Is it insecure for an app to report how many days are left before current password expires?
Is it insecure for an app to report how many da开发者_如何学运维ys are left before current password expires?
For example, if passwords expire every 30 days, if the app told you that your password will expire in 5 days (after you have logged in of course).
Or, is it possible that the app could store a cookie that tells the app to start suggesting a password change 3 days before the password expires?
Would either of these be considered bad practice?
See Bruce Schneier's blog post on Changing Passwords.
The main reason for password expiry is to make compromised passwords expire; telling the user (or the attacker) that it'll expire doesn't change this. What it does do is tell the attacker to compromise something else before the deadline; whether this is a risk depends on whether there are such attackers (I'd expect the first thing to do would be to install a rootkit).
The security benefit is that the user is given some amount of time (e.g. a week) to think of a new password. I can come up with a half-decent password in a minute or two, provided I'm not in a rush to get work done; otherwise I'd just increment a counter on the end. Everyone does this.
My feeling is that the benefit of effectively saying "at some point in the next week, think of a new password" outweighs the potential risks, but 30 days is far too short. There are only a handful of passwords that I actually need to remember (phone, laptop+root, home server+root, work computer+server, password safe); changing any of these is tedious.
There are various ways of ensuring that users don't choose passwords related to old passwords; none of them are particularly good.
I think that if you need to tell the user that the password expires in so many days, you should make a page that appears after the login has been completed.
For example, if you have one page that is your login form, then after that it goes to another script that redirects to the home page on successful login.
Instead of immediately redirecting, you could use <meta http-equiv="refresh" content="5; URL=/">
on the page to give the user five seconds to read the page and show how many days the user has until their password expires.
But make sure the message is only shown after login, otherwise a hacker can read the contents of the login page to find out when their password needs changing.
Ad@m
I don't think it's insecure to tell the user when their password expires - at least I cannot see how it can realistically aid an attacker. It's common practice in any case - as adam mentions, Windows itself does that.
精彩评论