
commercial where the parents tell their kid to set "YouMustStillVisitUs"
as their password.
Don't save passwords in software (e.g., web browsers) other than on the
hosts to which only you have physical access.
Use a different password for the system (BIOS) and OS login. When using
a system password, lock the case.
Don't bother with an automatic expiration of passwords configured in the
OS. That encourages users to create new passwords that are similar to
their old passwords, or to use simple passwords that they can remember.
If someone leaves a company, the sysadmin should be disabling their
account, not rely on eventual expiration of that employee's password.
Forcing users to keep changing passwords not only provokes them into
using simple and memorable passwords that are more easily hacked but
also prods them into leaving cheatsheets around with a list of their
passwords. Walk around to see how many employees have recorded their
passwords on a sticky note stuck to the bottom of their keyboard or the
side of a desk drawer that can be seen when the drawer is opened.
Expiration of passwords also impacts productivity. A user cannot log in
to do their work. A presentation is interrupted because the orator has to
create a new password (that they may not remember, having had to do it in
a hurry and on the fly) to continue the presentation. If the lock on your
shed shows no signs of tampering, do you change the lock every month?
If the ex-employee was logging into the domain, the sysadmin disables
the roaming profile on the PDC. If the ex-employee has local admin
privileges on a workstation, the sysadmin will have to physically visit
that ex-employee's workstation to log in using the sysadmin's
admin-level account to disable the ex-employee's admin-level accounts.
Social engineering still works. Some sites will require users to enter
a CAPTCHA string before a visitor can see some content they want (e.g.,
porn sites where visitors will jump through hoops to see the porn).
These CAPTCHA images are grabbed from other sites and then presented to
the visitor of the porn site. They use the intelligence of their
visitors to break the CAPTCHAs at other sites. CAPTCHAs that are merely
arithmetic strings are stupid as those can be simply copied (from the
display or from the web page code) and then pasted into a calculator
app. Many CAPTCHAs have audio playback. Well, you know from
calling some call center that they use software that can recognize what
you say instead of relying on you pressing buttons on the phone.
CAPTCHAs aren't secure. They were never meant to be a form of security.
They are to differentiate between humans and bots. Using CAPTCHAs for
logins is a nuisance to the user, interrupting a login so the user thinks
there is added security. Any site can use a login that logarithmically
increases the interval between retries, making it take unbearably long,
especially for computers trying to hack, to perform multiple retries.
https://www.sitepoint.com/captcha-are-not-a-security-measure/
Also, no matter how long the bit length of a passphrase is or how
convoluted the hashing algorithm, you're relying on chance that a hacker
doesn't get your password. They could succeed on the very first attempt
even when using random strings. That's how probability works.
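The retry-interval idea from the CAPTCHA discussion above, written out as an added example (my code, not anything posted in this thread). It assumes a server-side login path in Python, stores passwords as salted PBKDF2-HMAC-SHA256 hashes, and implements the growing interval as a per-account delay that doubles after every consecutive failure up to a cap (the doubling schedule is my choice, as is the cap). A throttled attempt is refused before the stored hash is touched, so it costs the server nothing and tells the attacker nothing. The account "alice" and her password are constructed test data. `attacker_cost` simulates an attacker guessing as fast as the guard permits and returns how many seconds have elapsed by the time the n-th guess is actually evaluated.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # illustrative value; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class BackoffLoginGuard:
    """Per-account login throttle. After the n-th consecutive failure the
    next attempt is refused until base_delay * 2**(n-1) seconds have passed
    (capped at max_delay). Refused attempts are not checked at all, so they
    neither burn CPU on PBKDF2 nor change the failure count."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 base_delay: float = 1.0, max_delay: float = 900.0):
        self.users = users
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures: Dict[str, int] = {}
        self._not_before: Dict[str, float] = {}
        # Dummy credential so unknown accounts cost the same time as real ones
        # (avoids a timing oracle for username enumeration).
        self._dummy = hash_password(os.urandom(16).hex())

    def delay_after(self, failures: int) -> float:
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, account: str, password: str, now: float) -> Tuple[str, float]:
        """Returns (outcome, seconds_to_wait). outcome is 'ok', 'throttled' or 'failed'."""
        remaining = self._not_before.get(account, 0.0) - now
        if remaining > 0:
            return "throttled", remaining
        salt, digest = self.users.get(account, self._dummy)
        if verify_password(password, salt, digest) and account in self.users:
            self._failures.pop(account, None)
            self._not_before.pop(account, None)
            return "ok", 0.0
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        self._not_before[account] = now + self.delay_after(n)
        return "failed", self.delay_after(n)


def attacker_cost(guard: BackoffLoginGuard, account: str, guesses: int) -> float:
    """Simulate an attacker submitting wrong guesses as fast as the guard allows.
    Returns the (simulated) second at which the guesses-th guess was evaluated."""
    now = 0.0
    last_evaluated = 0.0
    for _ in range(guesses):
        last_evaluated = now
        _, wait = guard.attempt(account, "not-the-password", now)  # constructed wrong guess
        now += wait
    return last_evaluated


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed test user
    guard = BackoffLoginGuard(users)
    print(guard.attempt("alice", "wrong", 0.0))       # ('failed', 1.0)
    print(guard.attempt("alice", "correct horse battery staple", 0.5))  # ('throttled', 0.5)
    print(guard.attempt("alice", "correct horse battery staple", 1.0))  # ('ok', 0.0)
    print(attacker_cost(BackoffLoginGuard(users), "alice", 20))  # 9123.0 seconds for 20 guesses
```

One caveat a practitioner will want: a purely per-account throttle lets anyone lock a victim out just by submitting wrong passwords for that account, so in practice the delay is keyed on the source address or session as well as the account, or combined with other signals, rather than used alone.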