Guess what memory-challenged users do when faced with "must be unique" pressures.
They start to swap memorable strings between what's in the username and what's in their passwords (across other platforms, because reuse).
Don't force users to change their usernames in response to a security event.
On a related topic.
I tell people to use long passwords they can remember, to make sure they don't write them down.
The response is sad, and predictable...
Don't put arbitrary constraints on passwords that make them harder to remember, or easier to guess by a computer.
@ekg @tychotithonus I try to do this.
The password rotation is what breaks me. Especially for the ones I rarely use.
I can only come up with so many long, memorable phrases that will tell me exactly which account the password is for before it just begins to jumble.
@Epic_Null @tychotithonus the "correct" solution to password rotation is to rotate the salt, not the passphrases. By, for example, using the last login id as the salt, you can generate a new hash every login while not forcing your users to memorise a new password.
@ekg
Unfortunately, since the salt has to be stored with the hash, once I crack a user's password it would stay cracked forever.
@Epic_Null
I should probably write what I think is the "real" solution.
The way I would like to solve this problem, that users might use compromised passwords, is a "red team" bot that would try naive dictionary attacks against high-risk accounts. When it breaks a passphrase, the user would be informed that their passphrase is naively crackable.
This would of course require the acquisition of passphrase dictionaries.
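An added example illustrating the two points made in the thread, written here and not taken from any participant: a per-user salted hash, the "rotate the salt at login" idea, and a defender-side weak-passphrase audit of the kind the "red team bot" describes. The work factor, the record layout and the tiny weak-passphrase list are all constructed for the example; a real deployment would use a memory-hard KDF and a genuine breached-password list.

```python
# Added example, not code from the thread. Demonstrates:
#  - storing a random per-user salt beside the hash (a verifier must),
#  - re-hashing under a new salt after a successful login ("rotate the salt"),
#  - a defender-side dictionary audit, which works precisely because the
#    stored salt lets anyone holding the database re-hash each candidate,
#    so rotating the salt never "un-cracks" a weak passphrase.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the passphrase under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)


def new_record(passphrase: str) -> dict:
    """Create a stored credential: fresh random salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_passphrase(passphrase, salt)}


def verify(record: dict, passphrase: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    candidate = hash_passphrase(passphrase, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def rotate_salt_on_login(record: dict, passphrase: str) -> dict:
    """The thread's proposal: at login the server holds the plaintext, so it
    can re-derive the hash under a brand-new salt without the user changing
    anything. The passphrase itself is unchanged."""
    if not verify(record, passphrase):
        raise ValueError("passphrase does not match stored record")
    return new_record(passphrase)


# Constructed weak-passphrase list standing in for a real dictionary.
WEAK_PASSPHRASES = [
    "correct horse battery staple",
    "password123",
    "letmein",
    "iloveyou",
]


def audit_record(record: dict, wordlist=WEAK_PASSPHRASES) -> Optional[str]:
    """Defender-side check: returns the matching dictionary entry if the
    stored record is naively crackable, otherwise None. The same stored
    salt that lets the site verify logins lets this audit (or an attacker
    with the database) test each candidate, before or after salt rotation."""
    for candidate in wordlist:
        if verify(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    weak = new_record("correct horse battery staple")
    print("weak record flagged as:", audit_record(weak))
    rotated = rotate_salt_on_login(weak, "correct horse battery staple")
    print("still flagged after salt rotation:", audit_record(rotated))
    strong = new_record("lamp orbit quilt 7 harbor ostrich")
    print("strong record flagged as:", audit_record(strong))
```

The audit is the benign form of the check: run it against your own credential store and notify the affected users, as the last post suggests, rather than forcing a store-wide rotation that pushes people toward weaker, more guessable passphrases.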