Unless you are REAL stupid levels of lucky to have one of the mandatory password changes the day after a compromise that you werent aware of, all mandatory regular password changes do is make people use less secure passwords.
Technically it reduces the window for a successful brute force.
That said, it comes with serious drawbacks. Mainly making them impossible to memorize, so then users end up just writing them on post-its and putting them on their monitor. Or other equally dumb things.
“Security theatre” is what I’ve named the contact in my work phone for the call center I have to call every time I accidentally use the “one time password” more than once (because god forbid they implement proper SSO, meaning I have to do a shotgun login run every morning). When I call them all I tell them is my name and that my account is locked.They click a button and we’re back. Complete waste of time on everyone’s part.
I never understood the purpose of this.
Unless you are REAL stupid levels of lucky to have one of the mandatory password changes the day after a compromise that you werent aware of, all mandatory regular password changes do is make people use less secure passwords.
Technically it reduces the window for a successful brute force.
That said, it comes with serious drawbacks. Mainly making them impossible to memorize, so then users end up just writing them on post-its and putting them on their monitor. Or other equally dumb things.
There’s no purpose. It’s 100% security theatre.
“Security theatre” is what I’ve named the contact in my work phone for the call center I have to call every time I accidentally use the “one time password” more than once (because god forbid they implement proper SSO, meaning I have to do a shotgun login run every morning). When I call them all I tell them is my name and that my account is locked.They click a button and we’re back. Complete waste of time on everyone’s part.