I didn't realize just how much I blamed Microsoft for the current state of passwords until I sat down to write about their "passwordless future": https://puri.sm/posts/microsoft-ruined-passwords-now-aims-for-a-passwordless-future/
@kyle If I'm synopsizing this correctly: Microsoft bad because Microsoft encoded password-rotation recommendations into default AD policy.
That's ... a stretch.
And I'm no fan of Microsoft.
1) Password rotation recommendations go back a long way, and were considered best practices for decades. I remember them from the 1990s, and well before AD was a A Thing. AFAIU a some point they were recommended through entities such as NIST.
1/
2) Enshrining recommendations in code is what we want, usually, as it is the best way to achieve conformance. Enshrining bad or outdated recommendations in code ... is where problems start.
The AD situation seems the latter.
The larger problem seems to be that AD has acheived longevity, and there's no good way to propagate new policy recommendations to existing systems.
2/
@kyle NB: I checkecd my old copy of PUIS (Garfinkel & Spafford), 2nd edition, published in 1996. That says a fair bit on passwords, and discusses forced changes (a systems administrator option), though not timed expiry. It does discuss a whole bunch of distressingly familiar issues on the use of passwords which were already well-known problems ... twenty-five years ago.
Evi Nemeth (RIP) in the UNIX System Administration Handbook 2nd ed, (1995) has a discussion of password aging (automated timed-out passwords) on pages 95 & 544. She's not a fan, but the capabilitiy exists and is noted on Solaris, Irix, and BSDI. She does recommend rotating the root password regularly.
But again: Microsoft isn't the source of the problem here.
(As of 1995, Microsoft systems were all single-user and had ... precisely NO passwords....)
3/
@dredmorbius Summary is:
1. MS (and AD) strongly contributed to and enabled a culture of bad passwords. While they didn't invent bad password policy, their defaults and recs became gospel to many IT admin and AD enabled bad policy to scale, training a generation of computer users to make bad passwords.
2. "Passwordless future" enables vendor control of hardware, as auth is strongly tied to hardware security, which is anchored in trusted (signed by MS) software.
@kyle Point 1 is taken though that's still more a concern of enshrining bad and especially outdated policy.
Good policy is good. Bad policy is bad. Good policy administration is keeping tabs on when good policy becomes bad and fixing it.
I agree on your points re: passwordless future and lockin where that's based on devices. Keep in mind that Apple, Google, and Amazon are all racing down this path as well ("swipe" payments with smartphones, Siri, and Alexa, etc.)
That's an issue with lock-in. See Shapiro and Varian's late 1990s book, Information Rules.
(Note that Varian is now chief economist tat Google. Go figure.)
@kyle Better than passwords and the mess FGAM are pushing for would have been PKI.
@kyle let's not forget, we can also thank Microsoft foisting HTML in email upon us all. Now *that* was a bad idea.
@kyle I mean - when a near-monopoly behaves irresponsibly the consequences are non-trivial. Good read and a fair position to take.