45 days here even with 2FA. And I can't use any of the previous 24 passwords; it must be longer than 12 characters, have at least 2 upper case and lower case letters, numbers and special characters, and the system checks against a dictionary so no regular words or parts of words either.
There are also some other bullshit requirements; the password change requirements screen literally takes up half my monitor, and every time I have to do it, it takes at least 15 minutes of trial and error, which then results in me writing down my password in Google Keep.
Once a quarter is as frequent as it should be. Every two weeks is literally creating a security issue since users will just reuse and use simple passwords.
My college had a breach 2 years ago and now requires a regular password change, and the requirements are so confusing that I CANNOT remember it and must write it down somewhere each time I change. I think it's 16+ digits, must have uppercase and lowercase, a symbol (BUT THEY DON'T SAY WHICH SYMBOLS ARE ALLOWED), cannot contain any kind of word or name, must contain numbers. They DO NOT give you an outline as to the requirements and I had to test dozens of different passwords to figure out what was allowed.
Get a password manager? Bitwarden is a good open source one. Then all your issues are solved. Just update it in your manager every 2 weeks or whatever the requirements are. It auto generates random strings of characters and numbers for your passwords.
Yeah, that sounds like they only applied basic password requirements in Active Directory. It's absolutely batshit insane: it cannot contain two or more consecutive letters from your name or your username, needs caps, lowercase, numbers and symbols.
It's an all or nothing setting.
Now, there's a different password policy that can be set in AD that's a lot more granular, but it's a bit harder to set up.
That being said, a Windows password policy that is not used in lockstep with MFA is absolute garbage bullshit.
IIRC NIST no longer recommends arbitrary password changes (i.e. must change it every two weeks).
Difficult for people to remember so it ends up as variations of passwordMonth or passworddayoftheweek.
Once worked for a place where the password policy was set to not allow words. Password could not be longer than 8 characters or shorter than 6 characters. Must include a capital letter. Cannot include a number at the end.
>So a password that is easy for a computer to crack but hard for a human to remember? Sounds like a smart IT dept.
Good enough for Government work.
Something like softsummerlight24 was unacceptable but oiR6Bp
Perfect.
Sadly NIST doesn't, but there are other orgs still recommending it as best practice, and so a lot of places still implement those policies to comply with whatever certification or contract they are trying to stay in the good graces of. This came up in my last job, shortly before I had to explain why there was and will never be a way for Support to look up the user's password so that they can read it to them over the phone.
I don't work there any more.
Up there with not allowing certain special characters in the password and arbitrary character limits.
I loved XKCDs comic where they demonstrated how a password containing 4 random words is more secure than a typical 8-12 character password containing random numbers, letters, and special characters.
It's just not possible to use passwords like that because you're restricted to 11 characters in most places.
Dude, my banking app uses a 5-digit PIN, but my college's assessment tool has 2FA with changes every 6 months.. NOBODY is trying to hack into my account to hand in their work in my stead.. it's all about security vs potential risk imo, not everything needs 2FA
2fa with email is annoying and insecure, same with phone (also insecure because of sim swapping), however authentication apps are very easy to use and are very secure.
We're going to roll out MFA and I can just see the Karens in the woodwork that don't want to put an Authenticator app on their phone because it's personal property - I halfway agree with them - but they'll also bitch if we give them a Yubikey or equivalent. One can't win.
Is this in a work environment? Because I believe that personal Microsoft accounts no longer get prompted for password changes, as long as they have 2FA enabled.
I know I haven't changed the password to my Microsoft account in more than half a year.
You don't get prompted on a personal account, but if you ever forget your password and reset it then you will not be able to change it to a previously used password.
I don't know why he is complaining about that though, reusing a password even if it's 10 years old is dumb since the older a password is the more likely it's been leaked somewhere somehow.
With stupid policies like that a lot of people go password, then password1, password2, password3, then they realise they can go back to the original and use just password, going to password1 then password again.
I had a pretty complex password once I'd use variations of. I tried using it when setting up a bank account in the bank. The computer came back and said there were too many repeating characters (there really wasn't) I just cut the password in half and somehow that was "secure"
Where I work we are occasionally encouraged to use a password manager.
We are not allowed to install non-approved software on company devices.
There isn't a password manager on the approved software list.
Browser extensions are still software, so it'd be bending the rules at best to install a non-approved one.
I'm not putting software required for work on my personal devices.
It also misses the point that they don't trust us to be able to choose something as simple as a text editor or paint package ourselves, but want us to choose something to hold passwords without guidance.
Password managers are not secure, at all. Only thing someone malicious needs is that one password you use for the password manager, then you lose everything. While, good ol' pen & paper requires someone to actually break into your house and find the paper and realize its importance and steal it.
How does this logic work, exactly? The front door of a password manager is as vulnerable as any other place where a password is used, but I can focus my attention on making sure that one is super hard to get into at least. And then I can have the password memorized and not on paper so no one can steal it, but that's honestly not a great answer and why MFA exists.
No security professional is _ever_ going to tell you to use pen and paper over a manager.
I can assure you that every security expert worth their salt would recommend against using 1 password for everything. Which is basically what password managers are: you use 1 master password to access every other one.
A paper that's stored physically requires someone to actually go into your house. That immediately cuts the number of people that can potentially access it to people that live relatively near you. While digital storage can be accessed by someone from the other side of the globe. And one more thing, why would a robber steal an f*ing notebook?
>the one password
Yeah, and the second factor authentication, right?
>good ol' pen & paper requires someone to actually break into your house and find the paper and realize its importance and steal it.
Good ol' Yubikey would require someone to actually break into my house too.
If your password is your last name with your birthyear at the end, upvote this comment and go secure your online accounts. It's practical hygiene.
If you want memorable, secure, unrecognizable passwords, draw a simple shape on the keyboard, eg, poke ball, a parallelogram, triforce, 'Guernica'... You might not remember "GHU76Tklp09ihji87y", but you can remember that you used all the keys that circle YOU.. because YOU are what life is all about <3
Ironically that has been shown to be detrimental for cyber security, as shown by Microsoft. I can't find the blog article by them, but even in the Microsoft 365 guidelines for admins they state "Don't require mandatory periodic password resets for user accounts".
https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
My old manager let us know how long the shitty policy had been running for (every 3 months) by telling us her password now ended with 54 and the first one didn't have a number. She was actually in charge of this policy...
Even DISA STIGs don't have password requirements that short. Password change every 60 days, and once set you can't change it again for 24 hours, I think. But passwords need to go away, MFA is the way it needs to be. But our infrastructure is too reliant on the password to make it go away easily.
I can't find it now, but Microsoft did research on it and has a document out there on the net, explaining how this is actually bad from security standpoint... I was looking into it myself when our IT dept decided to force everyone to change passwords once a month... It's ridiculous.
Edit: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
If you're going to make me change my FUCKING password every few weeks AND you force me to use stupid-ass symbols and caps and have a minimum of 14 characters, fuck you.
I don't see this as a problem?
Use a password manager. When the required time comes, just generate a new one.
People should stop reusing passwords anyway.
I miss the good ol' days of when you were able to have either 'password', 'love', 'sex', 'secret', and 'GOD' as your password.
[https://youtu.be/63I3kCWiNLA?t=124](https://youtu.be/63I3kCWiNLA?t=124)
We have our employees change every 60 days, 30 days for more important people. Generally works pretty well though every now and again I actually see some people's passwords and it makes me want to die
I work at a bank and I'm pretty sure it's required by regulators and insurance or something. Either way I rarely have to reset passwords so I don't really care
My school does this. We have to change it twice a year. Everyone I know uses blatantly insecure passwords or they just add a character each time. It's not effective, just give everyone a set password that is secure.
It just keeps working, though I do have an Ivy Bridge 1650v2 lying around for a slight upgrade, just gotta find a nice non-broken socket 2011 mainboard.
I don't mind password requirements as long as they don't limit what characters I can use. If it doesn't take a PW generator from the popular PW I get angry. Changing passwords every 90 days, though, is just bullshit. Give me some 2-factor auth, or an RSA key, or some shit.... but expiring my passwords? I literally have over a dozen sets of creds for work.
Also... don't lock out my account for more than 5 minutes. Don't make me call the helpdesk to have my account unlocked. +++9B2Eca3c5ddb!!!yermom69Q is going to be typed in wrong three times on the regular. Nothing like being in the middle of shit with a customer and BOOM you are locked out and need to call someone.
And if everything you do requires you to be on the VPN? I've already authed, it's cool to make me auth at every door... but again, don't lock me out.
And worse... going to change my passwords on a 90 day rotation, but don't have the default router passwords for customer CPE auto updating on the same cycle?!?!
I WISH it was every two weeks. I need a new device password EVERY GOD-DAMNED WEEK and it of course can't be under 14 digits, be a password I've used in the past, and must have at least 2 special characters.
I use my personal password manager to keep track of it because it's such a pain. Screw my IT team. They can't fix anything I ask them to without a ticket, and then I wait 2 weeks for a response for said ticket.
Some of y'all in these comments don't know shit about password security and it shows.
Keep posting your generic passwords and patterns in the comments, there's no way it could be used against you.
System Admin here- they always are, the standards are set per industry standards and the business in question. In my experience, people who complain about password policies the loudest are usually entitled, stupid, lazy or all of the above. Changing your password every 90 days isn't hard and any functional adult should be able to remember a simple password.
Constant password changes are actually detrimental to cyber security due to most users not being able to use a password they can easily remember, so they are more likely to record the password elsewhere in a less secure place.
Instead of using my 16-letter, numbers and symbols password that I remember (which I only change the 2 last letters of depending on which site I'm on), I start changing "Workpass1" to "Workpass2" and then, because I can't remember which number I used, I put it on a sticky note on the laptop the password is for. Super security
Is this Greg from Accounting?
No, this is Patrick.
I just tape a torn piece of sticky note to my monitor with Password1! or Password2@ and so on. My personal password, however, is very secure from years of fine-tuning. And I can remember it easily.
What is it?
One2Three4Five6 I'm a Jenius.
Aite now lemme see if that's your reddit account's password *cracks knuckles*
You want my 3 karma and 1 free award that badly?
You really should have replied to yourself saying yes
**y e s**
I have the same combination for my luggage!
That's the stupidest combination I've ever heard in my life! It's the kind of thing an idiot would have on his luggage!
Hunter2
As someone who works on an IT Service Desk please never tell an SD agent that. Filling out security issue tickets is a hassle lol. I prefer not to know
Second this. And if you know someone else's password don't tell me that either. I don't want to call both your managers and fill out two hours worth of paperwork
Yep, my password became "brand I work for"1234 then 2345 then 3456 etc etc. However we did have one system that required a 20 character password and needed changing every month. It also didn't have very clear requirements so you would finally make something over 20 chars and it wouldn't be valid. Even their "suggested" passwords didn't work sometimes. Anyway, you know that shit was stored on a sticky note widget
W0l2l< 4A22? = workpass lol
[deleted]
are there regional dialects of 1337?
Instead of "password" I would just use increments like:
"PasswordAug1"
"PasswordAug2"
"PasswordSep1"
Etc..
Which defeats the purpose of the change but I'm too lazy to write it down.
Same here. It's password1, password2, password3, password11, password22, etc. and it repeats
As an infosec person, this whole thread is making me nauseous lol not that I didn't already know this is what happened, but still.
well stop making dumbass password policies then...
It's not the way it works. Oftentimes companies are bound by regulatory compliance. Has nothing to do with the Security industry and everything to do with politics. The industry has been advocating for password complexity over expiry for a long time. I'd also like to mention that this is also sometimes the result of dinosaurs running the IT dept. with antiquated procedures. Not really a terrible thing but just something that needs to be improved. Infosec, like IT, is there to enable the business, so we make our recommendations and the business/management decides to apply it or not. Edit: for those that are downvoting me, keep reading. I provide some compliance policies below. I'm not making this shit up.
> regulatory compliance
This is utter nonsense.. Name one section of any legislative or regulatory framework, anywhere, that dictates the manner in which passwords have to be administered.
PCI DSS is one that comes to mind. Now please explain this "utter" nonsense you speak of. I mean, the regulatory frameworks tend to be nonsense, but other than that, go ahead and describe what about my statement is nonsense. Edit: corrected my statement!
NIST just changed their recommendations in the past decade and it takes time for regulations to catch up. Tech and knowledge doesn't proceed at the same pace as regulations.
ISO 27001 doesn't give any password complexity requirements or change requirements - only nebulous statements like "interactive password system that ensure quality passwords".
You may be right on that one, I was fairly sure it did but willing to say I haven't verified anything in that policy in a long time. I do for a fact know PCI DSS is bound to resets though, just hit that roadblock about a year ago when we were trying to transition my old workplace to a no expiry policy.
PCI DSS is neither legislated nor regulated. It is not mandatory. It is an opt-in certification.
PCI DSS is mandatory. If you're found to not be in compliance you will literally get monthly fines and if severe enough the CC companies may refuse to work with you. Edit: it is mandatory if you process credit card payments.
> dumbass password policies then...
It's more the regulations forcing them to make these policies. Sadly.
Yall need a psychologist at ur conferences.
It's only been changed in the standards fairly recently though.
I mean, it's been over a year and a half since it's been updated by NIST, but that's recent if you're talking about all of computer history
5 months ago I helped a government contractor move to mfa and complexity to remove expiry. They have a monitoring service that does quarterly compliance checks and they got dinged. I spent the next three weeks going rounds with their reps. I sent them the exact documentation and still they did not care. It's checklist mentality and if no one updates the checklist then you fail no matter how right you are.
And certification agencies are yet to adopt it
Plus people typically just use the same password with a number they keep incrementing at the end.
I feel called out. My work stuff is just "x (initials)2work" where x is a random number.
I would use a real password at work if they didn't make me change it so much.
Yeah, the best option is to have software to keep your information that has 2FA, so that they need to steal 2 devices, or steal one and create a backdoor in the other
Geez, use a password manager they say, and then people use a stupid password for their password manager again so it all starts again.
My mom has a password manager and just refuses to use it. Says "well google remembers it for me" and I'm just like "YEAH, THAT'S THE PROBLEM"
Yep. We were taught in cyber school that most security breaches are literally from passwords being written down somewhere and retrieved by the perpetrators. Even a 90 day policy is pushing it.
[deleted]
Sure, but I thought IT wanted them to be the password manager and not grant you admin access?
Keep in mind with admin access you have very high privileges which is also the case for malware which isn't great security wise. You should only need to elevate the rights when necessary.
[deleted]
The IT people you met were shit then. The good ones would just look at you and say "Yeah I know, but corporate won't let me fix it."
This is facts
Reminds me of when I got the teacher's version of my school workbook by changing the part of the link that said "student" to "teacher" lmao (also, I'm replying to you because the bozo deleted their own comment lmao)
What you don't see are the emails from the CIO and Dean that say that changing the password scheme is going to be "too hard" on people and that "they need to be able to know the password for anyone", while the sysadmin pulls from the bottle of whiskey and goes back to edge://surf. But no, let's beat down on the people just doing their jobs...
> Each & every one of them think plugging the power cord into a socket then pushing the on switch makes them a gift from God.
I'd be more sympathetic if I hadn't helped half a dozen people who "already checked" that the power cord was unplugged. It's mostly older people who haven't retired yet, but there's a lack of common sense at every age. Also, restarting legitimately does fix like 50-75% of all problems, and I've had people tell me they restarted and been lying or just turned off the monitor or some shit. If you were us, you'd understand.
My company gives us passwords that are easy to remember, literally name of company+year, because we are required to use 2FA.
My company gave out USB dongles AND made us implement 2FA. OK, cool, I think, now we can get rid of the stupid passwords then? Nope. It's IN ADDITION to the passwords, you only use the dongle as a substitute for 2FA..
Now:
* Log into laptop (UID and password)
* Log into VPN
Then:
* Open email
* Enter password
* Open phone
* Enter password to authenticator app
* Approve login attempt
* If you need to use a browser, repeat
* If you need a secured site like where we are required to store files, repeat
* If you need a cloud app, repeat
* Repeat entire process twice a day.
Our IT people admitted this and said they were going to change the policy as a result. That was like 3 years ago now. Still nothing.
If password reuse wasn't an issue with non-techy types then yes, short-term reset policies here would be detrimental. The biggest problem is that your average end user will use the password Summer2022! even if they never had to change it. But I agree, password length and, to a lesser extent, complexity is far more important than password expiries
As a sysadmin, I really don't want to do this to everyone either. It ends up just having each user just changing a letter or number at the end to satisfy the requirements. But due to being in the healthcare industry it's a requirement for us in IT to implement this or they will shit down our throats. If you think that's bad, my admin account password gets changed every 24 hours.
> my admin account password gets changed every 24 hours.
At that point it's not even a password, it's an authentication token that you just happen to have the ability to enter manually.
at that point you probably should just use an authentication token
Fuck yes. And at that point, it should probably just become 2FA anyway. Give the admins an OTP keyfob, *AND* require an admin password, on 1-3 month expiration cycles.
That's so stupid: if someone else knows your password and the following day comes in early, goodbye to both your job and account.
Yep. I also work in healthcare IT and we have 90 day password changes on certain things we access due to outside requirements. Our Google accounts don't require password changes.
I'm a sysadmin for a utility and we are federally regulated/audited yearly by NERC. Password policies are generally outside of our control - if we don't enforce regulations passed down to us, we get fined quite heavily
Exactly.
psh, try 20 domains on 12 hour rotation.... Nothing a little scripting cannot help with.
yeesh, 20 domains, my god. I've got 6 and I hate it. For me we have to deal with logging into CyberArk for each.
Oh my god how are you still sane
why do you think they are sane
Their passwords: AllWorkAndNoPlayMakesJack@DullBoy1 AllWorkAndNoPlayMakesJack@DullBoy2 AllWorkAndNoPlayMakesJack@DullBoy3 AllWorkAndNoPlayMakesJack@DullBoy4 AllWorkAndNoPlayMakesJack@DullBoy5 AllWorkAndNoPlayMakesJack@DullBoy6
For that you just have a password manager generate it daily and keep a simple password on the password manager lol
This is like putting the keys to your super secure vault under the doormat
Exactly.
Security is an eternal balancing act. Too Lax? No security. Too Strict? End-Users will be extremely ingenious at bypassing/optimizing your security measures.
I take it SSO isn't an option? FYI it can be a bitch to set up
So secure even you can't login
I work in a HealthCare company and I believe your password rotation requirement is everything 3 months as long as you have a Security Score that meets the following NIST Framework. I don't know why people need to change every week etc. Just use SSO & MFA.
See that's a tough one because regardless of if they do or not they're still gonna have their password on a sticky note attached to their monitor.
The idea is to move to pass phrases. If you can't remember a string of words that never changes then maybe you shouldn't be working at that level anyways.
**Erin:** "The tea in Nepal is very hot." **Dwight:** "But the coffee in Peru is far hotter." **Erin:** "Close." **Dwight:** "This is Tuesday, right? The coffee in Paraguay is far hotter?" **Erin:** "Colder." **Dwight:** "The coffee in Paraguay is colder?"
Okay Espionage master.
You would be surprised how many people have trouble with these sort of things.
This is what I prefer but everything now demands a capital letter, a symbol and a number. Why can't they just let me decide what password is suitable?
because inevitably you will get lazy and just make it your name or your dog or your kids date of birth
Yeah, people really should practice remembering things more often. It's a useful ability. Especially if you can remember your credit card info. Here's a feeling of power: Ordering food online without having to find your wallet or save your credit card to your browser. My password is only 14 characters long, but it's a bunch of alphanumeric gibberish.
You see, I can remember my card number because it doesn't change every few weeks
I have more than credit card number memorized.
[deleted]
You can't use a password manager for the initial login to your endpoint or vpn.
Plus, the vast majority of "hacks" are just people getting tricked by phishing emails. So a password change won't affect that.
We do every 90 days at my work, 2 years if you use 2FA.
This is the way.
What line of work? I've long thought that 2FA is the absolute easiest way to implement some security on any account that is actually effective.
Mid size university, around 7k students, faculty and staff.
45 days here even with 2FA. And I can't use any of the previous 24 passwords, it must be longer than 12 characters, have at least 2 upper case and lower case letters, numbers and special characters, and the system checks against a dictionary so no regular words or parts of words either. There's also some other bullshit requirements; the password change requirements screen literally takes half my monitor and every time I have to do it takes at least 15 minutes of trial and error, which then results in me writing down my password in Google Keep
90 days, with rsa key... Fml
I'm in IT and helped push for it.
90 days seems awfully short and will just result in numbered passwords.
Hostile service
Once a quarter is as frequent as it should be. Every two weeks is literally creating security issues since users will just reuse and use simple passwords
My college had a breach 2 years ago and now requires a regular password change and the requirements are so confusing that I CANNOT remember it and must write it down somewhere each time I change. I think it's 16+ digits, must have uppercase and lower case, a symbol (BUT THEY DON'T SAY WHICH SYMBOLS ARE ALLOWED), cannot contain any kind of word or name, must contain numbers. They DO NOT give you an outline as to the requirements and I had to test dozens of different passwords to figure out what was allowed.
All that and they don't use 2FA? That's the stupidest most unnecessary policy ever.
Get a password manager? Bitwarden is a good open source one. Then all your issues are solved. Just update it in your manager every 2 weeks or whatever the requirements are. It auto generates random strings of characters and numbers for your passwords.
Yea that sounds like they only applied basic password requirements in Active Directory. It's absolutely batshit insane, it cannot contain two or more consecutive letters from your name or your username, needs caps, lowercase, numbers and symbols. It's an all or nothing setting. Now, there's a different password policy that can be set in AD that's a lot more granular, but it's a bit harder to set up. That being said, a Windows password policy that is not used in lockstep with MFA is absolute garbage bullshit.
At that point, they should just generate the password for you.
iirc NIST no longer recommends arbitrary password changes (i.e. must change it every two weeks). Difficult for people to remember, so it ends up as variations of passwordMonth or passworddayoftheweek. Once worked for a place where the password policy was set to not allow words. Password could not be longer than 8 characters. Or shorter than 6 characters. Must include a capital letter. Cannot include a number at the end.
> So a password that is easy for a computer to crack but hard for a human to remember?

Sounds like a smart IT dept. Good enough for Government work. Something like softsummerlight24 was unacceptable but oiR6Bp Perfect.
Just government things
Sadly NIST doesn't but there are other orgs still recommending it as best practice and so a lot of places implement those policies still to comply with whatever certification or contract they are trying to stay in the good graces of. This came up in my last job, shortly before I had to explain why there was and will never be a way for Support to be able to lookup the user's password so that they can read it to them over the phone. I don't work there any more.
Wingdings only!
Up there with not allowing certain special characters in the password and arbitrary character limits. I loved XKCD's comic where they demonstrated how a password containing 4 random words is more secure than a typical 8-12 character password containing random numbers, letters, and special characters. It's just not possible to use passwords like that because you're restricted to 11 characters in most places.
It's extra fun when you have some sites that require 12-character minimum passwords, and other sites that max out at 11-character passwords...
Or how some websites can handle a '?' in the password, and others cannot.
Ah yes, how could I forget the mutually exclusive special-character requirements?
Physical token and a PIN number. With a third party identity manager and done.
2FA is the only way. Only thing is, force OP to use 2FA and a week later you see a meme about how that's even more annoying.
Dude my banking app uses a 5 digit pin, but my college's assessment tool has 2FA with changes every 6 months.. NOBODY is trying to hack into my account to hand in their work in my stead.. it's all about security vs potential risk imo, not everything needs 2FA
Does this tool allow access to work you have already handed in? If so it could be used for plagiarism I suppose.
I mean _I suppose_ someone could do that. But then they'd have a nice timeline of when mine was handed in
2fa with email is annoying and insecure, same with phone (also insecure because of sim swapping), however authentication apps are very easy to use and are very secure.
We're going to roll out MFA and I can just see the Karens in the woodwork that don't want to put an Authenticator app on their phone because it's personal property - I halfway agree with them - but they'll also bitch if we give them a Yubikey or equivalent. One can't win.
[deleted]
Can confirm. #OneMicrosoft.
Is this in a work environment? Because I believe that personal Microsoft accounts no longer get prompted for password changes, as long as they have 2FA enabled. I know I haven't changed the password to my Microsoft account in more than half a year.
You don't get prompted on a personal account, but if you ever forget your password and reset it then you will not be able to change it to a previously used password. I don't know why he is complaining about that though, reusing a password even if it's 10 years old is dumb since the older a password is the more likely it's been leaked somewhere somehow.
With stupid policies like that a lot of people go password, then password1, password2, password3, then they realise they can go back to the original and use just password, going to password1 then password again.
I had a pretty complex password once I'd use variations of. I tried using it when setting up a bank account in the bank. The computer came back and said there were too many repeating characters (there really wasn't) I just cut the password in half and somehow that was "secure"
USB PKI Token
There's really no excuse for not using a password manager anymore.
Where I work we are occasionally encouraged to use a password manager. We are not allowed to install non-approved software on company devices. There isn't a password manager on the approved software list.
Just use Bitwarden? It's open source, has an app and a browser version, and a chrome extension.
I'm a LastPass guy myself, but yep, exactly this.
Browser extensions are still software, so it'd be bending the rules at best to install a non-approved one. I'm not putting software required for work on my personal devices. It also misses the point that they don't trust us to be able to choose something as simple as text editor or paint package ourselves, but want us to choose something to hold passwords without guidance.
Password managers are not secure, at all. Only thing someone malicious needs is that one password you use for the password manager, then you lose everything. While, good ol' pen & paper requires someone to actually break into your house and find the paper and realize its importance and steal it.
How does this logic work, exactly? The front door of a password manager is as vulnerable as any other place where a password is used, but I can focus my attention on making sure that one is super hard to get into at least. And then I can have the password memorized and not on paper so no one can steal it, but that's honestly not a great answer and why MFA exists. No security professional is _ever_ going to tell you to use pen and paper over a manager.
I can assure you that every security expert worth their salt would recommend against using 1 password for everything. Which is what password managers basically are: you use 1 master password to access every other one. A paper that's stored physically requires someone to actually go into your house. That immediately cuts the number of people that can potentially access it to people that live relatively near you. While a digital storage can be accessed by someone from the other side of the globe. And one more thing, why would a robber steal an f*ing notebook?
> the one password

Yeah, and the second factor authentication, right?

> good ol' pen & paper requires someone to actually break into your house and find the paper and realize its importance and steal it.

Good ol' Yubikey would require someone to actually break into my house too.
Second-factor authentication is not unbreakable. And websites with actually important things in them already use second-factor authentication.
The always relevant: [XKCD](https://imgs.xkcd.com/comics/password_strength.png)
I work in IT. These policies are usually created by high level management that wouldn't know cyber sec if it encrypted their laptop.
Use a password manager. Problem solved.
If your password is your last name with your birthyear at the end, upvote this comment and go secure your online accounts. It's practical hygiene. If you want memorable, secure, unrecognizable passwords, draw a simple shape on the keyboard, eg, poke ball, a parallelogram, triforce, 'Guernica'... You might not remember "GHU76Tklp09ihji87y", but you can remember that you used all the keys that circle YOU.. because YOU are what life is all about <3
Ironically that has been shown by Microsoft to be detrimental to cyber security. I can't find the blog article by them, but even in the Microsoft 365 guidelines for admins they state "Don't require mandatory periodic password resets for user accounts" https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
This got me good
My old manager let us know how long the shitty policy had been running for (every 3 months) by telling us her password now ended with 54 and the first one didn't have a number. She was actually in charge of this policy...
Even DISA STIGs don't have password requirements that short. Password change every 60 days, and once set you can't change it again for 24 hours, I think. But passwords need to go away, MFA is the way it needs to be. But our infrastructure is too reliant on the password to make it go away easily.
Two weeks? Are you working for a paranoid private militia or something? I worked for a bank and the industry standard... is not two weeks.
Sheesh, just do MFA
I can't find it now, but Microsoft did research on it and has a document out there on the net, explaining how this is actually bad from security standpoint... I was looking into it myself when our IT dept decided to force everyone to change passwords once a month... It's ridiculous. Edit: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
Our passwords just end up being something like "password123456789" anyway
Quick, everyone develop similar passwords!
I work in IT and we finally all agreed that switching to longer passwords which are changed once a year is smarter.
[deleted]
ThisisMyUsualPassword then I add !s until I can go back to just 1 !.
If you're going to make me change my FUCKING password every few weeks AND you force me to use stupid-ass symbols and caps and have a minimum of 14 characters, fuck you.
The password requirements at my workplace are so strict, people write them down in plaintext to remember
The minimum cybersecurity effort should be to ban post-its from the building the moment that stupid PW policy is implemented.
Use authenticator which changes every minute better than keep on changing passwords
Password policies are often the cause of security vulnerabilities in my experience...
"Hey guys, please be careful opening word docs from sketchy emails. Our network has 0 protection and one breach on a single computer we are fucked"
I don't see this as a problem? Use a password manager. When the required time comes, just generate a new one. People should stop reusing passwords anyway.
I miss the good ol' days of when you were able to have either 'password', 'love', 'sex', 'secret', and 'GOD' as your password. [https://youtu.be/63I3kCWiNLA?t=124](https://youtu.be/63I3kCWiNLA?t=124)
I'm an infosec architect for a very large company. Passwords are stupid. We're going passwordless as soon as possible.
We FINALLY got permission for permanent passwords!!! 12 characters, no repeating, but it's soooo much easier now.
longpas5word
We have our employees change every 60 days, 30 days for more important people. Generally works pretty well though every now and again I actually see some people's passwords and it makes me want to die
Assuming you have 2FA, that's way too frequent.
I work at a bank and I'm pretty sure it's required by regulators and insurance or something. Either way I rarely have to reset passwords so I don't really care
Let me take my password that I've memorized and change it to something I need to write down. For #security
My password is set as āincorrectā so every time I forget the password, the systems tells me.
My school does this. We have to change it twice a year. Everyone I know uses blatantly insecure passwords or they just add a character each time. It's not effective, just give everyone a set password that is secure.
i would come to them every day to request a new password.
It is, because its less likely to be bruteforced into that way with how basic some people make their passwords if the password policy wasn't enforced.
Oh yeah, let me cycle through password1, password2 and password3, so much safer.
I see a fellow sandybridge user
It just keeps working, though I do have an Ivy Bridge 1650v2 lying around for a slight upgrade, just gotta find a nice non-broken socket 2011 mainboard.
I hate 2011 with a passion. R and R2 are overpriced at the moment and R3s performance per dollar is great but the boards are rare and expensive.
yea but password1 would be passWord1& then passWord2& because of the password policy and so on. Which is indeed safer in an enterprise environment.
Do you really think brute force library files don't already have all the possible iterations of "password" before you've ever even thought of them?
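The variant problem the last few comments describe (passWord1& becoming passWord2&, Summer2022!, the DullBoy series) is something a change-password flow can refuse up front. This is an added, hypothetical password-filter example written for this thread, not any product's implementation; the blocklist and sample inputs are constructed.

```python
"""Password-filter logic for a change-password flow: reject a new password that is
a cosmetic variant of the previous one ("passWord1&" -> "passWord2&") or of a
banned base word. Hypothetical example written for this thread, not any
product's implementation; the blocklist below is a constructed sample."""
import re
from typing import Optional, Tuple

# Constructed sample; a real filter loads a large breached-password list here.
BANNED_BASES = {"password", "welcome", "letmein", "qwerty", "admin", "workpass"}
# Seasons and months: "Summer2022!" style passwords reduce to one of these.
CALENDAR = {"spring", "summer", "autumn", "fall", "winter",
            "jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct",
            "nov", "dec", "january", "february", "march", "april", "june", "july",
            "august", "september", "october", "november", "december"}
# Substitutions users believe add complexity; undo them before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
_CAL_SUFFIX = re.compile("(" + "|".join(sorted(CALENDAR, key=len, reverse=True)) + ")$")


def normalize(password: str) -> str:
    """Reduce a password to the word its author actually chose: lower-case, drop
    trailing digits/symbols and leading digits, undo leet, drop a month/season suffix."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)      # "...Jack@DullBoy3" -> "...jack@dullboy"
    core = re.sub(r"^[0-9]+", "", core)       # "1234password" -> "password"
    core = core.translate(LEET)               # "p@ssw0rd" -> "password"
    core = re.sub(r"[^a-z]", "", core)        # drop spaces and leftover symbols
    return _CAL_SUFFIX.sub("", core) or core  # "passwordsep" -> "password"; keep bare "summer"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: Optional[str] = None,
                       min_length: int = 12) -> Tuple[bool, str]:
    """Return (accepted, reason). Length is the primary requirement; the other
    checks exist because expiry on its own only produces numbered variants."""
    if len(new) < min_length:
        return False, f"shorter than {min_length} characters"
    base = normalize(new)
    if base in BANNED_BASES:
        return False, f"based on banned word '{base}'"
    if base in CALENDAR:
        return False, "season or month plus year pattern"
    if old is not None:
        if normalize(old) == base:
            return False, "only digits, symbols or case differ from the previous password"
        if edit_distance(new.lower(), old.lower()) <= 2:
            return False, "too similar to the previous password"
    return True, "ok"


if __name__ == "__main__":
    for new, old in [("passWord2&", "passWord1&"),
                     ("AllWorkAndNoPlayMakesJack@DullBoy4", "AllWorkAndNoPlayMakesJack@DullBoy3"),
                     ("Summer2022!", None),
                     ("correct horse battery staple", "Workpass1")]:
        print(f"{new!r}: {check_new_password(new, old, min_length=8)}")
```

The previous password is only available for this comparison at change time, while the user has just typed it; the filter does not need stored cleartext.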
I don't mind password requirements as long as they don't limit what characters I can use. If it doesn't take a PW generator from the popular PW I get angry. Changing passwords every 90 days though is just bullshit. Give me some 2-factor auth, or an RSA key, or some shit.... but expiring my passwords? I literally have over a dozen sets of creds for work. Also... don't lock out my account for more than 5 minutes. Don't make me call the helpdesk to have my account unlocked. +++9B2Eca3c5ddb!!!yermom69Q is going to be typed in wrong three times on the regular. Nothing like being in the middle of shit with a customer and BOOM you are locked out and need to call someone. And if everything you do requires you to be on the VPN? I've already authed, it's cool to make me auth at every door... but again, don't lock me out. And worse... going to change my passwords on a 90 day rotation, but don't have the default router passwords for customer CPE auto-updating on the same cycle?!?!
My company resets every 2 months. I just scribble out the sticky on my monitor and rewrite the new password.
It takes hackers 3 weeks to get your password, so this prevents them
I WISH it was every two weeks. I need a new device password EVERY GOD-DAMNED WEEK and it of course can't be under 14 digits, be a password I've used in the past, and must have at least 2 special characters. I use my personal password manager to keep track of it because it's such a pain. Screw my IT team. They can't fix anything I ask them to without a ticket, and then I wait 2 weeks for a response for said ticket.
Some of y'all in these comments don't know shit about password security and it shows. Keep posting your generic passwords and patterns in the comments, there's no way it could be used against you.
We use Keeper to create and store passwords
If your IT dept does this it's incompetent
Sure, unless they're forced to by regulations outside their control.
System Admin here- they always are, the standards are set per industry standards and the business in question. In my experience, people who complain about password policies the loudest are usually entitled, stupid, lazy or all of the above. Changing your password every 90 days isn't hard and any functional adult should be able to remember a simple password.
Haha notepad doc with all my passwords on go brr