https://xkcd.com/2869

Alt text:

Why couldn’t the amulet have been hidden by Aunt Alice, who understands modern key exchange algorithms?

  • @LwL
    English
    3
    1 year ago

    Yes, password expiry is generally considered bad practice and should only be triggered on demand if there’s suspicion of a security breach, precisely because it’s much more likely to lead to simple, less secure passwords. And when users change it, they will probably just add a number or something anyway, so it’s not going to stop a determined attacker from finding the new pw regardless.

    Which doesn’t stop a ton of organizations from requiring it anyway.