this post was submitted on 11 Aug 2024
839 points (98.4% liked)
memes
10222 readers
2328 users here now
Community rules
1. Be civil
No trolling, bigotry or other insulting / annoying behaviour
2. No politics
This is non-politics community. For political memes please go to !politicalmemes@lemmy.world
3. No recent reposts
Check for reposts when posting a meme, you can only repost after 1 month
4. No bots
No bots without the express approval of the mods or the admins
5. No Spam/Ads
No advertisements or spam. This is an instance rule and the only way to live.
Sister communities
- !tenforward@lemmy.world : Star Trek memes, chat and shitposts
- !lemmyshitpost@lemmy.world : Lemmy Shitposts, anything and everything goes.
- !linuxmemes@lemmy.world : Linux themed memes
- !comicstrips@lemmy.world : for those who love comic stories.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
One of our systems at work won't let you use the last thirteen passwords. And it makes you change it monthly.
Yeah, I'm sitting there changing my password 13 times until I can go back to mine. I already do this with our 3 month expiry, but ours only checks against the current password, not a history of old passwords.
Password expiry doesn't make systems more secure, it makes users lazily set insecure passwords to deal with your shitty mind games.
I see your "13 resets in a row" and raise you a "minimum password age".
Hello, Tech Support? Yeah, I can't remember my password... I know, this is the 13th time this week... I'll try real hard to remember this time I promise.
Any organization still doing this is a decade behind best practices. NIST published new recommendations years ago that specified getting rid of the practice of regular forced password resets specifically because they encourage bad practices that make passwords weaker.
Of course it doesn't help that there are some industry compliance standards that have refused to update their requirements, but I don't know of any that would require monthly password changes.
Where specifically could I find this recommendation so i can forward it to my IT department?
What you want is NIST 800-63b https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
Specifically sections 5.1.1.1 and 5.1.1.2.
Excerpt from 5.1.1.2 pertaining to complexity and rotation requirements:
Appendix A of the document contains their reasoning for changing from the previous common wisdom.
The tl;dr of their changes boil down to length is more important than any other factor when it comes to password security.
Edit to add:
In my personal opinion, organizations should be trying to move away from passwords as much as possible. If your IT team seems to think this system is so important that they need to rotate passwords every month, they should probably be transitioning to hardware security tokens, passkeys, or worst case, password with non-sms MFA.
Now I know nothing about the actual circumstances and I know there are plenty of reasons why that may not be possible in this specific case, but I'd feel remiss if I didn't mention it.
WorkPassword1
WorkPassword2
WorkPassword3….
JanPass.01
AprPass.04
JulPass.07
...
I only have had one coworker that didn't do this stupid incrementation thing (some salt with a bit more than a number based on some logic).
He was the guy that would take a minute or two every time he needed to unlock his computer to open his password manager on his phone and slowly type out a long and difficult to type random password that he could never memorize due to the frequency we had to change passwords.
So many delays during conversations / meetings with this guy.
I do that but I set up Windows Hello so it's quick.
PassA, PassB, PassC, etc.
Use a password inspired from dice