Campaign: Security and Authentication

Turn off password expiration for MyUSPTO.gov

Get rid of the expiration on passwords on MyUSPTO -- a good password that isn't reused across multiple platforms can be permanent.

 

Is this solving a genuine and identifiable problem? No. Is there any conceivable way that a bad guy could get into uspto.gov and, for example, expropriate money from one of the credit cards? NO!!! The only payee is the uspto! Nobody's going to hack into a MyUSPTO account when he/she can't take money out, and the only possibility is to give money to the PTO! Get real! Passwords have to be coordinated among all legal assistants -- the communication creates a bigger risk than any perceived risk that might be attenuated.

 

If banks don't use expiring passwords (when there's a real risk of stealing real money, and the bank is the party at risk), how can it make sense for expiring passwords on MyUSPTO?

 

Because of this dumb idea, I now have my MyUSPTO password on a sticky stuck to my computer -- a big breach of security. It's the ONLY password I need to do this with, because USPTO is the only organization that is simultaneously uninformed about actual security practices, and customer-unfriendly, enough to have expiring passwords.

 

Researchers have generally called into question the merit of password expiration. See: https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf and http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf

 

These papers are cited on an FTC web page titled “Time to rethink mandatory password changes” by a person having the title “Chief Technologist”. See: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes.

 

David Boundy

Voting

13 votes
13 up votes
0 down votes
Active
Idea No. 173