I didn't realize just how much I blamed Microsoft for the current state of passwords until I sat down to write about their "passwordless future": https://puri.sm/posts/microsoft-ruined-passwords-now-aims-for-a-passwordless-future/
@kyle I mean - when a near-monopoly behaves irresponsibly the consequences are non-trivial. Good read and a fair position to take.
@kyle If I'm synopsizing this correctly: Microsoft bad because Microsoft encoded password-rotation recommendations into default AD policy.
That's ... a stretch.
And I'm no fan of Microsoft.
1) Password rotation recommendations go back a long way, and were considered best practices for decades. I remember them from the 1990s, and well before AD was a A Thing. AFAIU a some point they were recommended through entities such as NIST.
2) Enshrining recommendations in code is what we want, usually, as it is the best way to achieve conformance. Enshrining bad or outdated recommendations in code ... is where problems start.
The AD situation seems the latter.
The larger problem seems to be that AD has acheived longevity, and there's no good way to propagate new policy recommendations to existing systems.
@kyle NB: I checkecd my old copy of PUIS (Garfinkel & Spafford), 2nd edition, published in 1996. That says a fair bit on passwords, and discusses forced changes (a systems administrator option), though not timed expiry. It does discuss a whole bunch of distressingly familiar issues on the use of passwords which were already well-known problems ... twenty-five years ago.
Evi Nemeth (RIP) in the UNIX System Administration Handbook 2nd ed, (1995) has a discussion of password aging (automated timed-out passwords) on pages 95 & 544. She's not a fan, but the capabilitiy exists and is noted on Solaris, Irix, and BSDI. She does recommend rotating the root password regularly.
But again: Microsoft isn't the source of the problem here.
(As of 1995, Microsoft systems were all single-user and had ... precisely NO passwords....)
@dredmorbius Summary is:
1. MS (and AD) strongly contributed to and enabled a culture of bad passwords. While they didn't invent bad password policy, their defaults and recs became gospel to many IT admin and AD enabled bad policy to scale, training a generation of computer users to make bad passwords.
2. "Passwordless future" enables vendor control of hardware, as auth is strongly tied to hardware security, which is anchored in trusted (signed by MS) software.
@kyle Point 1 is taken though that's still more a concern of enshrining bad and especially outdated policy.
Good policy is good. Bad policy is bad. Good policy administration is keeping tabs on when good policy becomes bad and fixing it.
I agree on your points re: passwordless future and lockin where that's based on devices. Keep in mind that Apple, Google, and Amazon are all racing down this path as well ("swipe" payments with smartphones, Siri, and Alexa, etc.)
That's an issue with lock-in. See Shapiro and Varian's late 1990s book, Information Rules.
(Note that Varian is now chief economist tat Google. Go figure.)
@kyle Better than passwords and the mess FGAM are pushing for would have been PKI.
@kyle @lightweight And all they needed to do to be doing it nicely was offloading local account verification to the password manager of your choice. (okay they'll default and pressure you to use your MS account, but as long as their was a real option for others I'd be okay with it)
But no, they are continuing to ignore antitrust laws because those laws are toothless.
@LovesTha @kyle to be fair, I think most organisations that should be keenly aware of vested and pecuinary interests are blithely unaware, to the point of corruption in many cases. (note 'vested' interest, i.e. having a personal stake in one or another outcome when expected to be neutral, and 'pecuniary', having a *financial* stake, are slightly different).
@LovesTha @kyle I see, too, that there's a whole area of "non-pecuniary interests", which are vested interests that are not pecuniary in nature :) - see the 2nd def here: https://www.lawinsider.com/dictionary/non-pecuniary-interest
@LovesTha @kyle given that, at the time, there were widely used alternatives (e.g. Word Perfect, which held on in legal circles longer than in any other business context) it seems like they should've avoided using the product against whose supplier they were adjudicating. Sadly, they weren't that ethical. And the US gov't (GWBush, the capitalist ideologue) apparently decided not to penalise Microsoft despite them, against all odds, being found guilty of criminal monopoly.
@LovesTha @kyle yup. As I've explained, our gov'ts have paid through the nose to be monopolised (and even held hostage) by Microsoft for a couple decades, which is pretty unforgivable, really, because I, as a lay person rather than someone whose professional role it was to be aware of these things, recognised it 20+ years ago. Here's more: https://davelane.nz/mshostage
@LovesTha @kyle ultimately, for politicians to be complicit - and I note the dominance and depths of gov't dependence on Microsoft is unprecedented in human history - is effectively corruption. They're knowingly digging the hole deeper with each procurement round. It's unforgivable incompetence, actively working against the interests of the taxpayer/citizen, and residents, not to mention communities.
@kyle let's not forget, we can also thank Microsoft foisting HTML in email upon us all. Now *that* was a bad idea.