
Something I’ve wished companies would do: publish (on an internal site) all of their employees’ previous passwords each time they’re rotated. Users would be compelled to create better passwords out of sheer embarrassment/competitive spirit.


I sort of wish companies would not have employees' passwords. Hashing should be standard practice.


It must be, but publishing old passwords can still be done by saving the old cleartext password on password change.


As in store "old password" as cleartext on its final use?


Yes, that was my initial thought on how to make this possible. In my case, the company where I contract has a dedicated application (on Mac, at least) for password changes: record the old password and share it once the new password has taken effect.


The last password, to be posted, could be stored in plain text on the password change form submit action. Before that it is only ever committed to permanent storage as a hash.


Wouldn't that just be another attack surface? Chances are some of those rotated passwords may be used in other sites and this just exposes the company and the user to additional risk.

Not to mention insiders that are bad actors.


It gives added incentive to the company to make sure all of their internal passwords are managed via SSO so the users don’t continue to use a password on non-integrated systems after it’s rotated centrally.

And as long as employees are warned in advance, they should be aware of the risk of re-using passwords, which already exists today. If anything, this highlights the fact that if employees are using their company password for some other service, they’re placing their employer at risk.


Not all sites are customer sites.

I generally use unique passwords for everything, but I worked many years at a company with a 3-month password rotation policy, and coming up with high-entropy yet memorable passwords was sufficient work that many accounts on machines on my home network used some retired passwords from there.


Policies like this one are what make people write their passwords on post-it notes. It's hard to create new memorable passwords every month or two, so people will either keep using a pattern or be forced to write it down on paper. MFA is the way to go.


If the company is forcing password rotations every couple of months they’re too broken to successfully handle this anyway.


Anecdotal, but I worked for a non-tech company over a decade ago that had a monthly password change policy. When I started at the company my desk wasn't ready the first day, so I was seated at the workstation of another employee who was on vacation. First thing I saw was his password on a post-it under the keyboard.


I worked at a place that had such policies; it is a national engineering lab. They are owned (mostly, some are joint ventures with universities) by the Department of Energy (who builds and owns America's nukes - they're just leased to the Dept of Defense). While my lab had nothing to do with nukes, some of the other labs made them. So we got many of the same security policies that Los Alamos had. Which meant it took me about 45 minutes to figure out a new password that wasn't too close to one I previously used, nor did it have a 3+ letter word in any language (I have no clue which languages they tracked) forwards or backwards.


You want companies to store passwords in plain text?


Only the no-longer-in-use passwords, which could be collected at the point in time when the user changes it to a new one.


Plus, it would mean people would stop just incrementing a number at the end if it revealed their pattern.


If companies want us to stop incrementing a number (guilty!) or writing our passwords on post-its stuck on our monitors, they should stop requiring us to change our passwords every freaking month. I think it was only in 2021 that NIST suggested the password change frequency should be yearly.
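As an added example (not code from any commenter), here is a password-change handler that catches the "increment the number" pattern and reuse of recent passwords at the moment of change, when both cleartexts are legitimately in memory, while only salted hashes are ever retained. The history depth, the PBKDF2 parameters and the in-memory history list are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

Entry = Tuple[bytes, bytes]          # (salt, digest)
HISTORY_DEPTH = 5                    # assumption: old hashes retained per user
PBKDF2_ROUNDS = 100_000              # assumption; use a memory-hard KDF in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _matches(password: str, entry: Entry) -> bool:
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


def _stem(password: str) -> str:
    # Strip trailing digits so "Summer2023" and "Summer2024" compare equal.
    return re.sub(r"\d+$", "", password).lower()


def enroll(password: str) -> List[Entry]:
    """Initial history for a new account: only the current password's hash."""
    salt = os.urandom(16)
    return [(salt, _hash(password, salt))]


def check_change(history: List[Entry], old: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None if the change is acceptable.
    history[0] is the current password; the rest are previous ones."""
    if not history or not _matches(old, history[0]):
        return "current password incorrect"
    if any(_matches(new, entry) for entry in history):
        return "password was used recently"
    # Both cleartexts exist only for this request, so the pattern the
    # thread wants to shame people out of can be rejected here instead
    # of by publishing old passwords.
    if _stem(new) == _stem(old):
        return "new password is the old one with a changed number"
    return None


def change_password(history: List[Entry], old: str, new: str) -> List[Entry]:
    """Return the updated hash history; raise ValueError on rejection."""
    reason = check_change(history, old, new)
    if reason is not None:
        raise ValueError(reason)
    salt = os.urandom(16)
    return [(salt, _hash(new, salt))] + history[:HISTORY_DEPTH - 1]
```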


I think NIST has actually recommended against forced rotation of passwords (unless they are breached) since at least 2017.

"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

- NIST SP-800-63B Digital Identity Guidelines - Authentication and Lifecycle Management

--

A large part of me wishes they made this a SHALL NOT. It would have caused chaos with other standards, but it would have been the right thing to do.


You underestimate how much people care about a revealed password. I've definitely heard water cooler talk about how some have "beat the system" by using a certain password (that they just tell the person they're talking to!) and the year.


Personally, I wish fewer companies would store passwords in plaintext!
