office check-in
Dec. 4th, 2022 05:23 pm

Before the pandemic, I went to the office every day, as one does. Our office manager did what he could to make it an ok environment, but it has the usual pathologies. Pandemic-induced working from home has been good for me in oh so many ways. I'm fortunate to be at a point in my career where I am quite comfortable telling my employer "I really do insist". (There's some pressure, mild so far.) I'll go to the office if there's a specific reason to, like the group outing we had a few months ago, but most of the people I work with aren't local, so going to the office is social, not productive.
On the day of that outing, I learned -- via a coworker finding out the hard way -- that corporate security disables badges that haven't been used in 90 days. That makes sense, though doing it silently isn't so great. Fortunately for me, I last changed my domain password around the time of that outing, so the "time to change your password" reminder serves double duty.
A few days ago I changed my password, and today I went to the office to wave a badge at a sensor. While I was there I cleared out the last of my personal belongings; demonstrably, I no longer need to keep an umbrella or a spare USB charging cable in my desk drawer there.
(no subject)
Date: 2022-12-05 01:04 pm (UTC)

Forced password changes every 90 days? Ugh. Maybe you can point them at NIST SP 800-63B; I believe NIST was the source of the original "change passwords regularly" recommendation back in what, the 1970s? NIST refers to passwords as "memorized secrets", so section 5.1.1 is the one that applies here. Since a few years ago, per it, passwords should be >= 8 characters (with exceptions that probably don't apply in your situation), systems should allow passwords of at least 64 characters, not impose any other complexity criteria, and NOT require "arbitrary" (specifically exemplified with "periodically") password changes. As a mitigation against long-lived passwords, they instead recommend failure rate limiting, which most systems already do; it's why it takes a few seconds to get back an "incorrect username or password" even though when you type it correctly the system lets you straight in. They also suggest ways to mitigate password reuse.
https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
A long, high-entropy password or passphrase that is actually committed to memory is much better from a security point of view than one that has to be changed often and therefore likely won't be as complex simply because people are generally reluctant to have to commit new passwords to memory regularly.
As an example, a six- or seven-word Diceware passphrase provides 77-90 bits' worth of security (12.9 bits per word), which is plenty enough for just about any situation, is often eminently memorable, and takes only a few seconds to type once you have memorized it if you're a decent typist. Suppose someone knows that your password is a seven-word Diceware passphrase generated using a particular word list; if they can try a billion possibilities per second (which is a pretty decent rate for an offline attack by a moderately powerful adversary, and completely unreasonably fast for an online attack), it will take the attacker upwards of 40 billion years to go through all possibilities; on average, they'll hit the right one in half that time. 2^90 (possibilities) / 10^9 (attempts per second) / (365*24*60*60) (seconds in a year) ~ 3.9 * 10^10 (years to completion). A highly motivated, powerful adversary might be able to raise that a few orders of magnitude, bringing the average time to completion down to, say, a few million years. No one is going to do that; they are going to try to get in through some other means where the complexity of the password doesn't matter.
/The Internet Dog
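The Diceware arithmetic in the comment above, worked through as an added example (not part of the original post or its comments): it derives the 12.9 bits per word from the 7776-word (6^5) list, checks the 77-90 bit range and the ~3.9e10-year figure, and shows a passphrase generator that draws from the `secrets` CSPRNG. The word list here is a constructed toy list, so its entropy is computed from its real length.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 60 * 60
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per five-dice roll

# Constructed toy word list for demonstration only; a real Diceware list has 7776 entries.
TOY_WORDS = ["apple", "bridge", "candle", "delta", "ember", "forest", "glacier", "harbor"]


def bits_per_word(list_size=DICEWARE_LIST_SIZE):
    """Entropy of one word chosen uniformly from the list: log2(list size)."""
    return math.log2(list_size)


def passphrase_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Total entropy of n_words drawn independently (entropy adds per word)."""
    return n_words * bits_per_word(list_size)


def years_to_exhaust(bits, guesses_per_second=1e9):
    """Years for an attacker to try every passphrase at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def diceware_roll():
    """Five secure dice rolls, returned as the Diceware key string, e.g. '36211'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_key_to_index(key):
    """Map a five-digit key in '11111'..'66666' to a 0-based list index (base 6)."""
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def generate_passphrase(n_words, words=TOY_WORDS):
    """Pick words with secrets.choice; random.choice is not suitable for secrets."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for n in (6, 7):
        bits = passphrase_bits(n)
        print(f"{n} words: {bits:.1f} bits, ~{years_to_exhaust(bits):.2e} years to exhaust")
    print("roll", diceware_roll(), "->", diceware_key_to_index(diceware_roll()))
    print("toy passphrase:", generate_passphrase(7), f"({passphrase_bits(7, len(TOY_WORDS)):.1f} bits)")
```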
(no subject)
Date: 2022-12-05 01:41 pm (UTC)

And what are the odds that the systems the passwords protect would even still be there in a mere few million years? I agree; their policy discourages strong passwords. For other internal systems (without a rotation policy) I've been using the same strong password for years, which I can remember and type easily, for better security.