Post AurkT3LCMY26I4VBgW by denschub@mastodon.schub.social
Post #AurkJWGpwqNl7OurKq by denschub@mastodon.schub.social
2025-06-06T21:16:49Z
0 likes, 0 repeats
German "Internet" experts in a nutshell: InterNetX, one of the biggest domain registrars, part of United Internet (the enterprise also owning 1und1) has now introduced their latest "security enhancement": automatically expiring passwords. Almost a decade after the internet world agreed that those are an impressively stupid idea. I'm so incredibly tired.
Post #AurkJXFoI99gAVRYNE by tuxicoman@social.jesuislibre.net
2025-06-06T21:19:00Z
0 likes, 0 repeats
@denschub what is stupid? Password/token or secret/token expiration ?
Post #AurkT3LCMY26I4VBgW by denschub@mastodon.schub.social
2025-06-06T21:20:45Z
0 likes, 0 repeats
@tuxicoman automatically expiring passwords. NIST realized that in 2016. Even the BSI realized how stupid that is and started recommending against that policy in 2020. And now, 5 years after the BSI said "hey, let's stop doing that", the "experts" at InterNetX decided to start doing that.
Post #Aurl5PNuqvAlf83w4O by tuxicoman@social.jesuislibre.net
2025-06-06T21:27:41Z
0 likes, 0 repeats
@denschub I agree it's painful (breaks workflow) and not efficient if people use a pattern. What is the current recommended pattern? I use OTP with a device.
Post #AurlwVoJgyL6wJjVGS by denschub@mastodon.schub.social
2025-06-06T21:37:17Z
0 likes, 0 repeats
@tuxicoman the current "recommended pattern" is not to let passwords expire automatically and not to force users to "regularly" change passwords. That stands all on its own; it's completely irrelevant to any 2FA discussion. The current 2FA recommendation can be found in this German PDF (which I do not agree with, but that's beside the point).
Post #AurmwaCTTI4sVYd89g by tuxicoman@social.jesuislibre.net
2025-06-06T21:48:31Z
0 likes, 0 repeats
@denschub ok thanks.