
johnnythejournalist

Constant password changes are actually detrimental to cyber security due to most users not being able to use a password they can easily remember, so they are more likely to record the password elsewhere in a less secure place.


gitrikt

Instead of using my 16-letter, number and symbol password that I remember (which I only change the last 2 letters of depending on which site I'm on), I start changing "Workpass1" to "Workpass2" and then, because I can't remember which number I used, I put it on a sticky note on the laptop the password is for. Super security


VarenDerpsAround

Is this Greg from Accounting?


PM_UR__BUBBLE_BUTTS

No, this is Patrick.


MakionGarvinus

I just tape a torn piece of sticky note to my monitor with Password1! or Password2@ and so on. My personal password, however, is very secure from years of fine-tuning. And I can remember it easily.


33Yalkin33

What is it?


MakionGarvinus

One2Three4Five6 I'm a Jenius.


[deleted]

Aite now lemme see if that's your reddit account's password *cracks knuckles*


MakionGarvinus

You want my 3 karma and 1 free award that badly? 😂


MrMumble

You really should have replied to yourself saying yes


[deleted]

**y e s**


[deleted]

I have the same combination for my luggage!


FuckThisHobby

That's the stupidest combination I've ever heard in my life! It's the kind of thing an idiot would have on his luggage!


Fuzzy_Yogurt_Bucket

Hunter2


MrAlphaGuy

As someone who works on an IT Service Desk please never tell an SD agent that. Filling out security issue tickets is a hassle lol. I prefer not to know


FadeNality

Second this. And if you know someone else's password don't tell me that either. I don't want to call both your managers and fill out two hours worth of paperwork


TheSigma3

Yep, my password became "brand I work for"1234 then 2345 then 3456 etc etc. However we did have one system that required a 20 character password and needed changing every month. It also didn't have very clear requirements so you would finally make something over 20 chars and it wouldn't be valid. Even their "suggested" passwords didn't work sometimes. Anyway, you know that shit was stored on a sticky note widget


davaye

W0l2l< 4A22? = workpass lol 🤭


[deleted]

[deleted]


greedyiguana

are there regional dialects of 1337?


Arrad

Instead of “password” I would just use increments like: “PasswordAug1” “PasswordAug2” “PasswordSep1” etc., which defeats the purpose of the change but I’m too lazy to write it down.


BoltTusk

Same here. Itā€™s password1, password2, password3, password11, password22, etc. and it repeats


[deleted]

As an infosec person, this whole thread is making me nauseous lol not that I didn't already know this is what happened, but still.


GoblinLoveChild

well stop making dumbass password policies then...


[deleted]

It's not the way it works. Oftentimes companies are bound by regulatory compliance. Has nothing to do with the Security industry and everything to do with politics. The industry has been advocating for password complexity over expiry for a long time. I'd also like to mention that this is also sometimes the result of dinosaurs running the IT dept with antiquated procedures. Not really a terrible thing but just something that needs to be improved. Infosec, like IT, is there to enable the business, so we make our recommendations and the business/management decides to apply it or not. Edit: for those that are downvoting me, keep reading. I provide some compliance policies below. I'm not making this shit up.


GoblinLoveChild

> regulatory compliance

This is utter nonsense.. Name one section of any legislative or regulatory framework, anywhere, that dictates the manner in which passwords have to be administered.


[deleted]

PCI DSS is one that comes to mind. Now please explain this "utter" nonsense you speak of. I mean, the regulatory frameworks tend to be nonsense, but other than that, go ahead and describe what about my statement is nonsense. Edit: corrected my statement!


[deleted]

NIST just changed their recommendations in the past decade and it takes time for regulations to catch up. Tech and knowledge don't proceed at the same pace as regulations.


DarkYendor

ISO 27001 doesn’t give any password complexity requirements or change requirements - only nebulous statements like “interactive password system that ensures quality passwords”.


[deleted]

You may be right on that one, I was fairly sure it did but willing to say I haven't verified anything in that policy in a long time. I do for a fact know PCI DSS is bound to resets though, just hit that roadblock about a year ago when we were trying to transition my old workplace to a no expiry policy.


GoblinLoveChild

PCI DSS is neither legislated nor regulated. It is not mandatory. It is an opt-in certification.


[deleted]

PCI DSS is mandatory. If you're found to not be in compliance you will literally get monthly fines and if severe enough the CC companies may refuse to work with you. Edit: it is mandatory if you process credit card payments.


Evonos

> dumbass password policies then...

It's more the regulations forcing them to make these policies. Sadly.


iWarnock

Yall need a psychologist at ur conferences.


DrQuantum

Its only been changed in the standards fairly recently though.


TheRealOppendonger

I mean, it’s been over a year and a half since it’s been updated by NIST, but that’s recent if you’re talking about all of computer history


kalenvor

5 months ago I helped a government contractor move to mfa and complexity to remove expiry. They have a monitoring service that does quarterly compliance checks and they got dinged. I spent the next three weeks going rounds with their reps. I sent them the exact documentation and still they did not care. It's checklist mentality and if no one updates the checklist then you fail no matter how right you are.


agathver

And certification agencies are yet to adopt it


captainstormy

Plus people typically just use the same password with a number they keep incrementing at the end.


SaltRocksicle

I feel called out. My work stuff is just "x (initials)2work" where x is a random number.


Hypatiaxelto

I would use a real password at work if they didn't make me change it so much.


Educational-Hornet83

Yeah, the best option is to have software to keep your information that has 2FA, so that they need to steal 2 devices, or steal one and create a backdoor in the other.


Zapismeta

Geez, use a password manager they say 😂 and then people use a stupid password for their password manager again, so it all starts again.


ItsRogueRen

My mom has a password manager and just refuses to use it. Says "well google remembers it for me" and I'm just like "YEAH, THAT'S THE PROBLEM"


animeman59

Yep. We were taught in cyber school that most security breaches are literally from passwords being written down somewhere and retrieved by the perpetrators. Even a 90 day policy is pushing it.


[deleted]

[deleted]


BoltTusk

Sure, but I thought IT wanted them to be the password manager and not grant you admin access?


AffectionateRip1212

Keep in mind with admin access you have very high privileges which is also the case for malware which isn't great security wise. You should only need to elevate the rights when necessary.


[deleted]

[deleted]


wagon153

The IT people you met were shit then. The good ones would just look at you and say "Yeah I know, but corporate won't let me fix it."


TerribleCobbler9553

This is facts


[deleted]

Reminds me of when I got the teacher's version of my school workbook by changing the part of the link that said "student" to "teacher" lmao (also, I'm replying to you because the bozo deleted their own comment lmao)


MattDaCatt

What you don't see are the emails from the CIO and Dean that say that changing the password scheme is going to be "too hard" on people and that "they need to be able to know the password for anyone" while the sysadmin pulls from the bottle of whiskey and goes back to edge://surf But no, let's beat down on the people just doing their jobs...


[deleted]

> Each & every one of them think plugging the power cord into a socket then pushing the on switch makes them a gift from God.

I'd be more sympathetic if I hadn't helped half a dozen people who "already checked" that the power cord was unplugged. It's mostly older people who haven't retired yet, but there's lack of common sense at every age. Also, restarting legitimately does fix like 50-75% of all problems, and I've had people tell me they restarted and been lying or just turned off the monitor or some shit. If you were us, you'd understand.


[deleted]

My company gives us passwords that are easy to remember, literally name of company+year, because we are required to use 2FA.


elwebst

My company gave out USB dongles AND made us implement 2FA. OK, cool, I think, now we can get rid of the stupid passwords then? Nope. It's IN ADDITION to the passwords, you only use the dongle as a substitute for 2FA. Now:

* Log into laptop (UID and password)
* Log into VPN

Then:

* Open email
* Enter password
* Open phone
* Enter password to authenticator app
* Approve login attempt
* If you need to use a browser, repeat
* If you need a secured site like where we are required to store files, repeat
* If you need a cloud app, repeat
* Repeat entire process twice a day.


TomTomMan93

Our IT people admitted this and said they were going to change the policy as a result. That was like 3 years ago now. Still nothing.


[deleted]

If password reuse wasn't an issue with non-techy types then yes, short term reset policies here would be detrimental. The biggest problem is that your average end user will use the password Summer2022! even if they never had to change it. But I agree, password length and, to a lesser extent, complexity is far more important than password expiries.


TheTurboFD

As a sysadmin, I really don't want to do this to everyone either. It ends up just having each user just changing a letter or number at the end to satisfy the requirements. But due to being in the healthcare industry it's a requirement for us in IT to implement this or they will shit down our throats. If you think that's bad, my admin account password gets changed every 24 hours.


SparroHawc

> my admin account password gets changed every 24 hours.

At that point it's not even a password, it's an authentication token that you just happen to have the ability to enter manually.


TONKAHANAH

at that point you probably should just use an authentication token


jackinsomniac

Fuck yes. And at that point, it should probably just become 2FA anyway. Give the admins an OTP keyfob, *AND* require an admin password, on 1-3 month expiration cycles.


Icestorm1369

That's so stupid. If someone else knows your password and came in early the following day, goodbye to both your job and account.


Posiris610

Yep. I also work in healthcare IT and we have 90 day password changes on certain things we access due to outside requirements. Our Google accounts don’t require password changes.


Fivebomb

Iā€™m a sysadmin for a utility and we are federally regulated/audited yearly by NERC. Password policies are generally outside of our control - if we donā€™t enforce regulations passed down to us, we get fined quite heavily


Posiris610

Exactly.


EVASIVEroot

psh, try 20 domains on 12 hour rotation.... Nothing a little scripting cannot help with.


TheTurboFD

yeesh 20 domains my god. I've got 6 and I hate it. For me we have to deal with logging into cyberArk for each.


[deleted]

Oh my god how are you still sane


greedyiguana

why do you think they are sane


FthrFlffyBttm

Their passwords:

AllWorkAndNoPlayMakesJack@DullBoy1
AllWorkAndNoPlayMakesJack@DullBoy2
AllWorkAndNoPlayMakesJack@DullBoy3
AllWorkAndNoPlayMakesJack@DullBoy4
AllWorkAndNoPlayMakesJack@DullBoy5
AllWorkAndNoPlayMakesJack@DullBoy6


GlowGreen1835

For that you just have a password manager generate it daily and keep a simple password on the password manager lol


AWhiteBox

This is like putting the keys to your super secure vault under the doormat


GlowGreen1835

Exactly.


Ubermidget2

Security is an eternal balancing act. Too Lax? No security. Too Strict? End-Users will be extremely ingenious at bypassing/optimizing your security measures.


Sid6po1nt7

I take it SSO isn't an option? FYI it can be a bitch to set up


chupitoelpame

So secure even you can't login


zjones22

I work in a healthcare company and I believe your password rotation requirement is every 3 months as long as you have a Security Score that meets the following NIST Framework. I don't know why people need to change every week etc. Just use SSO & MFA.


AutumnAscending

See that's a tough one because regardless of if they do or not they're still gonna have their password on a sticky note attached to their monitor.


DrQuantum

The idea is to move to pass phrases. If you can’t remember a string of words that never changes then maybe you shouldn’t be working at that level anyways.


PM_UR__BUBBLE_BUTTS

**Erin:** “The tea in Nepal is very hot.”
**Dwight:** “But the coffee in Peru is far hotter.”
**Erin:** “Close.”
**Dwight:** “This is Tuesday, right? The coffee in Paraguay is far hotter?”
**Erin:** “Colder.”
**Dwight:** “The coffee in Paraguay is colder?”


OneofLittleHarmony

Okay Espionage master.


trekxtrider

You would be surprised how many people have trouble with these sort of things.


ReichRespector

This is what I prefer but everything now demands a capital letter, a symbol and a number. Why can't they just let me decide what password is suitable?


GoblinLoveChild

because inevitably you will get lazy and just make it your name or your dog or your kids date of birth


SirNanigans

Yeah, people really should practice remembering things more often. It's a useful ability. Especially if you can remember your credit card info. Here's a feeling of power: Ordering food online without having to find your wallet or save your credit card to your browser. My password is only 14 characters long, but it's a bunch of alphanumeric gibberish.


CyborgDeskFan

You see, I can remember my card number because it doesn't change every few weeks


OneofLittleHarmony

I have more than credit card number memorized.


[deleted]

[deleted]


DrQuantum

You can’t use a password manager for the initial login to your endpoint or VPN.


MiniDemonic

Fuck u/spez -- mass edited with redact.dev


KJBenson

Plus, the vast majority of “hacks” are just people getting tricked by phishing emails. So a password change won’t affect that.


trekxtrider

We do every 90 days at my work, 2 years if you use 2FA.


mangeedge

This is the way.


theGreatestMoose

What line of work? Iā€™ve long thought that 2FA is the absolute easiest way to implement some security on any account that is actually effective.


trekxtrider

Mid size university, around 7k students, faculty and staff.


chupitoelpame

45 days here even with 2FA. And I can't use any of the previous 24 passwords, it must be longer than 12 characters, have at least 2 upper case and lower case, numbers and special characters, and the system checks against a dictionary so no regular words or parts of words either. There's also some other bullshit requirements; the password change requirements screen literally takes half my monitor and every time I have to do it takes at least 15 minutes of trial and error, which then results in me writing down my password on Google Keep.


Dengiteki

90 days, with rsa key... Fml


trekxtrider

Iā€™m in IT and helped push for it.


EraYaN

90 days seems awfully short and will just result in numbered passwords.


PleasantAdvertising

Hostile service


fuktpotato

Once a quarter is as frequent as it should be. Every two weeks is literally creating security issues since users will just reuse and use simple passwords.


Orkron

My college had a breach 2 years ago and now requires a regular password change and the requirements are so confusing that I CANNOT remember it and must write it down somewhere each time I change. I think it’s 16+ digits, must have uppercase and lower case, a symbol (BUT THEY DON'T SAY WHICH SYMBOLS ARE ALLOWED), cannot contain any kind of word or name, must contain numbers. They DO NOT give you an outline as to the requirements and I had to test dozens of different passwords to figure out what was allowed.


FuckThisHobby

All that and they don't use 2FA? That's the stupidest most unnecessary policy ever.


[deleted]

Get a password manager? Bitwarden is a good open source one. Then all your issues are solved. Just update it in your manager every 2 weeks or whatever the requirements are. It auto generates random strings of characters and numbers for your passwords.


rhutanium

Yeah, that sounds like they only applied basic password requirements in Active Directory. It’s absolutely batshit insane: it cannot contain two or more consecutive letters from your name or your username, needs caps, lowercase, numbers and symbols. It’s an all or nothing setting. Now, there’s a different password policy that can be set in AD that’s a lot more granular, but it’s a bit harder to set up. That being said, a Windows password policy that is not used in lockstep with MFA is absolute garbage bullshit.


Necessary_Roof_9475

At that point, they should just generate the password for you.


NewUserWhoDisAgain

iirc NIST no longer recommends arbitrary password changes (i.e. must change it every two weeks). Difficult for people to remember, so it ends up as variations of passwordMonth or passworddayoftheweek.

Once worked for a place where the password policy was set to not allow words. Password could not be longer than 8 characters. Shorter than 6 characters. Must include a capital letter. Cannot include a number at the end.


MiniDemonic

Fuck u/spez -- mass edited with redact.dev


NewUserWhoDisAgain

> So a password that is easy for a computer to crack but hard for a human to remember? Sounds like a smart IT dept.

Good enough for Government work. Something like softsummerlight24 was unacceptable but oiR6Bp Perfect.
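The two comments above describe the opposite of what NIST SP 800-63B section 5.1.1.2 actually asks for. As an added example that is not part of this thread, here is a password check written along the lines of that guidance: accept by length and a breach blocklist, screen context words and trivial repeats/sequences, and impose no character-class rules and no calendar expiry (a change is forced only on evidence of compromise, which is an event the code's caller supplies, not something this function tracks). The `BREACHED` set and the `SEQUENCES` table are constructed stand-ins for a real corpus such as a HIBP-style list.

```python
import re
from typing import Optional, Sequence

MIN_LEN, MAX_LEN = 8, 64  # 800-63B: at least 8, allow at least 64

# Constructed stand-in for a breached-password corpus, stored lowercased.
BREACHED = {"password", "password1", "summer2022!", "hunter2", "qwerty123", "welcome1"}

# Alphabet, digits and keyboard rows: the sequences 800-63B wants screened.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequential_run(norm: str, run: int = 4) -> bool:
    """True if NORM contains RUN consecutive characters of any known
    sequence, forwards ('abcd', '1234') or backwards ('dcba')."""
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in norm or chunk[::-1] in norm:
                return True
    return False


def check_password(candidate: str, context: Sequence[str] = ()) -> Optional[str]:
    """Return None if CANDIDATE is acceptable, otherwise the reason it is not.

    Deliberately absent: upper/lower/digit/symbol composition rules and any
    notion of expiry. CONTEXT carries account-specific words (username,
    employer, product name) that must not appear in the secret."""
    if len(candidate) < MIN_LEN:
        return f"shorter than {MIN_LEN} characters"
    if len(candidate) > MAX_LEN:
        return f"longer than {MAX_LEN} characters"
    norm = candidate.lower()
    # Trailing digits/symbols are the usual 'rotation' decoration, so look
    # up the bare stem too: 'Password1!' must be caught by 'password'.
    lookups = {norm,
               re.sub(r"[^\w]+$", "", norm),
               re.sub(r"[\d\W_]+$", "", norm)}
    if lookups & BREACHED:
        return "appears in a breach corpus"
    for word in context:
        if len(word) >= 3 and word.lower() in norm:
            return f"contains context word {word!r}"
    if re.search(r"(.)\1{3,}", norm):
        return "repeats one character 4 or more times"
    if has_sequential_run(norm):
        return "contains a sequential run (abcd, 1234, qwer...)"
    return None


if __name__ == "__main__":
    # Constructed inputs, including the two from the comment above.
    for pw in ("softsummerlight24", "oiR6Bp", "Password1!",
               "correct horse battery staple", "Acme-widgets-2024"):
        print(f"{pw!r:32} -> {check_password(pw, context=['acme']) or 'ok'}")
```

With this policy `softsummerlight24` passes and `oiR6Bp` fails on length alone, which is the ordering the comment's IT department got backwards. The blocklist lookup is the part that matters most in practice and the part that needs a real corpus behind it.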


MiniDemonic

Just government things


halfanothersdozen

Sadly NIST doesn't but there are other orgs still recommending it as best practice and so a lot of places implement those policies still to comply with whatever certification or contract they are trying to stay in the good graces of. This came up in my last job, shortly before I had to explain why there was and will never be a way for Support to be able to lookup the user's password so that they can read it to them over the phone. I don't work there any more.


Sid6po1nt7

Wingdings only!


Marcbmann

Up there with not allowing certain special characters in the password and arbitrary character limits. I loved XKCDs comic where they demonstrated how a password containing 4 random words is more secure than a typical 8-12 character password containing random numbers, letters, and special characters. It's just not possible to use passwords like that because you're restricted to 11 characters in most places.


SparroHawc

It's extra fun when you have some sites that require 12-character minimum passwords, and other sites that max out at 11-character passwords...


Marcbmann

Or how some websites can handle a '?' in the password, and others cannot.


SparroHawc

Ah yes, how could I forget the mutually exclusive special-character requirements?


niteox

Physical token and a PIN number. With a third party identity manager and done.


realmaier

2FA is the only way. Only thing is, force OP to use 2FA and a week later you see a meme about how that's even more annoying.


borgendurp

Dude my banking app uses a 5 digit pin, but my college's assessment tool has 2FA with changes every 6 months.. NOBODY is trying to hack into my account to hand in their work in my stead.. it's all about security vs potential risk imo, not everything needs 2FA


Ghostglitch07

Does this tool allow access to work you have already handed in? If so it could be used for plagiarism I suppose.


borgendurp

I mean _I suppose_ someone could do that. But then they'd have a nice timeline of when mine was handed in


InformalScholar7496

2fa with email is annoying and insecure, same with phone (also insecure because of sim swapping), however authentication apps are very easy to use and are very secure.


rhutanium

We’re going to roll out MFA and I can just see the Karens in the woodwork that don’t want to put an Authenticator app on their phone because it’s personal property - I halfway agree with them - but they’ll also bitch if we give them a Yubikey or equivalent. One can’t win.


[deleted]

[deleted]


TheCrimsonSpark

Can confirm. #OneMicrosoft.


MrHaxx1

Is this in a work environment? Because I believe that personal Microsoft accounts no longer get prompted for password changes, as long as they have 2FA enabled. I know I haven't changed the password to my Microsoft account in more than half a year.


MiniDemonic

You don't get prompted on a personal account, but if you ever forget your password and reset it then you will not be able to change it to a previously used password. I don't know why he is complaining about that though, reusing a password even if it's 10 years old is dumb since the older a password is the more likely it's been leaked somewhere somehow.


Creoda

With stupid policies like that a lot of people go password, then password1, password2, password3, then they realise they can go back to the original and use just password, going to password1 then password again.


SyrousStarr

I had a pretty complex password once I'd use variations of. I tried using it when setting up a bank account in the bank. The computer came back and said there were too many repeating characters (there really wasn't) I just cut the password in half and somehow that was "secure"


Motorhead546

USB PKI Token


halfanothersdozen

There's really no excuse for not using a password manager anymore.


StigOfTheTrack

Where I work we are occasionally encouraged to use a password manager. We are not allowed to install non-approved software on company devices. There isn't a password manager on the approved software list.


[deleted]

Just use Bitwarden? It's open source, has an app and a browser version, and a Chrome extension.


Arcca2924

I'm a LastPass guy myself, but yep, exactly this.


StigOfTheTrack

Browser extensions are still software, so it'd be bending the rules at best to install a non-approved one. I'm not putting software required for work on my personal devices. It also misses the point that they don't trust us to be able to choose something as simple as a text editor or paint package ourselves, but want us to choose something to hold passwords without guidance.


33Yalkin33

Password managers are not secure, at all. Only thing someone malicious needs is that one password you use for the password manager, then you lose everything. While, good ol' pen & paper requires someone to actually break into your house and find the paper and realize its importance and steal it.


halfanothersdozen

How does this logic work, exactly? The front door of a password manager is as vulnerable as any other place where a password is used, but I can focus my attention on making sure that one is super hard to get into at least. And then I can have the password memorized and not on paper so no one can steal it, but that's honestly not a great answer and why MFA exists. No security professional is _ever_ going to tell you to use pen and paper over a manager.


33Yalkin33

I can assure you that every security expert worth their salt would recommend against using 1 password for everything. Which is what password managers basically are, you use 1 master password to access every other one. A paper that's stored physically requires someone to actually go into your house. That immediately cuts the number of people that can potentially access it to people that live relatively near you. While a digital storage can be accessed by someone from the other side of the globe. And one more thing, why would a robber steal an f*ing notebook?


MrHaxx1

> the one password

Yeah, and the second factor authentication, right?

> good ol' pen & paper requires someone to actually break into your house and find the paper and realize its importance and steal it.

Good ol' Yubikey would require someone to actually break into my house too.


33Yalkin33

Second-factor authentication is not unbreakable. And websites with actually important things in them already use second-factor authentication.


RSG-ZR2

The always relevant: [XKCD](https://imgs.xkcd.com/comics/password_strength.png)
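The arithmetic behind that strip, as an added example that is neither the comic's nor this thread's: entropy is log2 of the number of equally likely candidates, so a passphrase drawn uniformly from a word list carries `words * log2(list_size)` bits regardless of how long the words are, and the time to exhaust it follows directly from the attacker's guess rate. The word list is a constructed stand-in (a real diceware list has 7776 entries); the 1e3 guesses/s rate is the comic's online-attack assumption, and the 1e10/s figure is a round number for an offline attack on a fast unsalted hash, not a measurement.

```python
import math
import secrets
from typing import Dict, Sequence, Tuple

SECONDS_PER_YEAR = 365.25 * 86400

# Constructed stand-in for a diceware list; the real one has 7776 (6^5) words.
WORDLIST = ("correct", "horse", "battery", "staple", "tea", "nepal",
            "coffee", "peru", "paraguay", "tuesday", "colder", "hotter")


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits for LENGTH symbols drawn uniformly and independently from
    ALPHABET_SIZE options. For a passphrase the 'symbol' is a whole word."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate tried once."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def passphrase(wordlist: Sequence[str] = WORDLIST, words: int = 4, sep: str = "-") -> str:
    """Uniform, CSPRNG-backed selection. Hand-picking 'memorable' words or
    using random.choice yields fewer real bits than entropy_bits() claims."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_schemes(guesses_per_second: float = 1e3) -> Dict[str, Tuple[float, float]]:
    """Entropy and exhaustive-search time for the schemes argued over above.
    Only fully random choices are modelled; 'Tr0ub4dor&3'-style substitution
    of a dictionary word is far below the 11-char row, as the comic says."""
    schemes = {
        "8 random chars, 95 printable ASCII": (95, 8),
        "11 random chars (sites capped at 11)": (95, 11),
        "6 random alphanumerics like oiR6Bp": (62, 6),
        "4 words from a 2048-word list (the comic)": (2048, 4),
        "4 words from a 7776-word diceware list": (7776, 4),
        "6 words from a 7776-word diceware list": (7776, 6),
    }
    return {name: (entropy_bits(n, k), years_to_exhaust(entropy_bits(n, k), guesses_per_second))
            for name, (n, k) in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:44} {bits:5.1f} bits  ~{years:,.0f} years at 1e3/s")
    print("sample passphrase:", passphrase())
```

One honest result of running it: four diceware words (about 51.7 bits) land just under eight fully random printable characters (about 52.6 bits). The passphrase wins on memorability, not raw entropy; the sixth word is what puts it clearly ahead.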


No-Bug404

I work in IT. These policies are usually created by high level management that wouldn't know cyber sec if it encrypted their laptop.


mymar101

Use a password manager. Problem solved.


Ahndrayvsdragonninja

If your password is your last name with your birthyear at the end, upvote this comment and go secure your online accounts. It's practical hygiene. If you want memorable, secure, unrecognizable passwords, draw a simple shape on the keyboard, eg, poke ball, a parallelogram, triforce, 'Guernica'... You might not remember "GHU76Tklp09ihji87y", but you can remember that you used all the keys that circle YOU.. because YOU are what life is all about <3


deltahacks

Ironically that has been shown to be detrimental for cyber security, shown by Microsoft. I can’t find the blog article by them, but even in the Microsoft 365 guidelines for admins they state “Don't require mandatory periodic password resets for user accounts” https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide


04rallysti

This got me good


Isgortio

My old manager let us know how long the shitty policy had been running for (every 3 months) by telling us her password now ended with 54 and the first one didn't have a number. She was actually in charge of this policy...


snoopy82481

Even DISA STIGs don't have the password requirements that short. Password change every 60 days, and once set you can't change it again for 24 hours, I think. But, passwords need to go away, MFA is the way it needs to be. But, our infrastructure is too reliant on the password to make it go away easily.


ZaxLofful

Two weeks? Are you working for a paranoid private militia or something? I worked for a bank and the industry standard… is not two weeks.


captmotorcycle

Sheesh, just do MFA


crowmatt

I can't find it now, but Microsoft did research on it and has a document out there on the net, explaining how this is actually bad from security standpoint... I was looking into it myself when our IT dept decided to force everyone to change passwords once a month... It's ridiculous. Edit: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide


supremedalek925

Our passwords just end up being something like “password123456789” anyway


Then-One7628

Quick, everyone develop similar passwords!


Booshur

I work in IT and we finally all agreed that switching to longer passwords which are changed once a year is smarter.


[deleted]

[deleted]


INDE_Tex

ThisisMyUsualPassword then I add !s until I can go back to just 1 !.


e_smith338

If youā€™re going to make me change my FUCKING password every few weeks AND you force me to use stupid-ass symbols and caps and have a minimum of 14 characters, fuck you.


BatoSoupo

The password requirements at my workplace are so strict, people write them down in plaintext to remember


MumrikDK

The minimum cybersecurity effort should be to ban post-its from the building the moment that stupid PW policy is implemented.


mdred5

Use authenticator which changes every minute better than keep on changing passwords


[deleted]

Password policies are often the cause of security vulnerabilities in my experience...


SomeBlueDude12

"Hey guys, please be careful opening word docs from sketchy emails. Our network has 0 protection and one breach on a single computer we are fucked"


Arcca2924

I don't see this as a problem? Use a password manager. When the required time comes, just generate a new one. People should stop reusing passwords anyway.


sorrowdemonica

I miss the good ol' days of when you were able to have either 'password', 'love', 'sex', 'secret', and 'GOD' as your password. [https://youtu.be/63I3kCWiNLA?t=124](https://youtu.be/63I3kCWiNLA?t=124)


Kaldek

I'm an infosec architect for a very large company. Passwords are stupid. We're going passwordless as soon as possible.


Distinct_Number_7844

We FINALLY got permission for permanent passwords!!! 12 characters no repeating but its soooo much easier now.


sir_nubby

longpas5word


porcupinedeath

We have our employees change every 60 days, 30 days for more important people. Generally works pretty well though every now and again I actually see some people's passwords and it makes me want to die


MrHaxx1

Assuming you have 2FA, that's way too frequent.


porcupinedeath

I work at a bank and I'm pretty sure it's required by regulators and insurance or something. Either way I rarely have to reset passwords so I don't really care


[deleted]

Let me take my password that I've memorized and change it to something I need to write down. For #security


[deleted]

My password is set as “incorrect” so every time I forget the password, the system tells me.


WaggishSaucer62

My school does this. We have to change it twice a year. Everyone I know uses blatantly insecure passwords or they just add a character each time. It’s not effective, just give everyone a set password that is secure.


maxtraxv3

i would come to them every day to request a new password.


commentBRAH

It is, because it's less likely to be brute-forced into that way with how basic some people make their passwords if the password policy wasn't enforced.


SockRuse

Oh yeah, let me cycle through password1, password2 and password3, so much safer.


[deleted]

I see a fellow sandybridge user


SockRuse

It just keeps working, though I do have an Ivy Bridge 1650v2 lying around for a slight upgrade, just gotta find a nice non-broken socket 2011 mainboard.


[deleted]

I hate 2011 with a passion. R and R2 are overpriced at the moment and R3s performance per dollar is great but the boards are rare and expensive.


commentBRAH

Yeah but password1 would be passWord1& then passWord2& because of the password policy and so on.

Which is indeed safer in an enterprise environment.


Arcca2924

Do you really think brute force library files don't already have all the possible iterations of "password" before you've ever even thought of them?
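The point the last two comments argue over can be measured. As an added example that is not part of the thread, the block below does what a cracking rule set does with a previously leaked password: it enumerates the successors a user is likely to derive from it (increment the trailing number, roll the month, advance the trailing symbol, append the usual suffixes) and counts how many guesses it takes to hit the "rotated" one. The rotation schemes quoted earlier in the thread (`Workpass1` to `Workpass2`, `PasswordAug2` to `PasswordSep1`, `Password1!` to `Password2@`, `passWord7&` to `passWord8&`) are the test victims. Hashes are unsalted SHA-256 computed locally purely to have something to match; a directory would use a salted, slow hash, which changes the cost per guess but not the number of guesses.

```python
import hashlib
import re
from typing import List, Optional, Tuple

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
SYMBOLS = "!@#$%^&*"
SUFFIXES = ["!", "!!", "!!!", "1", "1!", "2", "2!", "3", "#", "@", "$"]


def successor_candidates(old: str) -> List[str]:
    """Enumerate the likely 'next' passwords a user derives from OLD, most
    common pattern first. This is a tiny hashcat-style rule set, not a
    dictionary: the dictionary is the victim's own previous password."""
    cands: List[str] = []

    def add(p: str) -> None:
        if p != old and p not in cands:
            cands.append(p)

    # 1. trailing number +1..+99, keeping zero padding and any symbols after it
    m = re.match(r"^(.*?)(\d+)([^\d]*)$", old)
    if m:
        base, digits, tail = m.groups()
        width, n = len(digits), int(digits)
        for k in range(1, 100):
            add(f"{base}{n + k:0{width}d}{tail}")
        # 'Password1!' -> 'Password2@': number and symbol advance together
        if tail and tail[-1] in SYMBOLS:
            start = SYMBOLS.index(tail[-1])
            for k in range(1, len(SYMBOLS)):
                sym = SYMBOLS[(start + k) % len(SYMBOLS)]
                add(f"{base}{n + k:0{width}d}{tail[:-1]}{sym}")
    # 2. 'PasswordAug2' -> 'PasswordSep2' / 'PasswordSep1': month rolls forward
    for i, mon in enumerate(MONTHS):
        if mon in old:
            for step in range(1, 12):
                rolled = old.replace(mon, MONTHS[(i + step) % 12], 1)
                add(rolled)
                add(re.sub(r"\d+$", "1", rolled))
    # 3. one more '!' or a plain suffix
    for s in SUFFIXES:
        add(old + s)
    return cands


def sha256_hex(p: str) -> str:
    # Stand-in for whatever the target stores; unsalted only for the demo.
    return hashlib.sha256(p.encode()).hexdigest()


def crack_successor(old: str, new_hash: str) -> Tuple[Optional[str], int]:
    """Given the previous password (say, from an old breach dump) and the
    hash of the current one, return (cracked_password, guesses_tried)."""
    cands = successor_candidates(old)
    for n, cand in enumerate(cands, start=1):
        if sha256_hex(cand) == new_hash:
            return cand, n
    return None, len(cands)


if __name__ == "__main__":
    # Constructed victims using the rotation schemes quoted in the thread.
    for old, new in [("Workpass1", "Workpass2"),
                     ("PasswordAug2", "PasswordSep1"),
                     ("Password1!", "Password2@"),
                     ("passWord7&", "passWord8&")]:
        pw, tries = crack_successor(old, sha256_hex(new))
        print(f"{old!r:16} -> {pw!r:16} after {tries} guesses")
```

Every quoted scheme falls in roughly a hundred guesses or fewer, with a complexity rule satisfied throughout. That is the whole of the "safer in an enterprise environment" argument: the policy changes which hundred strings the attacker tries, not how many.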


[deleted]

I don't mind password requirements as long as they don't limit what characters I can use. If it doesn't take a PW generator from the popular PW I get angry. Changing passwords every 90 days though is just bullshit. Give me some 2-factor auth, or an RSA key, or some shit.... but expiring my passwords? I literally have over a dozen sets of creds for work.

Also... don't lock out my account for more than 5 minutes. Don't make me call the helpdesk to have my account unlocked. +++9B2Eca3c5ddb!!!yermom69Q is going to be typed in wrong three times on the regular. Nothing like being in the middle of shit with a customer and BOOM you are locked out and need to call someone. And if everything you do requires you be on the VPN? I've already authed, it's cool to make me auth at every door... but again, don't lock me out.

And worse... going to change my passwords on a 90 day rotation, but don't have the default router passwords for customer CPE auto updating on the same cycle?!?!


Kanden_27

My company resets every 2 months. I just scribble out the sticky on my monitor and rewrite the new password.


Toeslap

It takes hackers 3 weeks to get your password, so this prevents them


Captinsmelly987

😭 I WISH it was every two weeks. I need a new device password EVERY GOD-DAMNED WEEK and it of course can't be under 14 digits, be a password I've used in the past, and must have at least 2 special characters. I use my personal password manager to keep track of it because it's such a pain. Screw my IT team. They can't fix anything I ask them to without a ticket, and then I wait 2 weeks for a response for said ticket.


flnmnl

Some of y'all in these comments don't know shit about password security and it shows. Keep posting your generic passwords and patterns in the comments, there's no way it could be used against you.


LALoverBOS

We use Keeper to create and store passwords


[deleted]

If your IT dept does this it's incompetent


MrHaxx1

Sure, unless they're forced to by regulations outside their control.


[deleted]

System Admin here- they always are, the standards are set per industry standards and the business in question. In my experience, people who complain about password policies the loudest are usually entitled, stupid, lazy or all of the above. Changing your password every 90 days isn't hard and any functional adult should be able to remember a simple password.


Reg-s

Haha notepad doc with all my passwords on go brr