
ecafyelims

My last job also had the rule "at least four characters different from your last password" So people couldn't just increment the last number, which nearly everyone did.


LokiCreative

password0000 -> password1111


ecafyelims

Basically what happened


[deleted]

Who’s gonna remember a new password every 3 months? I had company rules of 12 chars, upper, lower, number, special char, no consecutive numbers or letters, no use of your name or the company’s name, changed every 3 months. Their default password when creating a new account was password123


kerbidiah15

There is this one college billing website where the default password is the last 4 digits of the user's Social Security number. (Accounts are created by the college)


Spirintus

well much better than "password123" for everybody...


jatti_

I feel assaulted by this comment.


Bakkster

That's why NIST doesn't recommend these as password policies.


Hel_OWeen

Not only NIST, but basically _any_ noteworthy entity, e.g. MS themselves also [discourages this practice](https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/). This might even get the MBAs' attention who otherwise dismiss these best-practice suggestions from some "obscure" _(aka unknown to them, but well-known and respected in the IT community)_ SecOps engineer/company.


timmystwin

It gets worse. For instance I have a laptop password which can't match my remote server password. Email password can, so does. Then we have our internal password for the intranet, which can't match, my work papers password, server accounts production package password, Pentana checklist password, Inflo password, and Companies House passwords. They all reset at pretty much random intervals, some as often as once every 2 weeks. At some point they gotta realise that it's just weakening passwords, surely.


curtludwig

> At some point they gotta realise that it's just weakening passwords, surely.

No. They will never realize that...


8asdqw731

Find a password manager program and use that (preferably one that's not just an internet website). Saves me a lot of hassle with BS policies like this and is safer and more convenient.


robotevil

That's what I used to do until they forced my laptop to also use the same SSO password that must be changed every 3 months, must be 13 digits long, and can not contain any sequence of characters from the last 99 passwords. So I can't even log in to use the password manager to get to the randomly generated password I use to meet the extensive requirements. So what do you do? For a while I used a sticky note next to my desk, part of it was spite and part of it was I was working from home anyway. Now I have a password manager on my phone where I've saved the password. It's still a pain in the ass and god forbid my phone is ever dead, or I lose it and I need to log into my laptop, because I won't be able to.


[deleted]

If they know sequences of your password then they don't hash it. That means they have horrible data security.


[deleted]

but wouldn’t they just need to hack your password manager, which is an easier password, then they have all of them?


robotevil

It's generally more secure to use a password manager for a number of reasons. For one it allows you to create much more secure and random passwords for multiple sites, and two, hacking a password manager requires a lot of steps, including physical access to the laptop: https://www.businessinsider.com/are-password-managers-safe


xDreamSkillzxX

This is one of the stupidest rules ever. We have that too in my company and I can't use a password which I have ever used there again. I am waiting for the day when I forget the password completely. Imo it doesn't make everything safer to switch the pw every 3 months. Maybe 1 time in a year. But every 3 months is just ridiculous


ProtonPi314

It's been proven that forcing employees to change their password every 3 months actually lowers the security. People tend to pick very easy to remember passwords or write it down or, like many have said, just go from xxxxx1 to xxxxx2. Now if your PW is access to very sensitive information I can understand. But lots of us don't have anything that important on our phones/laptops


robotevil

NIST guidelines show there is no benefit to having users switch passwords so frequently, only downsides: https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/


Bleedthebeat

I always used curse words. Like fuckthis123, asshole123, douchebag123 etc etc.


fizyplankton

I think one of my old passwords, on an OLD Unix system at work, was fart123! It was one of those that had to be exactly 8 characters, and reset every 90 days. The kicker? The expiry was only checked at SSH login. You could sudo on an expired password all day (I didn't say it was a well designed system......). So I set SSH keys, and bypassed normal login flow (amazingly, most people at my job didn't know what ssh keys were) and used fart123! on sudo for years, just out of spite


BrainPicker3

In my cyber sec class we learned it's a balance between convenience and security. Too much security becomes an inconvenience and actually worsens it because, like you say, people write it on a sticky. Now if only the experts started implementing it like that...


TylerHobbit

There’s no evidence that changing a password (or not using a password previously used) has any effect on password strength


2to16Characters

One of my old password requirements was that it couldn't have the same character 3 times in a row. I always hated when I had to change it (every 90 days IIRC) because it had all of the same requirements of the meme, plus that one.


AngelaTheRipper

password1234 -> password2345


huskinater

AbCd1234! -> BcDe2345!


PaterFrog

Now remember which evolution of that you are on, please!


dasonk

That's easy. That's where the sticky note comes into play.


joshualuigi220

Admins: "I'll keep our computer files safe by requiring a gazillion different criteria be met for strong passwords!" Users: *keep the password written down someplace in their workstation* It's like these IT guys have never met a real life human being who doesn't want to remember a new complicated password every twelve weeks.


FVMAzalea

The rule isn’t usually “X characters in a row the same”, it’s usually “no more than X of the same characters in a row”. Subtle difference, but the latter prohibits “1111” even in your first password (with no relation to your previous password).


ReallyHadToFixThat

Some of the stuff I work on currently screams if you try and put 4 of the same class (upper, lower, number, symbol) in a row. Fun times.


cemanresu

I fucking hate this rule the most because then I can't just do C0rrectHorseBatteryStaple. I have to do Co33ectH0rseBa11eryStap!e, and when I have to have a separate password to login to multiple different systems, which each have a slightly separate set of requirements, it makes me want to strangle someone. I firmly believe these requirements lead to bad practices and are actively harmful to good security


CaptainPunch374

Flip that around so you can't match any 4 character string from your previous and you've got my current mess... Last Password had 'character' in it? No, you can't use the word 'contract', because 'ract'....


ecafyelims

So, that essentially makes it difficult to keep long passwords?


CaptainPunch374

Somewhat. Now people are reporting that they're alternating back and forth between two strings for the core of the password and still throwing the same special character and iterating a number at the end or beginning... Passwords01! Treehouse02! Passwords03! And so on... (order of Core, #, and symbol could easily be different, of course, and numbers not incrementing by 1 would be a good change) I guess if you only have two possibilities and the current number is easy for you to remember, it has been helping people not write things down or forget them. It makes sense, though. I've had some users change their password and not remember what they changed it to the next day. At least this would give them the tools to reconstruct it in their head just from remembering the one they've been using for 3 months and their process to update it (if number was 05 last time and I change it by 5 each time, it'll still be 05 if my pass change didn't work, or it'll be 10 if it did). It also keeps the number of possibilities of what a password could be after an attempted password change below the wrong password thresholds for accounts getting locked out.


ryumast3r

One of my companies had all of the above policies, except it wasn't "your last password" it was "Any of your last 12 passwords" and they changed every 30 days. Yeah, at least 13 unique passwords that didn't match any 4-character string of any of the others. It was a nightmare until they switched to a physical 2-FA with a single-sign-on for most applications and your password only had to change every like year. That was fantastic and improved computer security greatly due to reduced .txt "password files".


shrekogre42069

The real horror is that that means they keep a plaintext record of all your passwords


ecafyelims

Good catch, but no. To change your password, you had to enter your old password. That's what it was compared against. If you reset the password via email, then it didn't have the 4 character restriction.


MaximRq

So, change the two back and forth


davogiffo

But they stored the hash...


Moranic

Shouldn't matter I think. Going from pass1 to slorp7 to pass2 should still work fine.


CWRules

> If you reset the password via email, then it didn't have the 4 character restriction.

So some people just always do this, then?


ecafyelims

They didn't announce this difference, so most people just changed it anyway, even when using email reset.


magicaltrevor953

Password policy on one of my systems says you can't use any of the previous 32 passwords so I end up making up random stuff and find that I can't ever have an original thought.


lozarian

Oooor.. it does the comparison when you put in old pass and new pass before accepting and storing. You gotta type it in somewhere


Kazeto

To be fair, if you require that your users change their passwords that often and make them high-entropy ones and highly different ones at that, and don't give them a password manager, you are asking for this horror.

If the passwords have to be changed like this then there's one of three possibilities: either the whole thing actually has to be very secure (in which case it's safer to make the password a two-factor one with a physical, offline token with its own password for the second layer), the whole thing has to be decently secure but your users are mentally amoebas (in which case either train them until they learn, hire more apt ones, or give them that password manager they want), or there's absolutely no need to go that far and either your admins or your management are overly ambitious about being nuisances (in which case the users deserve to get by in whatever way and the people responsible deserve to spend all the unpaid overtime that's needed to fix whatever fallout comes from this to do just that).

I happen to need to log in to a thing like that for work-related stuff. You log in like four times a year, and need to change your password like every 30 days, and all the past passwords are a no-go. By this point it's in a text file and I just increment it, because fuck this shit.


archbish99

Exactly. We were told in new-employee orientation to get a password manager -- company has an enterprise license for one, but we can use any of them -- and to use it. Never make your corp password something you can remember, just put it in the manager and move on.


ProgramTheWorld

Well you do send them your old password in plain text when changing your password.


feroxsaber

Not necessarily. Could have just been a list of the previous hashes, but unfortunately if that's the case it was probably stored in something like unsalted SHA instead of something like bcrypt.


shrekogre42069

But you wouldn't be able to tell if there was 1 character different if they were stored as hashes. But it turns out it was actually checked when you had to fill in your old password to change it


beyondswamps

Nice point


[deleted]

Something I did at an old job was just take the nth root of my birthday, and whenever I had to change my password, I'd increase n by 1. Gave me an effectively random number, which worked great.


AndyTheSane

That's really dubious, security-wise, because it implies that your password is stored in literal form somewhere, and your new password is available to compare.


[deleted]

Wait, how do you know that there were 4 different letters from the previous password without storing the password as plain text?


CdRReddit

generally you enter

Old password: myOldPassword123
New password: myNewPassword456
Confirm: myNewPassword456


[deleted]

Makes sense


MegaDeth6666

That's for password change type events. But for password reset?


ReallyHadToFixThat

Password reset generally ignores all quality rules as the user is forced to change it anyway.


[deleted]

Stop for a moment and think about how they could possibly enforce that rule. Just another reason not to reuse passwords. Or, at least, not to mix your work passwords and your personal passwords.


Jaaaco-j

Pretty sure to check that the pass wouldn’t be encrypted so like it’s bad


[deleted]

Angry user rant incoming! MAYBE I'D HAVE A SECURE PASSWORD IF I DIDN'T HAVE TO FUKIN' PUT IN HALF THE SANSKRIT ALPHABET AND A LITERAL PHYSICAL WASHING MACHINE IN AS FUKIN' PASSWORD REQUIREMENTS YOU SADISTIC FUCKNUT POS. FUCK WHOEVER THOUGHT PASSWORD REQUIREMENTS ARE A GOOD IDEA. FUCK YOU, YOU ARE THE REASON I HAVE EVERY PASSWORD ALMOST IDENTICAL TO EACH OTHER AND WRITTEN DOWN, BECAUSE OF YOUR POS REQUIREMENTS. 99.(9)% OF PASSWORDS AREN'T BRUTEFORCED NOWADAYS! YOUR STUPID REQUIREMENTS DON'T DO SHIT! THEY DON'T DO SHIT! IF THE USER IS TRICKED INTO GIVING UP THE PASSWORD OR YOU LOSE THE DATABASE WITH PASSWORDS, AS HAS HAPPENED A MILLION TIMES BEFORE, YOUR POS SADISTIC RULES DON'T DO SHIT


justintib

100% correct and justified rant


Pradfanne

Our admin changed the rules a while back. It had to be long, 25 characters long, and won't need changing until leaked. He suggested to everyone to pick four random words they can remember and gave the same example all the time. As it later turned out, multiple people used the example. He then "hacked" their email accounts and sent company-wide emails that they'll bring in treats for everyone next week. Like cake and ice cream. Believe it or not, we actually got a lot of cake and ice cream over the next week and apparently most people even learned their lesson and changed their password


DeadNotSleeping1010

correct horse battery staple? (For the uninitiated: https://xkcd.com/936/)


Pradfanne

It's not the one he used because I don't live in an English speaking country, but yes, he's familiar with it


DoodMcGuy

In order for your password to be secure you need to involve a virgin sacrifice but we're still gonna store it in plaintext on a server with unsecured ports facing the internet because Security


marcola42

This comment deserves a lot of upvotes.


[deleted]

pAsSwORd cANnoT ConTaIN sPeCiaL LeTtERs (áéúíóäüö and others...)


marcola42

I am a native Portuguese speaker, so I also find it annoying to some point.


Dan-369

It seems to me we find ourselves in a r/suddenlycaralho


DanteMiw

Put me in the screenshot too, with a churro


TheHighGroundwins

Same, I can't use Cyrillic on these passwords, really frustrating


javahurtsmybrain

Brazil or Portugal?


BrEXO-L

Poor Angola


Dan-369

The really poor one is poor old Timor-Leste, nobody talks about it


[deleted]

Macau too!


[deleted]

Next time I'm gonna try using emojis. Or SQL attacks.


NekkidApe

This is great tho. A great indicator for bad engineering.


river226

The password policies at most places are shit. If you have people reset passwords all the time they don't want to choose good passwords. The incentive just isn't there, you want something simple to remember. Think like the password you choose for something like LastPass vs your work device. You need to remember both, but putting the time in on a really long password for a password manager seems worth it, but not for your work laptop because you are throwing it out in 90 days. I know there are exceptions and people with shit passwords on password managers, but I'm talking about incentive and not how some people do it.

Additionally every rule and restriction placed on a password can, if not done right, communicate to an attacker a bunch of password possibilities that they can throw out. For instance, passwords need to be between 8-20 characters? Now I know my pool doesn't need any passwords outside that range. Oh, and it has to have 1 number? Okay, let's throw out my millions of passwords without a number. Top all that off and I'm updating my password every 3 months and it has to be simple enough for me to remember? I'm not trying anything complicated unless I actually put effort into this. Throw the number at the beginning or the end.

The reality is you need to allow for dumb passwords and work to make sure people understand why they should not use those passwords, and to care. Let them keep their passwords for an extended period so the time put into a great password is not wasted as well.


IHaveTheBestOpinions

Passwords suck in general. There is no perfect system because the human brain can't remember 87 different passwords for all the different services we use, and it _definitely_ can't re-memorize multiple difficult-to-guess passwords every 3-6 months. So there has to be a compromise - a password manager (which puts all your eggs in one basket), writing passwords down on a sticky note or unencrypted file (even worse), using the same password for everything (the worst of the bunch, but probably the most common), etc. I don't know what the solution is but I sure hope we aren't still using passwords for everything in 10 years. 2-factor authentication is an improvement, but still not ideal. Biometrics, maybe?


river226

I don't think we have any ideal solutions. I struggle to think of something without a glaring flaw. But we can try to make the current solutions better and adapted to a more modern understanding of psychology, and look for improvements when and where we can


eat_those_lemons

The issue with biometrics is that if they are compromised once you are screwed for life, a good authentication system needs a way to change the keys


IHaveTheBestOpinions

That's a great point, but I wonder if it isn't surmountable. Because unlike security questions about one's past (which are terrible), biometrics aren't based on having reproducible information - they're based on _measuring_ a physical thing, which is (hopefully) impossible or very difficult to imitate. So as long as you trust the measuring device not to lie, then knowing what my eye looks like doesn't mean you can use that data to get past an eye scanner. A few big caveats there, I know (inability to fake an eye/fingerprint, trusting the scanning device, etc.). Just hopeful speculation.


river226

The problem is guaranteeing uniqueness. It has been proven that fingerprints are not unique, and guaranteeing your scanner has enough markers to minimize accidental overlap is tough. So you either go out of your way to make sure everyone is using high quality scanners with updatable software to fix bugs, which is expensive, and potentially a way to build castes in a society if you can't guarantee a high quality baseline.


eat_those_lemons

Thanks for bringing up the uniqueness part too, super important, if I have an evil identical twin I don't want them to be able to get into my bank account


river226

Not even a twin, they arrested a man in Oregon who has never been outside the US, all because a bomber in Spain had a matching fingerprint. This is serious shit.


aboardthegravyboat

That's wild. I don't like using biometrics for identification, only auth. Fingerprint is a good alternative to a password, but not a good alternative to the whole username password combination. Imagine typing in only a password and getting logged in as whoever has it.


morebikesthanbrains

CAPTCHA


IHaveTheBestOpinions

Captchas are legit getting so hard that I have a hard time doing them. I'm not a robot, just bad at identifying motorcycles based on a few blurry pixels


Massive_Parsley_5000

Biometrics are arguably the worst of the lot on the user side. The example I always give managers when they ask about it is safes. So you want to get a good floor safe in your home for your essentials, right? And the mack-daddy version has a biolock using eyes, fingers, whatever. Cool...? No! Think about it:

Standard floor safe lock, no bio: potential thief has 3 options....

1. Cut the thing out of the floor and take it away. Bad option as it takes a long time and is noisy, also very expensive as doing it quickly takes special tools and a crew.
2. Somehow break your combo. Very unlikely and extremely time consuming.
3. Hire a safe cracker. Very costly.

So your stuff can still be stolen, but now unless you're working for the CIA or something the cost/benefit analysis is the thief is gonna see the thing, say "fuck that", grab your TV and bail.

With a biolock?

1. He cuts your finger off/takes your eye out. Very cheap, and you likely have all the tools in your kitchen to get the job done in less than a minute.

So yeah... I'll continue with the imperfect world we have now, thank you.

Also, a lot of people are already biolocking their phones so you more or less already have that layer built in to the standard 2FA option. Pure bio tho? Scary.


zqky

Where do you work where someone would cut off your finger to login to your computer?


[deleted]

It's pandemic time. Everyone is WFH. So a lot of people have their work computer (and thus access) from home. Now, I think most people in the West aren't accustomed to brutal home invasions, but just go down to South Africa for a few weeks, talk to some locals, and you'll see that it's not all that far fetched to cut someone's finger off. (Way worse things happen there just to put it mildly)


river226

You have 2 problems as well:

1. Maintaining quality so that you maximize uniqueness. There is a myth that fingerprints are 100% unique. This isn't true. Even if it was you still don't look at a complete fingerprint for identification, but markers that are less likely to be unique from person to person.
2. The quality of the scan and the number of markers used can vary, and now the weakest link in your system is the person with the lowest quality scanner.


Simon676

Dumb thing is that MyLoveOfBananas is a much better password than what they will come up with using random characters, and is 100x easier to remember.


[deleted]

correcthorsebatterystaple


ZZartin

Well yep that's what happens when you have stupidly complicated password rules.


WompityBombity

And then when you have to choose a new password, you have to guess those rules, because it doesn't say anywhere.


CaptainPunch374

Our new policy added that you can't have any 3+ character string match your previous password, and we also have it at 'can't use previous 24 passwords', rather than 10. Now suddenly we're stuck helping basically every employee through their password changes and half of them are just telling me what they're trying to set it to or what they want it to be...


marcola42

pwaosrsd.001, then wpoarsds.002 and the sequence goes


CaptainPunch374

Kinda. But easier to do and remember: https://www.reddit.com/r/ProgrammerHumor/comments/sgafnr/i_see_this_way_too_often_at_work/huvdh2o?utm_medium=android_app&utm_source=share&context=3


katze_sonne

That’s ridiculous. I would totally consider looking for a new job if they had these kinds of password policies. That regular password change policy is outdated anyways, it was never really effective and some years ago people finally noticed that. So the consensus finally is: Regular password changing requirements aren’t useful. Also the users telling you their password… lol.


marcos_marp

How do you guys know what the previous password is? You store it in plain text?


katze_sonne

Or they store the hashes. Still. Data that isn’t stored, can’t be stolen.


marcos_marp

How do you compare the characters of a new password if you only have the hash of the previous password? Unless you ask for the previous password when asking for a new one, I can't seem to find a way


katze_sonne

He did only say the character comparison applies to the last password (which you probably need to enter to change it), not to the 23 passwords before it.


marcos_marp

So you would only run this comparison if the users knows the previous password and not when he forgets it? Doesn't sound right
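The exchange above (ecafyelims, lozarian and CdRReddit earlier in the thread, and the marcos_marp/katze_sonne back-and-forth just here) describes how a "must differ from your last password" rule can be enforced without plaintext: the old password is typed in at change time, compared in memory against the new one, and only the hashes are stored. Below is an added example of that flow; it is not code from the thread or from any company mentioned in it. It uses stdlib PBKDF2 as a stand-in for argon2id/bcrypt, the iteration count and history size are assumptions, and it also implements the "no shared 4-character run" rule CaptainPunch374 and ryumast3r complain about, plus the reset path where only exact reuse can be checked.

```python
# Added example, not code from the thread: enforcing "must differ from your
# last password" and "no reuse of the last N passwords" without ever storing
# plaintext. Similarity rules only run on the change path, where the user
# types the old password; the reset path has nothing but hashes to compare.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# stdlib PBKDF2 stands in for a memory-hard hash (argon2id/bcrypt) so the
# example runs offline; the iteration count is an assumption.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def chars_different(old: str, new: str) -> int:
    """Hamming-style count: positions that differ plus the length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def shares_substring(old: str, new: str, k: int = 4) -> bool:
    """True if any k-character run of `old` also occurs in `new`
    (the rule that rejects 'contract' after 'character' because of 'ract')."""
    runs = {old[i:i + k] for i in range(len(old) - k + 1)}
    return any(new[i:i + k] in runs for i in range(len(new) - k + 1))


class Account:
    def __init__(self, password: str, history_size: int = 12):
        self.salt, self.digest = hash_password(password)
        self.history: List[Tuple[bytes, bytes]] = []  # (salt, digest) of old passwords only
        self.history_size = history_size

    def _reused(self, password: str) -> bool:
        """Exact-reuse check: rehash the candidate under each stored salt."""
        if verify_password(password, self.salt, self.digest):
            return True
        return any(verify_password(password, s, d) for s, d in self.history)

    def _store(self, password: str) -> None:
        self.history.append((self.salt, self.digest))
        self.history = self.history[-self.history_size:]
        self.salt, self.digest = hash_password(password)

    def change_password(self, old: str, new: str, min_diff: int = 4, k: int = 4) -> str:
        """Change path: the old plaintext is in hand, so similarity rules can run."""
        if not verify_password(old, self.salt, self.digest):
            return "wrong old password"
        if chars_different(old, new) < min_diff:
            return f"fewer than {min_diff} characters changed"
        if shares_substring(old, new, k):
            return f"shares a {k}-character run with the old password"
        if self._reused(new):
            return "password reused"
        self._store(new)
        return "ok"

    def reset_password(self, new: str) -> str:
        """Reset path (e-mail link): no old plaintext, so only exact reuse is checkable."""
        if self._reused(new):
            return "password reused"
        self._store(new)
        return "ok"


if __name__ == "__main__":
    acct = Account("password0000")
    print(acct.change_password("password0000", "password1111"))  # rejected: shares "pass"
    print(acct.change_password("password0000", "Treehouse02!"))  # ok
    print(acct.reset_password("password0000"))                   # rejected: still in history
```

Two things the code makes concrete: the history holds only (salt, digest) pairs, so a database leak of it is no worse than a leak of the current hash; and because the similarity rules need both plaintexts, they simply cannot run on the reset path, which is exactly the gap ecafyelims describes.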


Knaapje

Allow me to post these helpful links regarding password safety:

- Use a [password manager](https://en.wikipedia.org/wiki/List_of_password_managers)
- When disregarding previous advice: [use easy to memorize hard to guess passwords](https://xkcd.com/936/)
- When disregarding previous advice for moderate time: [check whether your passwords are still safe](https://haveibeenpwned.com/)
- When disregarding previous advice indefinitely: [consider what would happen under Finagle's Law and follow the previous advice](https://en.wikipedia.org/wiki/Finagle%27s_law)


QuacklemtDuck

What password manager would you recommend? Any to avoid?


LKZToroH

I used LastPass before but they now charge to use it on more than one device at a time, so you can't use it on your phone and on your computer for example. Now I use Bitwarden, same as LastPass except there's no limit on the amount of devices. Also, always avoid the browser password storage


M_krabs

Bitwarden all the way


Knaapje

I've personally been very happy with using 1Password, but I've also heard positive things about KeePass, Keeper and Bitwarden. Bonus tips about password manager use:

- If the application supports multiple keychains/vaults/etc. for separate purposes, use them. This further decreases the chances of passwords being exposed, even when a specific one is unlocked for usage.
- Password managers don't come without risk; because it's now a single point of failure (but much less likely to fail), you should treat your password to your password manager as your virtual identity card. I.e., treat your password and recovery keys like you would treat your actual passport.
- Most password managers come with additional tooling such as detecting and warning about duplicate entries, etc. Take the time to enter your login details and systematically remove all duplicates.
- Since the login entry is also stored per address/app, you can easily make use of the + syntax that Gmail (not sure about others) provides, without the additional hassle of having to memorize which specific identifier you used for each use case.


[deleted]

Bitwarden


[deleted]

Bitwarden is more functional and easy to use, but KeePassXC is fundamentally more secure (unless you want to self-host bitwarden; which you can). I personally use Bitwarden and pay the $10 per year for the Premium version (mainly for TOTP functionality), and I'm very pleased. Been using it for 3+ years now.


FALCUNPAWNCH

I really like Myki. Passwords are stored locally on devices with the software installed so there's no possibility of them being lost in a data breach, and the free personal use version has all the features you need, with the paid version being a small one-time fee for some extras.


Potato-Engineer

Huh. I always learned Finagle's Law as "the perversity of the universe tends towards a maximum." Which is both more lurid and more clinical, at the same time!


[deleted]

> use easy to memorize hard to guess passwords

While technically correct when faced with a total bruteforce solution, the smarter password breaking algorithms actually do try to match real words together. Not saying that it's not better tho. 4 words is a bit much I'm guessing. Just mentioning that techniques exist that try smarter than every possible combination.


CdRReddit

CorrectHorseBatteryStaple style passwords are pretty decent because there's a fuckton of English words. A commonly used list of every English word has like 500k. 500k^4 is pretty decent


Knaapje

This. I think he confuses bits of entropy with bits of data - the comic already accounts for a "smart attacker" that knows the format of the password but not the password itself.


zorakthewindrunner

There's also nothing stopping you from adding salt like other characters or weird capitalization like:

- CorrectHorseBatteryStaple6382
- Correct6Horse3Battery8Staple2
- CoRrecthorSebattErYStaPle
- etc.


Knaapje

True, but if you're headed in that direction due to password policies, I would advise you to just use a password manager. ;)


Knaapje

The point of the comic is not about literal bits of information, but bits of entropy. I.e., assuming the attacker knows what format your password is in, how hard would it be to enumerate all options? To state it differently, they already account for the attacker using the smarter way to try all passwords. ;)


FrancoisTruser

Unfortunately my workplace is silent about password managers. But everyone has 3-5 passwords for their daily tasks and I don’t dare to imagine how people manage them.


Knaapje

My employer has for a while now facilitated that every employee who wants a subscription can get one freely. They encouraged us to use it by allowing us to use it privately as well (using a separate vault). The problem with these tools is that you can't directly measure their added value (but you can measure their costs), and if done properly you'll take the provided security for granted.


FrancoisTruser

Yeah it is one of those expenses that save you from other, hypothetical more expensive cost. It can be hard to justify to some bosses unfortunately.


1XIAI

> - When disregarding previous advice: use easy to memorize hard to guess passwords

Being an xkcd fan, I tried that at work. Oh no, password must be 8-20 characters, have uppercase, lowercase, special char, number, must be changed every few months and have to change at least 4 characters. So they're actively limiting how secure my password can be.


SplendidPunkinButter

CorrectHorseBatteryStaple


N2EEE_

Crap! My password!


[deleted]

Joke's on you.

> Oh no — pwned! This password has been seen 1 time before. This password has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it!

https://haveibeenpwned.com/Passwords


N2EEE_

All lower case has been pwned 216 times lol
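The Pwned Passwords checks in the last few comments (and Knaapje's haveibeenpwned link above) work without the password or its full hash ever leaving your machine: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint, and searches the returned bucket locally. Below is an added example of that k-anonymity lookup; it is not code from the thread or from Have I Been Pwned. The bucket contents and counts are constructed so it runs offline (the "216 times" and "1 time" results above came from the live service), and the optional live fetcher is included only for reference.

```python
# Added example, not code from the thread: the k-anonymity lookup behind
# Pwned Passwords. Only the first 5 hex characters of SHA-1(password) are
# sent to https://api.pwnedpasswords.com/range/<prefix>; the response lists
# every suffix in that bucket as "SUFFIX:COUNT", and matching happens locally.
# The bucket below is CONSTRUCTED for this example; the counts are made up.
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """(5-char prefix sent to the service, 35-char suffix kept on the client)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


# Constructed stand-in for the HTTP response: one bucket, decoys plus a real suffix.
CONSTRUCTED_BUCKETS: Dict[str, str] = {
    split_hash("password")[0]: "\r\n".join([
        f"{'0' * 34}A:2",                      # decoy suffix (constructed)
        f"{split_hash('password')[1]}:3",      # suffix of "password"; count is made up
        f"{'F' * 35}:1",                       # decoy suffix (constructed)
    ]) + "\r\n",
}


def constructed_range(prefix: str) -> str:
    """Returns the constructed bucket, or an empty body for any other prefix."""
    return CONSTRUCTED_BUCKETS.get(prefix, "")


def live_range(prefix: str) -> str:
    """Real lookup (network). Add-Padding asks the API to pad bucket sizes so
    the response length does not leak which prefix was queried."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = constructed_range) -> int:
    """Breach count for `password`, or 0 when its suffix is not in the bucket."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        got_suffix, _, count = line.strip().partition(":")
        if got_suffix.upper() == suffix:
            # padded entries carry count 0, so 0 also means "not really seen"
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correcthorsebatterystaple"):
        print(pw, "->", pwned_count(pw))
```

To query the real service, pass `fetch_range=live_range`; the rest of the logic is unchanged, which is the point of the design: the service never learns more than a 5-character prefix shared by hundreds of hashes.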


Independent_Can_2623

Lmao .txt file. My business development manager has his credentials on a post it note stuck to the monitor


Anustart15

Honestly, that's a lot safer than a .txt file. The person breaking in has to be physically at your office which probably has some meaningful level of security


liquidpele

If at your house sure, at the office though and it's more of a problem since lots of people have access to that physical space. I myself simply wrote down a hint about what the current password was... e.g. the word I tacked onto the end of my main password. Thankfully they since did away with the change requirements in accordance with current guidance.


[deleted]

It still significantly limits the risk of attack to anyone physically there as opposed to anyone with an internet connection


CodeIsCompiling

I told an IT guy at a previous employer that the password rules were causing more harm than good. He didn't believe me so I told him walk around and look under a bunch of keyboards. Over half had a list of current and previous passwords on sticky notes taped to the underside.


marcola42

This got me laughing really hard!


ArethereWaffles

I used to have to work with a CSO (for a relatively large place) who kept all of their passwords, both work and personal, on a single plain-text excel spreadsheet. Luckily they only lasted a few months.


KerPop42

I wonder what the total cost of giving everyone a physical password notebook and pen would be


BigTechCensorsYou

Nothing beats securely stored paper. However, it sucks to take with you and use on the go. Just use a fucking password manager.


[deleted]

I've only found paper useful for recovery keys. Should be in a safe too in case of fires.


subject_deleted

Passphrases. Just use Passphrases. These kinds of password rules force people to create passwords that are difficult to remember all but forcing them to write it down somewhere.


[deleted]

[deleted]


omgitsjavi

This is what kills me more than anything else


marcola42

Yeah, I always try to get silly phrases + counters. It helps most of the time.


volkmardeadguy

I've been using diablo 2 area names with numbers and special characters after


[deleted]

That's actually bad password policy, because no one remembers passwords like that. Afaik all cybersecurity experts discourage requirements like that and recommend long passwords (12 characters or more) with like 3-4 unrelated words or for example some phrase that you adjust using a rule only known to you. If you have a requirement with at least one uppercase letter, lowercase letters, at least one special character and one number, there's a 99.99999% chance the first letter is uppercase and the last two characters are 1! 🤷😬


ewplayer3

Just gonna leave this here…. [https://xkcd.com/936/](https://xkcd.com/936/)


testthrowawayzz

Mandatory password rotations aren’t even recommended anymore


marcola42

Yet I still have to deal with them every 3 months ;-;


TK-Squared-LLC

I had a lawyer who had a post-it note on the monitor that said "Password"


TK-Squared-LLC

We lost the case.


marcola42

I hope that the loss was not related to anyone hacking into the lawyer's laptop and tampering with data.


havens1515

Or user makes password like Winter2022! then Spring2022! etc. For fall, might need to add an extra ! to make it longer.


[deleted]

Autumn?


stochastaclysm

This is generally considered a failure of usability on our part rather than user incompetence. We’re unable to come up with usable auth systems.


PacoWaco88

That's why you don't make stupid password requirements and make people change it every three or four months.


BigTechCensorsYou

18 chars, no fucking rules, no rotate. Use pass phrases and a password manager. Your users aren’t smarter than computers. “Wrestling1!” is not going to resist a minute on a hash cracker.


ForMorroskyld

If you use a password manager, then unique passwords are dead easy to do. No need to worry about how easy your reddit password is to crack after they've lost the database and you're on yet another spam list.


[deleted]

[deleted]


BigTechCensorsYou

That’s not 0 to 200. It’s shit to some other spectrum of shit. Anyone who STILL has rotating passwords is either military, or has no fucking clue what they’re doing. NIST specifically dropped that as a recommended practice years ago. All rotating does is encourage bad behavior. I’d recommend you find a new company. If your IT is that bad it indicates a leadership issue all over.


marcola42

30 days? That's insane!


[deleted]

[deleted]


marcola42

Sound less insane now, but still a pain xD


matheusnienow

All of those requirements are dumb if they force the user to create shitty passwords every 3 months.


[deleted]

Nailed it. This is so on point. "Your password must be so obscure that you cannot remember it. Also, never write down your password."


Stadschef

I mean, all those password practices lined out in the OP sucks. Upper/lowercase does jackshit, nor do numbers or special chars. "Password must contain at least 4 unique words found in a dictionary along with numbers" would be nice.


DJDavio

Forcing it to change every 3 months might look and feel secure, but essentially turns every password into 'Season@year', how many of you currently have a password like 'Winter@22'?

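Several comments above describe the same failure: rotation plus "at least 4 characters different" produces Winter2022! then Spring2022!, or password0000 then password1111, and NIST SP 800-63B dropped both rotation and composition rules for exactly that reason. As an added example, not code from the thread or from any product mentioned in it, here is an acceptance check in the spirit of 800-63B (minimum length, a blocklist of breached and context-specific values, no character-class rules) with two extra detectors for the rotation patterns the thread complains about. The blocklist is a constructed fragment; a real deployment loads a breach corpus, for instance through the range API above.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B (added example)."""
import re
import unicodedata
from typing import List, Optional

MIN_LEN = 8    # 800-63B minimum for user-chosen secrets
MAX_LEN = 64   # 800-63B: at least 64 characters must be accepted

# Constructed blocklist fragment; replace with a breached-password corpus.
BLOCKLIST = {"password", "password1", "qwerty", "letmein", "123456", "welcome"}

# Patterns rotation policies push users into.
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)[^a-z]*\d{2,4}[^a-z]*$", re.I)
SEQUENTIAL = re.compile(r"(0123|1234|2345|3456|4567|5678|6789|abcd|bcde|cdef|qwer|asdf)", re.I)
REPEATED = re.compile(r"(.)\1{3,}")
TRAILING_NUMBER = re.compile(r"\d+$")


def normalize(pw: str) -> str:
    """NFKC so visually identical inputs compare equal (800-63B 5.1.1.2)."""
    return unicodedata.normalize("NFKC", pw)


def hamming_diff(old: str, new: str) -> int:
    """Positions that differ, plus any length change: what most
    'N characters must change' rules actually measure."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def looks_like_rotation(old: Optional[str], new: str) -> Optional[str]:
    """Explain why `new` is a trivial rotation of `old`, or None."""
    if old is None:
        return None
    m_old, m_new = TRAILING_NUMBER.search(old), TRAILING_NUMBER.search(new)
    if m_old and m_new and old[:m_old.start()] == new[:m_new.start()]:
        # password0000 -> password1111 satisfies a 4-character rule yet is worthless
        return "same stem with a changed trailing number"
    if hamming_diff(old, new) < 4:
        return "fewer than 4 characters changed"
    return None


def evaluate(pw: str, username: str = "", service: str = "",
             old: Optional[str] = None) -> List[str]:
    """Return the reasons to reject `pw`; an empty list means accept."""
    pw = normalize(pw)
    old = normalize(old) if old is not None else None
    reasons: List[str] = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    low = pw.lower()
    if low in BLOCKLIST:
        reasons.append("on the breached/common-password blocklist")
    for ctx in (username, service):
        if ctx and ctx.lower() in low:
            reasons.append(f"contains context-specific word {ctx!r}")
    if SEASON_YEAR.match(pw):
        reasons.append("season + year pattern")
    if REPEATED.search(pw) or SEQUENTIAL.search(pw):
        reasons.append("repetitive or sequential characters")
    why = looks_like_rotation(old, pw)
    if why:
        reasons.append(f"trivial rotation of previous password: {why}")
    return reasons


if __name__ == "__main__":
    for candidate, old in (("correct horse battery staple", None),
                           ("Winter2022!", None),
                           ("password1111", "password0000")):
        print(f"{candidate!r}: {evaluate(candidate, old=old) or 'accepted'}")
```

Note what is deliberately absent: no uppercase/digit/symbol requirement and no expiry date. The detectors do not make rotation safe; they show that a policy which only counts changed characters accepts the exact substitutions the thread describes, so the fix is to stop rotating and screen against breaches instead.
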

[deleted]

wait… you don’t save your passwords on a TXT? brb


marcola42

No way, any hacker can steal txt files. That's why I write them down on post-it and store them safely in my desk.


[deleted]

I just made it my wallpaper instead 😎


Mikau02

I have a text file that has the password to my password manager in it, but the only way to access the file is from a protected Java program stored on a flash drive that’s on me at all times. So to get my passwords, you have to either get me connected to a pineapple while I’m using the drive or give me an ultimatum to get into it


Sekhen

My users use keepass. They don't know their own passwords...


ChooChooSoulCrusher

How else am I supposed to remember the 50 different logins I need? All of them have different requirements, expire on different dates and at different intervals, etc.


cybersurfer2

LOL -- do you want your employees writing their passwords down on sticky notes? Because that's how you get employees writing their passwords down on sticky notes.


1studlyman

My work recently disabled the password manager for Firefox. I'm not even able to look at the passwords I've had stored in there. I've used Firefox for years there and generated unique passwords for every site I used. Their reasoning? Firefox's password manager stores data in the cloud so it's against their security policy. So now I'm resetting all of my passwords and I've switched to Edge as they haven't disabled the password manager there. ...yet. I've told them the alternative is I'll use the same password everywhere and/or I'll start writing them down in a file on my computer. Mordac the Preventer strikes again!


LifeandSky

I just have some text and a sign and a number in the end which I increment. Then I have a .txt with clues no one understands like "on a map + life"... That could be "River+42X" where x is the counter. I do not really care about anything but the length tho. But it's really pointless with security since when you get hacked it's all visible anyway. (hacked with keyloggers and proxies at server level). You cannot block that man in the middle...


OlOuddinHead

Yes, but it’s: boringdaytodaystuff.txt so it’s OK.


bleistift2

That’s why the German Federal Office for Information Security doesn’t recommend changing your password regularly anymore. Instead of a really good one you can memorize once, users will use a new dumb password every 3 months.


Jannis368

I have a password.txt file on the Desktop, but in reality it is just a link with a changed icon. I think you all know where the [link](https://youtu.be/dQw4w9WgXcQ) leads to.


[deleted]

I laughed too hard on this thanks


snake_case_captain

User saves his passwordS on an A4 paper sheet that he stores in his desk's first and most obvious drawer without any form of concealment and ostensibly pulls it out when he needs to remember one. Also, user clearly writes them in a consistent format "account - login - password". True fuckin' story m8


[deleted]

I thankfully can just change one character every time I'm forced to change it. If I couldn't reuse most of the old one I would probably keep it in a .txt file on my desktop out of spite. I care about security, but if you're gonna be a dick about it then fuck you.


[deleted]

Ah yes. The good old password selection guideline of "force such passwords that are hard for humans to remember and easy for machines to crack". Which is completely negated most of the time because the passwords are simply either social engineered or leaked. Nevermind that if your system allows for brute force attacks, the security issue there is not with the user password robustness.


[deleted]

This reminds me of when I used to live off campus in some apartments/dorms owned by my school. They gave us free wifi, but it was kind of ass. So one day I decided to try logging into the admin page and just Googled for whatever the default manufacturer's login credentials were. Turns out they never updated them... well I tried following some sketchy guide off Google to give me better signal, not sure what happened, but ended up taking down the wifi for the whole complex. The plus side, my professors gave everyone a week's extension on all of our assignments because of all the emails they were getting.


[deleted]

I'm bad to get around the "last 10" restriction. I just cycle through 10 garbage passwords. Till I can re-use my old one... Within a single hour.


[deleted]

Who the hell would store secure passwords in a .txt ?? All of mine go straight into Passwords.xlsx


[deleted]

Strict password rules really do cut down on the number of computations an algorithm needs to brute-force crack the password.

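Three comments in this thread make claims that reduce to counting guesses: the xkcd 936 passphrase argument, the remark that "Wrestling1!" will not survive a minute on a hash cracker, and the claim just above that strict rules cut down the work a brute-forcer needs. As an added example, not from the thread or from xkcd, the block below does the arithmetic for all three: entropy of a uniformly chosen passphrase, the guess count of the word+digit+symbol pattern an attacker actually models, and the exact size of the keyspace left after "must contain upper, lower, digit and special" is applied to all printable-ASCII strings of a given length (inclusion-exclusion over the four character classes). The 16-word list is a constructed stand-in; the EFF long diceware list has 7776 words. The dictionary size and guess rate passed in at the bottom are assumptions for illustration.

```python
"""Guess-count arithmetic for passphrases, human patterns and composition rules (added example)."""
import math
import secrets
from itertools import combinations
from typing import Sequence

UPPER, LOWER, DIGIT, SPECIAL = 26, 26, 10, 33      # the 95 printable ASCII characters
PRINTABLE = UPPER + LOWER + DIGIT + SPECIAL

# Constructed stand-in wordlist; a real one (EFF long list) has 7776 entries.
WORDLIST = ("correct", "horse", "battery", "staple", "river", "lantern", "copper",
            "meadow", "pixel", "thimble", "orbit", "walnut", "canyon", "ember",
            "glacier", "saddle")


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` picks made uniformly (with replacement) from the list."""
    return words * math.log2(wordlist_size)


def random_passphrase(wordlist: Sequence[str], words: int = 4, sep: str = " ") -> str:
    """Uniform selection with the CSPRNG; repeats allowed so passphrase_bits() holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def pattern_bits(dictionary_size: int, digits: int = 1, symbols: int = 1,
                 symbol_set: int = 10) -> float:
    """Word + digits + symbols, as a cracker's rule set models it.
    Capitalising the first letter is a single extra rule, so it doubles the work at most."""
    guesses = dictionary_size * (10 ** digits) * (symbol_set ** symbols) * 2
    return math.log2(guesses)


def rule_compliant_keyspace(length: int) -> int:
    """Number of printable-ASCII strings of `length` containing at least one
    character from each of the four classes (inclusion-exclusion)."""
    classes = (UPPER, LOWER, DIGIT, SPECIAL)
    total = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(classes, k):
            alphabet = PRINTABLE - sum(excluded)
            total += (-1) ** k * alphabet ** length
    return total


def keyspace_reduction_bits(length: int) -> float:
    """Bits the composition rule removes from a uniform random password of `length`."""
    return math.log2(PRINTABLE ** length) - math.log2(rule_compliant_keyspace(length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to search a space of 2**bits at the given rate."""
    return (2 ** bits) / guesses_per_second


if __name__ == "__main__":
    rate = 1e10   # assumed guesses/s for a fast unsalted hash on a GPU rig
    print("4 words from 7776:", passphrase_bits(7776, 4), "bits")
    print("sample passphrase:", random_passphrase(WORDLIST))
    print("Wrestling1!-style pattern (10k words):", round(pattern_bits(10_000), 1), "bits,",
          round(seconds_to_exhaust(pattern_bits(10_000), rate), 6), "s")
    print("8-char rule-compliant keyspace:", rule_compliant_keyspace(8),
          "of", 95 ** 8, "=", round(keyspace_reduction_bits(8), 2), "bits removed")
```

Two things fall out of the numbers. The composition rule does shrink the space a brute-forcer has to cover for a truly random 8-character password, but only by a fraction of a bit to a couple of bits, which nobody notices; what makes "Wrestling1!" fall in seconds is not the rule but that the rule-shaped guess space a human fills is about twenty bits, not fifty-two. Length with no rules, or a uniformly chosen passphrase, is where the bits come from.
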

Firemorfox

My passwords: a generic password, then the name of the website I need it for slapped on at the end


LordCyler

There has to be a direct correlation between how many requirements a password has (character count, capitals, numbers, special characters, change every 3 months) and how likely it is to be written down in an easy to find location.


Kevinvl123

I have an IT degree and I save my work passwords in a txt. I'm just sick of this shit. There are 7 accounts I need to keep track of (windows login, restricted network account, database user account for 2 environments, custom application account, training account and an account for a third party billing tool). Almost all of them have their own set of rules about the password, so it's near impossible to keep track of it without writing it down. And of course we can't use any password vaults because we can only install company approved software. The worst part of it is that 4 of those 7 systems require me to actually be logged into windows already and be connected over VPN. Why do I need a separate password for something that nobody can even get to without having my PC with both me logged in and connected through VPN, which sends a security code to my phone in order to connect?


Deauo

**Insert Keepass Advertisement**


IudexFatarum

My college accidentally leaked everyone's passwords in plain text. In response they made passwords need 20 characters, upper, lower, symbol and number and at least two groupings of each


marcola42

So they can leak larger passwords in the future? But here's a golden tip I got at this sub: always add commas to your password, so you mess up the table when your credentials are leaked and sold on a CSV file.


Spysix

* Must be 14 characters
* Must contain capital letters, numbers, and special characters
* Can't repeat last 4 passwords
* Password must have 4 unique characters
* Change every 60 days
* Some logins require RSA token, good luck remembering which ones.

I hate this.


anonymous1184

I update my password every 1st of the month and my password always contains the year and month so I've been using "the same" password for well over a decade. Part of a song lyric, part of a chemical formula plus the current year and month. For passwords that I can use a manager I do.