| |
Customers baffled as Citrix forces password changes for Sharefile
» www.theregister.co.uk/20 ··· arefile/
quote: Citrix says there is no reason to panic after it asked customers to reset their passwords on its Sharefile service. The file-dropping service rang in the new month with the announcement that it would begin regularly requiring users to change out their passwords. That new policy will begin this week, as all users are being asked to reset. According to Citrix, there's no specific data breach or incident behind the move, but rather an intent to get out ahead of hackers who are farming leaked passwords from other breaches and trying them with Sharefile. While Citrix posted the new policy on its status page over the weekend, many customers did not get the news and, when greeted Monday with a reset request, were rightly concerned that something was not right.
Just with all the breaches lately, then there's this... "improved" security, or kneejerk / firefighting reaction? Sharing out of general Security interest. Regards |
|
| |
Funny thing about changing passwords ... if there has been no breach, and you have a good password, why the need to change it?
Related: Certain systems enforce password complexity and mandatory password change intervals (say, 90 days). Assuming you have a strong password, how does an adversary "know" that your password is 91 days old, and how is a strong and secure 90-day old password any better than a 91-day old password? |
|
DarkLogix Texan and Proud Premium Member join:2008-10-23 Baytown, TX |
Ya, the current NIST recommendation is no expiration, but to support the full Unicode character set. |
|
| |
Sanity. Now if only some of my accounts would follow said recommendation. |
|
DarkLogix Texan and Proud Premium Member join:2008-10-23 Baytown, TX |
said by InternetJeff: Sanity. Now if only some of my accounts would follow said recommendation.
It at least gave me leverage to up the expiration to something more user friendly. |
|
|
Blackbird Built for Speed Premium Member join:2005-01-14 Fort Wayne, IN |
to InternetJeff
said by InternetJeff: Funny thing about changing passwords ... if there has been no breach, and you have a good password, why the need to change it? ...
Maybe because a lot of people reuse passwords on multiple sites, and some of those sites are easily hacked and the password lists leak out onto the black web to be used as trial words for hackers. However, I have to wonder how many users who use truly complex passwords actually reuse such passwords... it seems to go against the logic of it. |
|
redxii Mod join:2001-02-26 Michigan Asus RT-AC3100 Buffalo WZR-HP-G300NH2
4 edits |
I really, really, really hate a certain bank of mine making me change my password every 90 days. I just change one character and I forget sometimes what it was then hassle them to reset it.
I admit I reuse passwords. My passwords are stupidly complex but mnemonic, I can type them easily by muscle memory on a full keyboard but I can't type or mnemonically remember them easily on a smartphone's keyboard for the same account. Some websites can be lax, storing usernames and passwords in plain text, that's a valid concern.
I have different passwords for different tiers of whatever type of account they're associated with. I don't use the same credentials for my bank account and a public forum potentially running outdated and vulnerable software.
But it's gotten so complex I've printed them out, but just passwords. No sites, no usernames. Not remembering a password is just forgetting a special character in the wrong place.
Recent breaches have me changing my passwords on all levels. I had my Gmail linked to Quora for reasons I can't remember, my credit card and billing details were skimmed from an online retailer in plain text and they probably have the same e-mail (login) and PW I used skimmed as well in plain text. On sites that use your e-mail as the account name, I sure as hell don't use the same password to access the e-mail account itself. |
|
sestrada Premium Member join:2012-11-05 U.S.A. |
to HELLFIRE
Is that one of the sites that posts mortgage docs?
Reason I ask is it brings back memories when I refinanced
Bank sent me a login to download and electronically sign the docs from some third party site
Anything put in the password box let me in and the downloaded PDFs were secured with nothing more than RC4
What's in those refinance docs - everything
The usual PII + driver license photo, tax docs, paycheck stubs, bank statements with cancelled checks, utility bills, alimony, etc |
|