This practice is not recommended anymore, yet still found in many enterprises.

  • ikidd@lemmy.world · 37 up, 1 down · 1 month ago

    Hell, I don’t even know my passwords. My password manager does. Sometimes I forget the main password but thankfully my fingers don’t, unless I start thinking about it.

    • Creat@discuss.tchncs.de · 5 up · 1 month ago

      How do you use your password manager to log into your PC? I mean with the AD password you’re changing monthly with “high complexity”? Cause that’s the actual problem scenario in enterprises.

      If someone asks me to change some normal password, I really don’t care, just like you (cause password manager), but the main login scenario just isn’t solved with one.

  • Affidavit@lemm.ee · 24 up · 1 month ago (edited)

    Password1

    Password2

    Password…

    Password28

    Password29

    Edit: Call IT to reset password costing the company money because of their idiotic password policy

    Password…

    Password43

    • wreckedcarzz@lemmy.world · 5 up · 1 month ago (edited)

      No joke, my father used to have to do this. I set him up with a solid pw via pw mgr and then we found out that it had to be changed every 60d. He was going to just generate a new one but I was concerned that he’d screw it up and need help resetting the pw every time, so I was like “…just add 1 to the end, and do the same in the mgr; next time 2, then 3…”.

      He got to like 8 before (it appears, he stopped complaining about it) they dropped the policy. I just know that every other employee (these are not tech positions whatsoever) just resorted to “password1” and IT realized how fucking stupid that is.

      Oh and it retains your last like 5 passwords, so you can’t do “password1” “password2” “password1”. Brilliant.

  • Varyk@sh.itjust.works · 21 up · 1 month ago (edited)

    oh i didn’t know that, are companies finally realizing that creating and trying to remember new passwords causes more trouble than keeping one really good password?

    • slazer2au@lemmy.world · 9 up, 5 down · 1 month ago

      Only on accounts that have MFA is password rotation no longer recommended.

      If the account is not MFA protected, password changes are still recommended.

      • Varyk@sh.itjust.works · 5 up, 1 down · 1 month ago (edited)

        really? what’s the standard for that? like how often should you be rotating your password?

        I assumed more people forget their new passwords (because I often do) and become compromised than are protected by continually rotating passwords.

        • slazer2au@lemmy.world · 1 up, 1 down · 1 month ago

          It’s one of the updated NIST recommendations, I don’t recall which one but it specifically calls out no password cycling for MFA protected accounts.

    • RecluseRamble@lemmy.dbzer0.com · 13 up · 1 month ago

      Just add a number suffix and increment it each time. This doesn’t exactly make your password any stronger but that’s not what they’re asking for with their stupid policy.

      • YerbaYerba@lemm.ee · 6 up · 1 month ago

        My company tracks the first and last character so you can’t do that. Personally I change a single character in the middle of my password to work around this.

        • pivot_root@lemmy.world · 3 up · 1 month ago (edited)

          Error: Your password’s Levenshtein distance indicates that your new password is more than 20% similar to a password previously used within the last 10 years.

          Policy requires your password to:

          • Be unique
          • Have at least one uppercase letter
          • Have at least one lowercase letter
          • Contain 2 symbols other than apostrophe
          • Have 4 numbers that are either separated by other characters, or represent an integer both greater than 3000 and not ending with the same last two digits as the previous or next 17 years from the current date.
          • Include exactly one Cyrillic character
          • Exceed no more than 18 characters

          /satire (I hope)

  • Aeri@lemmy.world · 15 up · 1 month ago

    I’m convinced this isn’t particularly secure because it just results in the following. Mandatory password change, password can’t be any of your last six, bla bla bla. Boom rotating stock of my last six, you happy?

    “BOB-CEMU” “BOB-MERC” “BOB-SIVA” “BOB-MILK” “BOB-CERA” “BOB-DELT”

    • The_v@lemmy.world · 16 up · 1 month ago (edited)

      Had one company where you couldn’t use the same password for 12 months, 10 digit minimum, and had to change it every month.

      My very secure password series at the time.

      DumbP@ss#01

      DumbP@ss#02

      DumbP@ss#03

  • NastyNative@mander.xyz · 9 up · 1 month ago

    This 90-day password change BS is the worst security risk there is. Do you know how many people have Summer2024 as their work computer password because of this system? Too damn many! Not to mention the problem it creates for older folks who have a hard time with the change and most times end up locking themselves out. It creates far more chaos than anything secure, which I have been explaining to my company and they still enforce it for their clients.

  • Crozekiel@lemmy.zip · 7 up · 1 month ago

    My company’s HR system (like, time off, time clock, etc.) asks for a new password every 3 months, but it doesn’t give any fucks at all if you just reuse the current password apparently. I’ve been “changing” it to the same thing for like a year now.

    • dQw4w9WgXcQ@lemm.ee · 9 up · 1 month ago

      Which is often a lot more secure than requiring you to create a new password. Requiring a new password frequently leads to people making memorable passwords which are a lot less secure than a good password which is kept for years.

      A few years back, my company suffered a big cyber attack where the attack vector was the credentials of a high level user who frequently changed their password to the year and month for next password change, i.e. “2018october”. Apparently this was common enough that the attackers were able to brute force/guess it.
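The habits described in this thread (a counter suffix bumped each month, one character swapped in the middle, a season or month plus the year, a rotating stock of the last six) are exactly the things a password-change handler can test for. The Python below is an added example and is not code from this thread or from any product mentioned in it; the thresholds, the month/season heuristic and the PBKDF2 parameters are constructed for illustration.

```python
"""Password-change checks for the weak rotation habits described in the thread.

Added example, not code from the thread or any named product. The policy
knobs below are constructed for illustration only.
"""
import hashlib
import hmac
import os
import re

MAX_SIMILARITY = 0.7    # reject if the new password keeps >70% of the old one
HISTORY_DEPTH = 6       # "password can't be any of your last six"
MIN_LENGTH = 10         # "10 digit minimum"
PBKDF2_ROUNDS = 50_000  # illustration; production uses a slow memory-hard hash

MONTHS = ("jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
          "|spring|summer|autumn|fall|winter")
# A month or season name next to a plausible year, in either order:
# "Summer2024", "2018october", "Fall-2023". Heuristic: it will also flag
# words that merely start with a month abbreviation, which is acceptable here.
DATE_PATTERN = re.compile(
    rf"(?:{MONTHS})[a-z]*\W*(?:19|20)\d\d|(?:19|20)\d\d\W*(?:{MONTHS})",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 = identical, 0.0 = nothing shared. Case-folded so that
    'Password1' vs 'password1' counts as the same trick."""
    a, b = a.casefold(), b.casefold()
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Keeps only salted hashes of recent passwords, never the passwords:
    a history that stores every password ever used is a liability if the
    store is breached."""

    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes]] = []   # (salt, hash), newest last

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_DEPTH]              # keep only the last N

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)


def check_change(old_password: str, new_password: str,
                 history: PasswordHistory) -> list[str]:
    """Return the policy violations for a proposed change (empty = accepted)."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if DATE_PATTERN.search(new_password):
        problems.append("contains a month or season name plus a year")
    # Similarity can only be measured against the password being replaced,
    # because that is the only one the handler ever sees in clear text.
    sim = similarity(old_password, new_password)
    if sim > MAX_SIMILARITY:
        problems.append(f"{sim:.0%} similar to the current password")
    if history.contains(new_password):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    for old, new in [("Password28", "Password29"),      # counter suffix
                     ("DumbP@ss#01", "DumbP@ss#02"),
                     ("9vX!qLm2#rTz8", "Summer2024!!!!"),  # season + year
                     ("9vX!qLm2#rTz8", "2018october"),
                     ("Password28", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new, hist) or 'OK'}")
```

The similarity and date checks run against the clear-text values the user supplies at change time; the history check only ever compares salted hashes, so the server never holds a recoverable list of old passwords. These checks address the symptom the thread describes; current NIST SP 800-63B guidance is that verifiers should not require periodic password changes at all, only a change when there is evidence of compromise.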

  • esc27@lemmy.world · 9 up, 3 down · 1 month ago

    Never is too long. Monthly is way too short. I like the idea of doing it yearly in conjunction with other IT security awareness and training campaigns.

    • RecluseRamble@lemmy.dbzer0.com · 8 up · 1 month ago (edited)

      Never is too long.

      Why? Frequent password changes have been shown to result in weaker passwords. What’s wrong with keeping a strong one indefinitely? I mean an actual strong one, not one character more than what’s currently brute-forceable.

      • CompN12@lemmy.frozeninferno.xyz · 2 up, 3 down · 1 month ago

        Forever is vulnerable to phishing attacks, same reason why monthly is getting discouraged. Monthly is weaker because the average person does slight variation, which attackers LOVE.

        • RecluseRamble@lemmy.dbzer0.com · 1 up · 1 month ago

          Frequent password changes don’t protect against phishing.

          And while a high frequency like monthly changes will probably result in even weaker passwords, also yearly changes will make people choose weak passwords.

    • ObsidianZed@lemmy.world · 6 up · 1 month ago

      Agreed. My last job, we were forced to change all service account passwords annually but our personal passwords every month or two.

      My current job has more domains and systems so I have so many more passwords with varying complexity and age requirements. I just set a calendar event for every four weeks (one expires just under 5 weeks) and change them all to the same generated password that meets all the common requirements and I save it in my password manager.

      So every four weeks, it’s seriously this hour+ long ritual for virtually no enhanced security reason.

  • taiyang@lemmy.world · 6 up · 1 month ago

    Gotta do mine twice a year, always needs to be new, have a number, and a special character. It was annoying because I’m a pass phrase kind of person, but found it’s not too hard to just add the year and exclamation marks for each password change into my passphrase.

    Plus password managers exist so whatever.

      • taiyang@lemmy.world · 3 up · 1 month ago

        Nope, has to be new and unique every time. Their system keeps every password I’ve ever had, which if you think of it, is a really bad liability if they’re hacked.

      • StrangeQuark@lemm.ee · 2 up · 1 month ago

        For me, no. Can’t be the same or too similar to the past 4-5 passwords and has to be 14 characters long.

        • Owl@mander.xyz · 1 up · 1 month ago

          Oh, as a French philosopher said:

          “Never has so much spirit been put into making us stupid.” -Voltaire

  • peto (he/him)@lemm.ee · 4 up · 1 month ago

    Man, so often do I get halfway through my password to realise I’m now typing my old words.

  • DeviantOvary@lemmy.world · 4 up, 1 down · 1 month ago

    We have a three-month password expiry policy on AD accounts, but the requirements aren’t extreme. We’d do away with it, but then we have our own CEO writing their password down on a piece of paper and giving it to us to troubleshoot their laptop (we have admin accounts for a reason ffs), after being repeatedly told not to, so forcing employees to rotate their passwords suddenly doesn’t sound too crazy. People are just way too irresponsible sometimes. Plus, we need to have it for certifications, so there’s that.

      • jj4211@lemmy.world · 3 up · 1 month ago

        NIST guidelines used to recommend rotation, and our security team would quickly point to it when people complained.

        So of course we jumped on that and security team said “well NIST are just guidelines and we go for more stringent requirements”…

      • DeviantOvary@lemmy.world · 1 up · 1 month ago

        I would need to check (not in charge of it), but I do remember in the fat stack of guidelines we got there was the password policy of 90 days. However, the point still stands that some people have no digital hygiene and will write down and share their passwords in plain text for all to see even if we didn’t enforce password expiry. Though in all honesty, there’s no winning combination when so many don’t truly give a shit about digital security. As long as they can flaunt a certificate.

    • disgrunty@lemmy.world · 5 up · 1 month ago

      The CEO at my last place used to forget his passwords at least once a week, would write them on Post-It notes on his desk (and lose them by day’s end).

      We had a dashboard that showed failed security and he was many, many times worse than the rest of the business combined. That man cost the business more in IT time than anyone.

      This was a bank. Granted, a small lending-only bank but still, I would never get a mortgage or loan with these people.

      They should have just put a Yubikey on his keys. He never lost those.

      • DeviantOvary@lemmy.world · 4 up · 1 month ago

        It’s somehow always the guys in management/on top. On the first sign of inconvenience, they start complaining about all the security measures, because now it affects them personally, and they’re not here to be managed! Security is for everyone else, but definitely not them. They’re above it.