Expiring Password

The expiring password is a real annoyance. I've gotten to where I've used all my "favorite" passwords that I use for most of my accounts. Yes, yes, I know that in a perfect world we'd all use a unique password for every online account, but let's be real -- most people aren't doing that.

And I know it's impossible to argue for a "lower" level of security such as permanent non-expiring passwords, but consider this: I have several online BANKING accounts at very large national banks and one with a very well-known investment firm. Neither of them, nor any of my online utility billing accounts, or ANY of my other "financial" accounts, including several CREDIT CARD accounts, has ever expired my passwords.

Again I realize any argument for "less" security cannot be won. But let's look at what happens in reality: I go through all my memorable passwords and start using random passwords that I can't remember. You might say, "that's better if they're unique and random," but here's what really happens. I start using passwords that are random and I can't remember them, so I now have to write them down or store them on my PC in a document so I can look them up. That makes them LESS secure. Or, I constantly have to ask for a password reset or reminder, in which case my current password or the reset password has to be sent to me in a clear-text email -- also insecure. So I'm not sure requiring password changes and not allowing reuse of passwords is that much more secure. It's certainly less convenient.

You could argue that with our money on the line, it's required to maintain an acceptable level of security. But I would argue in 15 years of online bank and billing accounts accessed online with non-expiring passwords, I've never had an account hacked. I think there's a level of reasonableness at which you don't need to go to extraordinary measures. If you're going to say that expiring passwords are absolutely required for acceptable security, I'd argue that if that's true, then why stop there? You need to go even further. Never send a password reminder or password reset via email, add personal image verification to the login page to thwart phishing of login pages, etc. We can take this to the Nth degree. But if major national banks, investment firms, and major national credit card companies don't require it, my guess is they're probably doing some pretty reasonable security analysis with professional security analysts and have found that non-expiring passwords are not posing a significant risk of account hacking.

If you still don't agree with this, then at least give the vendors an option as to whether we want our passwords to expire. That way, those who feel this is absolutely necessary for acceptable security can use it. Those who feel that SSL pages with a user ID and password are acceptable on their own can opt to not use it.

Anyway, just my two cents on this annoying requirement.

Interesting point of view

We would definitely like to hear from other Plimus platform users on this. Just to clarify: the comments relate to the administration system, not the community.

Yes, I am referring to the

Yes, I am referring to the vendor admin section. I would really hate to think you're expiring passwords on the community section as well -- it's really not needed here.

Also, please consider that removing the expiration feature or making it optional doesn't stop vendors from changing their password every day if they really like that level of security. My guess is that for those who want the extra protection, they're already changing their passwords without needing to be forced.

Really annoying and nonsense

I agree. The expiring password feature is really annoying and imho nonsense in this context.
Good to defeat brute force attacks, but because a web interface is used, this type of attack is not feasible and can be effectively prevented with other techniques, probably already in use by the login system.
The usual way a hacker can get access to this type of HTTPS interface password is by using phishing techniques, or from saved password lists (after a system invasion), and all this is the user's responsibility.
Expiring the password will be effective only if the hacker has the bad luck of trying to access just after the user changed the password :-)
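As an added illustration of the "other techniques" the post above says a login system already uses, here is a small login throttle with exponential backoff, written for this edit; it is example code, not part of the thread or of the Plimus admin system, and the attempt counts, delays and the "victim-account" key are constructed values. It also simulates how many online guesses the policy permits per day, which is the reason the post gives for considering online brute force infeasible.

```python
from __future__ import annotations
from collections import defaultdict


class LoginThrottle:
    """Tracks failed logins per key (account name or client address) and
    imposes an exponentially growing wait after a few free attempts.
    Times are plain seconds so the logic can be simulated offline."""

    def __init__(self, free_attempts: int = 3, base_delay: float = 1.0,
                 max_delay: float = 900.0) -> None:
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures: dict[str, int] = defaultdict(int)
        self.locked_until: dict[str, float] = defaultdict(float)

    def check(self, key: str, now: float) -> tuple[bool, float]:
        """Return (allowed, seconds_to_wait) for an attempt at time `now`."""
        wait = self.locked_until[key] - now
        if wait > 0:
            return False, wait
        return True, 0.0

    def record(self, key: str, success: bool, now: float) -> None:
        """Update counters after an attempt. Call this for unknown account
        names too, so response timing does not reveal which names exist."""
        if success:
            self.failures[key] = 0
            self.locked_until[key] = 0.0
            return
        self.failures[key] += 1
        over = self.failures[key] - self.free_attempts
        if over > 0:
            # 4th failure waits base_delay, 5th doubles it, and so on, capped.
            delay = min(self.max_delay, self.base_delay * 2 ** (over - 1))
            self.locked_until[key] = now + delay


def guesses_possible(window_seconds: float, **throttle_kwargs) -> int:
    """Simulate a guesser who tries as fast as the throttle permits and
    count how many guesses fit in the window (constructed key name)."""
    throttle = LoginThrottle(**throttle_kwargs)
    now, guesses = 0.0, 0
    while now < window_seconds:
        allowed, wait = throttle.check("victim-account", now)
        if not allowed:
            now += wait
            continue
        throttle.record("victim-account", success=False, now=now)
        guesses += 1
    return guesses


if __name__ == "__main__":
    print("guesses per day under default policy:", guesses_possible(24 * 3600))
```

Key the throttle twice in practice, once by account name and once by client address, so that a single source cannot spread its attempts across many accounts; with the defaults above a single account allows on the order of a hundred guesses per day, which is why the expiry interval has almost no bearing on this attack class.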

indeed annoying

I don't get this feature. Is it a security measure? Just regularly spam a reminder for vendors to change passwords. DON'T force them to do it.
I really had some problems with password changing in recent years. A couple of times the system was refusing to accept either the new or the old password.
It definitely should be removed.

Password Security

Here's a quote from the Federal Reserve about online banking password security:

"Passwords or personal identification numbers (PINs) should be used when accessing an account online. Your password should be unique to you and you should change it regularly. Do not use birthdates or other numbers or words that may be easy for others to guess. Be careful who you give your password to. For example, if you use a financial company that requires your passwords in order to gather your financial data from various sources, make sure you learn about the company's privacy and security practices."

The full document can be accessed here: www.newyorkfed.org/education/addpub/safeinternet.pdf
In the very unlikely event that a password is intercepted or an account hacked, our belief is that any insurance or indemnity claim will be aided if Plimus can demonstrate on our client's behalf that a high level of care was taken in terms of password administration.
Let's play as safe as we can, even if that means a small level of discomfort every few months.

There's a lot of money at stake. Here's a quote from a random article on the subject:

"The average loss per case from online banking fraud is about $30,000, according to the Federal Deposit Insurance Corp. In just three months of 2007, hackers stole nearly $16 million from U.S. residents."
Source: AARP.org

Derek, Plimus

I understand...

I understand your point. I just guess that several major national banks and investment firms don't. ;-)

Additionally, the article suggests that *customers* change their passwords. *Forcing* them to do it is another story.

I do understand your liability. But my guess is that national banks and investment firms probably have a little more on the line when it comes to security liability.

Finally, if liability is the primary issue, then we could extrapolate the necessary restrictions ad nauseam. For example, why not add requirements such as no valid dictionary words (I've seen this before!), must have letters and numbers, must be at least 12 characters long (longer is better with passwords, right?), add personal image verification to the login page to avoid phishing attempts...

The point is, there needs to be a reasonableness test, and as I mentioned earlier -- and I think most would agree -- after we use up our favorite passwords, people will start using password1, password2, etc. Ultimately much less secure than not changing your password, ever.

Like I said, it's easy to find lots of docs that say lowering security requirements is bad. Everyone agrees. It's a question of where you stop and what's reasonable. Why not provide an option to the vendor as to how many days until expiration. Then if the vendor sets it to 99999, you can always use that info against him in court if his account gets hacked and he sues. ;-)

PS: The AARP article referencing the loss amounts for online hacking is impressive, but it's technically irrelevant to this discussion. We all know bank accounts are hacked every day. The article fails to specify how many of those events would have been avoided specifically by customers changing their passwords more frequently.

Additionally, while the article mentions choosing a "better" password (restrictions Plimus currently DOESN'T implement) such as requiring upper/lower case and mixing in letters, numbers, and symbols, it ironically doesn't mention changing your password frequently.

Ditto

Adding password strength rules, forcing the user to define a more secure password, is the only thing needed.

Periodically bothering users to change passwords will not increase security, and it's not because it is written somewhere that we believe it's true.

But Plimus can add a reminder, telling the user he has been using the same password for some time and that it would be better if he changed it. He can just ignore it, or accept the advice.

I agree that forcing me to

I agree that forcing me to come up with new passwords every now and again is quite a bother. I really will be unable to remember the passwords at some point.
I agree that Plimus should remind us to change our passwords, but leave the choice (and risk) to me. At the very least, I should be able to recycle my passwords if I want.

In fact, this complaint is one of the reasons I joined this forum today :-)

I agree

I agree with the general consensus here. I'm not opposed to forcing the password change as long as we're allowed to use previous passwords.

Also, it would be nice if we didn't have to log in each time and a "remember me" option was provided. As I recall, the login form used to remember the Username, which was at least something.
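The "Ditto" post proposes strength rules plus an ignorable age reminder instead of forced expiry, an earlier post predicts that forced rotation degenerates into password1, password2, and the last post asks that reuse against history be decided at change time. The following password-change routine, added here as example code (not from the thread or the Plimus admin system), puts those three pieces together: a strength check, a hashed history for reuse, and a "trailing digit bumped" detector that works because the user presents the old password in clear when changing it. The word list, the 12-character and three-class rules, the 90-day reminder and all account values are constructed placeholders.

```python
from __future__ import annotations
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "plimus"}


def strength_problems(pw: str, min_len: int = 12) -> list[str]:
    """Strength rules checked at change time; empty list means the
    candidate passes. Thresholds are illustrative, not a recommendation."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
                  if re.search(pat, pw))
    if classes < 3:
        problems.append("fewer than three character classes")
    if re.sub(r"\d+$", "", pw).lower() in COMMON_WORDS:
        problems.append("dictionary word plus optional trailing digits")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # One salt per account keeps history entries comparable; a production
    # store would keep a salt per entry and rehash the candidate against each.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    history: list[bytes]      # hashes of past passwords, current one last
    changed_at: datetime


def new_account(initial_pw: str, changed_at: datetime, salt: bytes) -> Account:
    return Account(salt, [_hash(initial_pw, salt)], changed_at)


def looks_like_increment(old_pw: str, new_pw: str) -> bool:
    """Catch the 'password1 -> password2' pattern: same text once trailing
    digits are removed and case is ignored."""
    def base(s: str) -> str:
        return re.sub(r"\d+$", "", s).lower()
    return old_pw != new_pw and base(old_pw) == base(new_pw)


def change_password(acct: Account, old_pw: str, new_pw: str, now: datetime) -> str:
    """Apply the checks in order and return a short status string."""
    if not hmac.compare_digest(_hash(old_pw, acct.salt), acct.history[-1]):
        return "old password incorrect"
    problems = strength_problems(new_pw)
    if problems:
        return "weak: " + "; ".join(problems)
    new_hash = _hash(new_pw, acct.salt)
    if any(hmac.compare_digest(new_hash, h) for h in acct.history):
        return "reused: matches a previous password"
    if looks_like_increment(old_pw, new_pw):
        return "too similar to the current password"
    acct.history.append(new_hash)
    acct.changed_at = now
    return "ok"


def age_reminder(acct: Account, now: datetime, remind_after_days: int = 90) -> str | None:
    """The soft alternative to forced expiry: a notice the vendor may ignore."""
    age = (now - acct.changed_at).days
    if age >= remind_after_days:
        return f"password is {age} days old; consider changing it"
    return None


if __name__ == "__main__":
    acct = new_account("Correct-Horse-2023", datetime(2024, 1, 1), salt=b"\x01" * 16)
    today = datetime(2024, 4, 15)
    print(age_reminder(acct, today))
    print(change_password(acct, "Correct-Horse-2023", "Correct-Horse-2024", today))
    print(change_password(acct, "Correct-Horse-2023", "Battery-Staple#88", today))
```

The order of checks matters: the old password is verified first so the routine cannot be used to probe history without knowing the current credential, and the similarity test runs only against the current password because that is the only one available in clear at change time.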