PCI is nothing more than Security Theater so Mastercard and visa can claim it is all the merchants fault for data breaches and shield them from any liability
SSNs are identifiers and when knowledge of SSN gets you some privileges, it's problem with whatever gives you these privileges. Card numbers are on the other hand essentially explicitly designed to be used as authentication data and at the same time printed in big letters on the card and known by all parties involved in transaction.
My passwords are always surprised or overly enthusiastic. MyPassword123! Soon becomes MyPassword123!! And then as I progress in the company my enthusiasm gets even more hyper MyPassword!!!!!
It's fun to know that almost every requirement usually gets solved by capitalizing the first letter, by prefixing or postfixing the number 1, but using the "!"... and that's what the majority does.
If your password is compromised, you've already lost. Since password rotation policies incentivize weak passwords, they are more likely to result in a compromised password. Thus, password rotation with weak passwords is not better than a single strong password that is never rotated.
Now that I think about it "Don't worry about detecting attackers, they will get kicked out when we next rotate passwords" is not an attitude you want anyone to develop.
Plus, chances are pretty good that if they compromised one password undetected, they can compromise the next one in the same way (spear phishing, malware, etc.).
I have previously worked in the gambling industry. The worst nightmare of any gambling device manufacturer is a group of people that discover a bug and exploit it on small scale - no one will bat an eye and investigate if a machine pays out 50 bucks more or less.
However, in most cases people are dumb, greedy or the combination of both - e.g. in February 2014, a concerted mass hack occurred across Germany and over 10M € were reported as losses (http://www.spiegel.de/spiegel/print/d-126511954.html), and most other bugs surface fairly quickly because people exploit them until the machines run dry and the owner/manufacturer inspects them.
So, in the case of gambling machines/casinos, a small-scale hidden compromise is far worse than a "big blow" - thankfully for the industry, greed usually prevails over common sense.
There are quite a few scenarios where a sustained, hidden compromise is an (or several) order of magnitude worse than a one time obvious compromise.
The first to come to mind is a corporate espionage scenario. Do you want to know what your competitor is up to today, or do you want access to their briefings/CAD/code for the next 12 months? Long duration compromises also allow you to slip data out slowly, so a NAS doesn't show 200GB being transferred off in a matter of hours, but a slow drip of 100MB a day.
At a personal/home use level, long term access to a bank account allows an attacker to build up a spending profile, which depending on your habits, could be used for blackmail.
Password rotation doesn't fix that because the difference between myLongPassWordThatDoesntChange and myLongPassWordThatRotates7 is effectively meaningless. An adversary who has your current password can almost certainly guess your next one because changing the 7 to an 8 is a pretty obvious step, and it's one that most people do when forced to rotate.
Forcing password rotation guarantees that most people will just use the shortest possible password and stick some rotating suffix on it because your policy is pointless and annoying. You make yourself the adversary when you enforce policies like this and people stop trying to be secure and just try to get on with life.
The reality is that passwords are being deprecated as strong security boundaries.
We've been working under this fantasy that it's acceptable to make a "strong" password and have a meaningful expectation that you can maintain the security and integrity of access. Multi factor authentication is the best solution to this problem -- a moderately complex password with MFA is stinger than a password.
If you want to compromise somebody long-term, you move laterally within the targets network and infect multiple devices.
Anecdotal and only related to your last paragraph, but as a security researcher I can say that 99% of the time attacks on a personal bank account are never "long term." Most of time, regardless of skill, hackers get in, cash out and disappear. It's far more lucrative (and generally safer) to empty the account than try to blackmail someone based on spending habits.
I happen to know of a bank exploit in which the attackers compromised one thousand online accounts, and attacked all them (transferring funds) on the same day.
Presumably the attackers were worried that after several transfers the bank would notice and block further access, so they kept a roster of compromised accounts to attack all at once. I suppose that a password rotation policy would have helped mitigate damage in this case, though something like fail2ban or automated IDS would have been better.
again if your corp doesn't have a policy for off-boarding employees and removing their access then you've failed. If your corp doesn't have a policy of not having shared accounts then you've failed... if you are forced to have shared accounts then you need to have in your off-boarding policy that anyone who had access (which was a purely need to know basis) once off-boarded would trigger that password change.
The point being that what you are seeing as benefits of password expiration are better achieved with proper polices that management and HR operate under... while password expiration may in some ways help you achieve your goal in a lazy manner it also opens you to ALL your employee's using weaker passwords and giving you way more attack points than the off chance that someone decides to not follow the policies you established above.
Also none of those policies require an "IT pro" ... implementing them might, but understanding the goal of the policy and putting them into place is something any good management team should be able to accomplish.
I agree with you in principal, but is also important to remember that policy != practice. For a policy against shared accounts, for example, there is no reasonable way to guarantee that Employee A has not given his password to Fired Employee B.
Unless you can only change on a pre-defined interval, the attacker can always change your password for you to avoid being locked out. I don't know many users who would complain their their password seemingly never expired.
These are often combined with a requirement to not reuse some number of recent passwords, so the attacker can't change the password right back again. When you can't log in then your password will be reset and they've lost access.
I thought PCI compliance required you to follow A standard (they didn't dictate which one) as long as it was a recognized industry standard and you were consistent with it. NIST would qualify...
We're going through various audits for PCI right now. Our auditor insisted that we need to add checks for reuse of recent passwords.
However, I've heard that the process varies widely depending on who your auditors are. Some are apparently very permissive, but we got the other end of the spectrum.
