rcdevs

How about swapping password rotation fatigue for real-time leak detection?

Hi there!

Traditional password rotation policies, while meant to enhance security, can lead to user fatigue and even weaker security as users struggle to keep up with frequent changes. Instead, real-time password leak detection offers a more effective and user-friendly approach. By actively monitoring for compromised credentials, real-time checks alert users the moment a password is detected in a data breach. This proactive approach minimizes disruption, enhances security, and provides peace of mind, all without the burden of constant password changes.
Is real-time leak detection the future of password management? What do you think?

Content-ID: 669486

Url: https://administrator.de/en/how-about-swapping-password-rotation-fatigue-for-real-time-leak-detection-669486.html

Printed on: 28.01.2025 at 22:01

kpunkt
kpunkt 14.11.2024 updated at 11:51:01
Nah... How real-time is real-time? And who notices the data breach? If it's breached by capable people, it will take months for the breach to be discovered.
The problem is not the management of passwords, but the passwords themselves.
150940
150940 14.11.2024 at 11:51:15
Spam Spam Spam ...
kpunkt
kpunkt 14.11.2024 at 11:53:10
Yes, but he was stupid to put the link in. So you can just do it for him...
150940
150940 14.11.2024 updated at 11:53:52
Quote from @kpunkt:

Yes, but he was stupid to put the link in.
It will come.
tomolpi
tomolpi 14.11.2024 at 11:54:54
Quote from @150940:
Quote from @kpunkt:

Yes, but he was too stupid to put the link in.
It will come.
The moderator monitors this 😉
rcdevs
rcdevs 14.11.2024 at 12:01:36
The system checks passwords against a database of millions of known weak or leaked passwords. The process starts with locally hashing the user's password. Only the first five characters of the hash are then transmitted and a service compares this partial hash to its database and returns possible matches, allowing verification if the full hash is compromised locally.
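As an added illustration of the partial-hash (k-anonymity) check described above, and not code from the original post or from OpenOTP, here is a Python sketch of both sides of the exchange. The breach corpus, its counts and the service request log are constructed here so the example runs offline; a real service would store hashes only.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for the service's breach corpus (password -> times seen in
# leaks). A real service stores only hashes; plaintexts appear here for readability.
LEAKED_CORPUS: Dict[str, int] = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "letmein": 150_000,
    "Winter2024!": 1_200,
}

# Everything the simulated service receives, so we can verify what it learns.
SERVICE_LOG: List[str] = []

def sha1_hex(password: str) -> str:
    """Hash locally; the plaintext never leaves the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def range_query(prefix: str) -> Dict[str, int]:
    """Simulated service side: every corpus suffix sharing `prefix`, with counts.

    The service only ever sees the prefix; with a real corpus each prefix covers
    hundreds of hashes, so the queried password hides inside that set.
    """
    SERVICE_LOG.append(prefix)
    matches: Dict[str, int] = {}
    for plaintext, count in LEAKED_CORPUS.items():
        digest = sha1_hex(plaintext)
        if digest[:5] == prefix:
            matches[digest[5:]] = count
    return matches

def breach_count(password: str) -> int:
    """Client side: fetch the range for our prefix, then compare suffixes locally."""
    prefix, suffix = split_hash(password)
    return range_query(prefix).get(suffix, 0)

def is_compromised(password: str, threshold: int = 1) -> bool:
    """Policy hook: treat any password seen at least `threshold` times as leaked."""
    return breach_count(password) >= threshold
```

The service log lets you confirm the privacy property: only five-character prefixes ever cross the wire, never a full hash or a plaintext.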
150940
150940 14.11.2024 updated at 12:24:00
So which system do you recommend?
rcdevs
rcdevs 14.11.2024 at 12:28:59
We implemented this in the OpenOTP server, but the purpose of the post was to gather feedback on whether it would be beneficial for companies and users (for users for sure) to replace the traditional password rotation routine with this type of mechanism.
150940
150940 14.11.2024 updated at 12:34:52
I told you so... self-promotion.
rcdevs
rcdevs 14.11.2024 at 12:40:34
You asked, I replied.
Your comments aren't really relevant. 🙂
Other solutions, like Google and Apple, also offer similar features for personal accounts.
Would companies change their minds with this kind of feature... Here is the question
kpunkt
kpunkt 14.11.2024 at 12:46:35
C.R.S.
C.R.S. 14.11.2024 at 16:19:29
Quote from @rcdevs:

Is real-time leak detection the future of password management? What do you think?

No, because it confuses different threats and precautions, putting the latter into a context in which they are not effective.
Checking against known and weak password DBs is primarily a password quality measurement applied during password creation. It can be used for the suggested monitoring purpose, if it is considered that it detects password leaks with the considerable time delay that it takes to collect leaked passwords in the wild, that it should be expected to detect password re-use or mass psychology rather than leakage from the monitored source, and that traded leaked password databases are basically leftovers for which the skilled attacker who initially obtained the database has no further use.

Indeed, if you actually detect a data breach of the monitored source, an ad-hoc rotation (among other means) would counter that. Regular password rotation, on the other hand, is not meant to protect against such data breaches but to counter the time decay in confidentiality that affects passwords which are subject to systematic risk of disclosure, i.e. entered manually. These passwords are usually picked up through shoulder surfing or CCTV and never make it into a database release; and in most cases they are never used for malicious purposes, but with confidentiality as a key requirement for a password, you want to re-establish it from time to time.
rcdevs
rcdevs 15.11.2024 at 10:51:38
Thank you, @c.r.s., for your pertinent answer! 😊