
Unless you can only change on a pre-defined interval, the attacker can always change your password for you to avoid being locked out. I don't know many users who would complain that their password seemingly never expired.



These are often combined with a requirement to not reuse some number of recent passwords, so the attacker can't change the password right back again. When you can't log in then your password will be reset and they've lost access.


That's true, I hadn't thought of that. Holiday week has my brain off in the clouds.



