• Blahaj_Blast@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    47
    ·
    1 year ago

    No shit, I saw some password rules recently.

    15 character minimum

    Must change every 90 days

    Cannot be one of the previous 24

    Like, what the hell?

    • hactar42@lemmy.world
      link
      fedilink
      arrow-up
      46
      ·
      1 year ago

      Must change every 90 days

      It has been 6 years since NIST told companies to stop doing this. And I’d be willing to bet there are more companies still mandating this than ones that don’t.

      • LazaroFilm@lemmy.world
        link
        fedilink
        English
        arrow-up
        26
        ·
        edit-2
        1 year ago

        My old job had that policy. I decided I would not try to remember my passwords. Instead I had I.T. on speed dial and I would just call them daily to change my password to the one I liked. They hated me. I don’t work there anymore. For unrelated reasons. I think.

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        19
        ·
        edit-2
        1 year ago

        I wish I only had to change my passwords every 90 days. That would be a dream.

        I’ll just have to refer to the unofficial password sticky note that everyone in the office shares containing all the usernames and passwords, and the date on which they were last changed, that was started less than a week after the password change policy.

        It’s hilariously insecure, but we just can’t deal with the password load. It’s too much work. We’d sooner be fired if we had to comply with the password policy.

    • vrojak@kbin.social
      link
      fedilink
      arrow-up
      31
      ·
      1 year ago

      …and that, dear admins, is how you get passwords such as fuckthisrule#54, with the number increased by 1 every 90 days.

      • bloopernova@programming.dev
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 year ago

        And that’s how you get rules put in place to not use a password that’s similar to your old passwords. (I don’t agree with such rules, just to be completely clear)

        If you are forced to use long passwords, use book titles, song titles, character names, album names, TV show names, etc etc.

        Examples: WutheringHeights$!5, ThePrisonerOfAzkaban:29, TheCountOfMonteChristo33&&

        Of course you can put the numbers and symbols anywhere, not just at the end.

        • PM_Your_Nudes_Please@lemmy.world
          link
          fedilink
          arrow-up
          30
          ·
          edit-2
          1 year ago

          If they’re able to determine that you’re using a similar password, it’s because they’re not hashing your passwords and are storing them as plaintext. You should run far far away from any site or service that is able to enforce similarity rules. Because when you properly hash a password, even a minor difference such as upper/lowercase will produce a wildly different result.

          • bloopernova@programming.dev
            link
            fedilink
            English
            arrow-up
            19
            ·
            1 year ago

            I’ve been wondering about that. I think they get around it by using the “enter your current password” prompt, so they potentially have it in cleartext for the duration of the session.

        • funkless_eck@sh.itjust.works
          link
          fedilink
          arrow-up
          5
          ·
          1 year ago

          it’s better to use poems. I’ve done Hamlets 2b monologue, View From Westminster Bridge, Tell the Truth but Tell it Slanted, The Raven, Iago’s Many a duteous knave, Louis the Dauphin’s I am too high born to be propertied.

          Or really any poem you happen to have memorized.

      • tb_@lemmy.worldOP
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        My company tried disabled Windows Hello/pin for some people. Which means you have to use your main Microsoft password to unlock your computer.

        Which means people are going to leave their laptops unlocked or (more likely and) use a simpler password for their main account…

        Such a baffling decision. They reversed course on it though. I think…

        • Infernal_pizza@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I can kind of see the advantage to disabling it, we started using Windows Hello recently and while it’s mostly been good we have seen an increase in the amount of people forgetting their Microsoft password since they no longer need to use it to sign in every day.

    • starman2112@sh.itjust.works
      link
      fedilink
      arrow-up
      17
      ·
      edit-2
      1 year ago

      Just change it on the first of every month

      FuckThisCompanyJanuary23

      FuckThisCompanyFebruary23

      FuckThisCompanyMarch23

      FuckThisCompanyApril23

      And so on