This practice is not recommended anymore, yet still found in many enterprises.
My company’s HR system (like, time off, time clock, etc.) asks for a new password every 3 months, but it doesn’t give any fucks at all if you just reuse the current password apparently. I’ve been “changing” it to the same thing for like a year now.
Which is often a lot more secure than requiring you to create a new password. Requiring a new password frequently leads to people making memorable passwords which are a lot less secure than a good password which is kept for years.
A few years back, my company suffered a big cyber attack where the attack vector was the credentials of a high level user who frequently changed their password to the year and month for next password change, i.e. “2018october”. Apparently this was common enough that the attackers were able to brute force/guess it.
I prefer that.
I’ve changed my password 11 times since I worked at this job.
How do I know that? Because my solution has been password+1.
Gotta do mine twice a year, always needs to be new, have a number, and a special character. It was annoying because I’m a pass phrase kind of person, but found it’s not too hard to just add the year and exclamation marks for each password change into my passphrase.
Plus password managers exist so whatever.
Can’t you just have two passphrases and alternate between them?
Nope, has to be new and unique every time. Their system keeps every password I’ve ever had, which if you think of it, is a really bad liability if they’re hacked.
For me, no. Can’t be the same or too similar to the past 4-5 passwords and has to be 14 characters long.
Oh, as a French philosopher said:
“Never has so much spirit been put into making us stupid.” -Voltaire
Every three months, man. Gets old real fast.
Every month is 3x worse.
Objectively.
Glad we are passwordless. Now no one knows my password.
Any source about why changing a password regularly is not recommended?
NIST seems to have it as a guideline for memorised secrets:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
The most prominent source is NIST, which states:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (source)
I found an explanation on a different site:
It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).
Isn’t this just bad practice?
deleted by creator
Ye this
Microsoft has recommended against it since 2019. But apparently, it is still a thing.
The company I work for requires annual password changes because it is stipulated by our Cybersecurity insurance provider.
Man, so often do I get halfway through my password to realise I’m now typing my old words.
My company changed the policy to increase the time between password changes. To compensate, they increased the required password length.
Neither of these policy changes was communicated to the employees. The expiry tells you when it arrives (don’t tell me you change it before it expires; good for you if you do), but if your new password doesn’t meet the policy requirements it doesn’t tell you what they are. The support request response indicated the minimum length was three letters longer. The only good thing about this ordeal is that I get paid by the hour.
Monthly password change.
Enforced high complexity.
Sticky note on screen.
Are you me?
Monthly? That is insane. Let me guess, no mfa.
Correct!
Hey now, it’s under the keyboard. Much more secure there.
ProjectnameMonthYear!!
Max. 16 characters
(Still remember: if they have a password length limit, they store the password in plain text, if they do that in the backend. They can do that in the frontend too, in the browser with JavaScript, which is safe.)
Lemmy-UI has a password limit of 60 characters. Does that mean they are storing your password in plain text?
No, that means they don’t like DoS attacks.
Does anyone like being on a receiving end of those?
He should have said a short length limit, it’s still recommended to have a length limit of some sort (I think 64 is the official recommendation) to prevent people from doing shit like pasting the entire Shrek script as a password (because you KNOW some people will lol)
I think they could also check that length with JavaScript in the browser. Don’t know, you should ask the devs.
You are right and that’s exactly what happens in your 16 char example.
Why would you say that? Services are able to require special characters, variable casing and numbers. Why would the requirement of a max length of the password cause the storage to succumb to plain text?
This simply depends on whether they do that in the browser with JavaScript (good) or on the backend.
So yes, the statement that I copied from someone else is not always true.
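The length-limit discussion above, together with the earlier remarks about password history ("keeps every password I've ever had", "can't be too similar to the past 4-5") and the NIST quote, all come down to what a verifier can check at password-change time without ever keeping plaintext. The following is an added example written for this thread, not code from Lemmy or any product named here: it caps length before hashing (so the stored value is a fixed-size salted scrypt digest whatever the input length), keeps only hashes of previous passwords for reuse checks, and uses the one plaintext it legitimately has at change time, the current password the user just typed, to reject the "password+1" and "2018october" patterns described in the thread. The limits, message strings and the date-token heuristic are illustrative assumptions.

```python
"""Password-change validation for a verifier that stores only salted hashes.

Added example for this thread; the constants and messages are illustrative
assumptions, not any real product's policy.
"""
import hashlib
import hmac
import os
import re
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 14      # one employer's minimum mentioned in the thread
MAX_LENGTH = 64      # cap applied before hashing; the stored digest size never changes
HISTORY_DEPTH = 5    # previous (salt, digest) pairs kept for reuse checks
SCRYPT_N = 2 ** 12   # demo cost parameter; raise it in production

# Trailing digits/punctuation are the usual "+1" suffix people append on rotation.
_TRAILING = re.compile(r"[\d" + re.escape(string.punctuation) + r"]+$")
# Year or (four-letter-plus) month name, the "2018october" pattern; "may" is
# deliberately omitted because it matches too many ordinary words.
_DATE_TOKEN = re.compile(
    r"(19|20)\d\d|january|february|march|april|june|july|august|"
    r"september|october|november|december",
    re.IGNORECASE,
)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash. Output is 32 bytes regardless of password length."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=8, p=1, dklen=32)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def stem(password: str) -> str:
    """'Password28' and 'password29' share the stem 'password'."""
    return _TRAILING.sub("", password).lower()


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


def create_account(password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(salt, digest)


def change_password(acct: Account, current: str, new: str) -> List[str]:
    """Apply the change and return [] on success, or a list of violations.

    Only `current` is available in plaintext (the user typed it), so pattern
    checks run against it; older passwords are compared by hash only.
    """
    if not verify(current, acct.salt, acct.digest):
        return ["current password incorrect"]
    # Length is enforced before any hashing of the candidate password.
    if len(new) < MIN_LENGTH:
        return [f"shorter than {MIN_LENGTH} characters"]
    if len(new) > MAX_LENGTH:
        return [f"longer than {MAX_LENGTH} characters (cap applied before hashing)"]
    problems: List[str] = []
    if stem(new) == stem(current):
        problems.append("only the trailing digits/symbols changed")
    if _DATE_TOKEN.search(new):
        problems.append("contains a year or month name")
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if verify(new, salt, digest):
            problems.append("reuses a recent password")
            break
    if problems:
        return problems
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
    acct.salt, acct.digest = hash_password(new)
    return []
```

Two design points are worth noting: the history list stores only salts and digests, so a breach of the verifier exposes no old plaintext passwords (the liability raised earlier in the thread), and the similarity check is necessarily limited to the current password, since that is the only one the server ever sees in the clear. A client-side length check in the browser, as suggested above, is a usability convenience; the server-side cap here is what actually bounds the hashing work.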
Hell, I don’t even know my passwords. My password manager does. Sometimes I forget the main password but thankfully my fingers don’t, unless I start thinking about it.
How do you use your password manager to log into your PC? I mean with the AD password you’re changing monthly with “high complexity”? Cause that’s the actual problem scenario in enterprises.
If someone asks me to change some normal password, I really don’t care, just like you (cause password manager), but the main login scenario just isn’t solved with one.
Mobile device. Read and type.
This guy: 😎
Yeah, but I’m more used to them saying “occasional overtime” when they mean “5-10 hours mandatory overtime, unless it’s actually busy, because we refuse to hire enough people to fill all the open positions.” Because there’s nothing smarter than giving all your sales staff enormous bonuses while the grunts on the floor are over 6 months behind for lack of adequate staffing.
Did you reply to the wrong post?
Password1
Password2
Password…
Password28
Password29
Edit: Call IT to reset password costing the company money because of their idiotic password policy
Password…
Password43
No joke, my father used to have to do this. I set him up with a solid pw via pw mgr and then we found out that it had to be changed every 60d. He was going to just generate a new one but I was concerned that he’d screw it up and need help resetting the pw every time, so I was like “…just add 1 to the end, and do the same in the mgr; next time 2, then 3…”.
He got to like 8 before (it appears, he stopped complaining about it) they dropped the policy. I just know that every other employee (these are not tech positions whatsoever) just resorted to “password1” and IT realized how fucking stupid that is.
Oh and it retains your last like 5 passwords, so you can’t do “password1” “password2” “password1”. Brilliant.
Oh, I didn’t know that. Are companies finally realizing that creating and trying to remember new passwords causes more trouble than keeping one really good password?
Only on accounts that have MFA is password rotation no longer recommended.
If the account is not MFA-protected, password changes are still recommended.
really? what’s the standard for that? like how often should you be rotating your password?
I assumed more people forget their new passwords (because I often do) and become compromised than are protected by continually rotating passwords.
It’s one of the updated NIST recommendations, I don’t recall which one but it specifically calls out no password cycling for MFA protected accounts.
I have over 500 passwords in my password manager. I don’t know what I’d do without it.
I’m convinced this isn’t particularly secure because it just results in the following. Mandatory password change, password can’t be any of your last six, bla bla bla. Boom rotating stock of my last six, you happy?
“BOB-CEMU” “BOB-MERC” “BOB-SIVA” “BOB-MILK” “BOB-CERA” “BOB-DELT”
Had one company where you couldn’t use the same password for 12 months, 10 digit minimum, and had to change it every month.
My very secure password series at the time.
DumbP@ss#01
DumbP@ss#02
DumbP@ss#03
Hey! You lied! None of those worked just now. Tell us your real password.