This practice is not recommended anymore, yet still found in many enterprises.

  • ikidd@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 months ago

    Hell, I don’t even know my passwords. My password manager does. Sometimes I forget the main password but thankfully my fingers don’t, unless I start thinking about it.

    • Creat@discuss.tchncs.de
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      How do you use your password manager to log into your PC. I mean with the AD password you’re changing monthly with “high complexity”? Cause that’s the actual problem scenario in enterprises.

      If someone asks me to change some normal password, I really don’t care, just like you (cause password manager), but the main login scenario just isn’t solved with one.

  • NastyNative@mander.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    This 90 days password change BS, is the worst security risk there is. Do you know how many people have Summer2024 as their work computer password because of this system? too damn many! Not to mention the problem it creates for older folks who have a hard time with the change and most times end up locking them selves out. It creates far more chaos than anything secure, which I have been explaining to my company and they still enforce it for their clients.

    • DefederateLemmyMl@feddit.nl
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      It’s often due to the security department following outdated standards. Nowadays NIST recommends the following:

      Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

      Source: https://pages.nist.gov/800-63-3/sp800-63b.html

      That said, the company I work for violates all of the above rules …

    • ByteOnBikes@slrpnk.net
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      Summer2024 is their password? Jeez. What a idiot.

      Mine is a proper set of lowercase and uppercase characters, numbers, and symbols, written in a post-it note and taped to my laptop.

    • Fatcat560@discuss.tchncs.de
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      NIST seems to have it as a guideline for memorised secrets:

      Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

    • cron@feddit.orgOP
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      The most prominent source is NIST, which states:

      Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (source)

      I found an explanation on a different site:

      It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).

  • boredsquirrel@slrpnk.net
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Max. 16 characters

    (Still remember: if they have a password length limit, they store the password in plain text!)

    • dQw4w9WgXcQ@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      Why would you say that? Services are able to require special characters, variable casing and numbers. Why would the reqirement of max length of the password cause the storage to succumb to plain text?

      • cm0002@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        He should have said a short length limit, it’s still recommended to have a length limit of some sort (I think 64 is the official recommendation) to prevent people from doing shit like pasting the entire Shrek script as a password (because you KNOW some people will lol)

      • boredsquirrel@slrpnk.net
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        I think they could also check that length with Javascript in the browser. Dont know, you should ask the devs.

  • Aeri@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    I’m convinced this isn’t particularly secure because it just results in the following. Mandatory password change, password can’t be any of your last six, bla bla bla. Boom rotating stock of my last six, you happy?

    “BOB-CEMU” “BOB-MERC” “BOB-SIVA” “BOB-MILK” “BOB-CERA” “BOB-DELT”

    • The_v@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      2 months ago

      Had one company where you couldn’t use the same password for 12 months, 10 digit minimum, and had to change it every month

      My very secure password series at the time.

      DumbP@ss#01

      DumbP@ss#02

      DumbP@ss#03

  • Etterra@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Yeah, but I’m more used to them saying “occasional overtime” when they mean “5-10 hours mandatory overtime, unless it’s actually busy, because we refuse to hire enough people to fill all the open positions.” Because there’s nothing smarter than giving all your sales staff enormous bonuses while the grunts on the floor are over 6 months behind for lack of adequate staffing.

  • esc27@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Never is too long. Monthly is way to short. I like the idea of doing it yearly in conjunction with other it security awareness and training campaigns.

    • RecluseRamble@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      Never is too long.

      Why? Frequent password changes have been shown to result in weaker passwords. What’s wrong with keeping a strong one indefinitely? I mean an actual strong one not one character more than what’s current bruteforceable.

      • CompN12@lemmy.frozeninferno.xyz
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        Forever is vulnerable to phishing attacks, same reason why monthly is getting discouraged. Monthly is weaker because the average person does slight variation, which attackers LOVE.

        • RecluseRamble@lemmy.dbzer0.com
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Frequent password changes don’t protect against phishing.

          And while a high frequency like monthly changes will probably result in even weaker passwords, also yearly changes will make people choose weak passwords.

      • esc27@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        Overtime people will slip up and leak their passwords. Maybe they accidentally log in with it in the username field (causing it to get logged), leave it on a forgotten postit note, share it with a spouse, used it for a 3rd party service, wore a pattern into their keyboard, etc. None of those are that big of a deal or all that common, but added up with enough time and people and the risk accumulates. A infrequent but regular password reset helps to mitigate that risk.

        Regular password resets can also help to prevent password reuse. Suppose someone uses their work password for netflix, then work requires a password change. How likely are they to manually sync the netflix password back to match the one they use for work?

        Of course there are much better ways to mitigate risk. E.g. multifactor authentication. But a major security principal is defense in depth, and I think reasonably infrequent (e.g. no more than once per year) password resets have a place in that.

        This goes for physical keys as well. If it is your house and you are certain no one untrustworthy has your key, then fine. But for a larger org with multiple people and turnover. Sooner or later keys will get lost, misplaced, etc. Rekeying the locks (maybe every 5 years, maybe every 25 years) has merit.

    • ObsidianZed@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      Agreed. My last job, we were forced to change all service account passwords annually but our personal passwords every month or two.

      My current job has more domains and systems so I have so many more passwords with varying complexity and age requirements. I just set a calendar event for every four weeks (one expires just under 5 weeks) and change them all to the same generated password that meets all the common requirements and I save it in my password manager.

      So every four weeks, it’s seriously this hour+ long ritual for virtually no enhanced security reason.

      • ITGuyLevi@programming.dev
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        Have you considered scripting it? For a while I worked at a place that required changing passwords every 60 days and it couldn’t have been one of your previous 24 passwords. When checking out the policy I noticed there was no minimum password age so a quick for loop later and Bob becomes your mother’s brother. Quickly cycling through 24 random passwords and back to my secure one and no more just adding the month/year.

        Of course I reported it to cyber and about a year later they added a minimum age, now I’m hoping to get them to address an issue in AD that sidesteps changing passwords (though that one may be around for a while).

        • ObsidianZed@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Unfortunately I don’t think that’s possible for my situation. Most of my passwords require logging into a portal and accepting terms of agreements.

          • ITGuyLevi@programming.dev
            link
            fedilink
            arrow-up
            0
            ·
            2 months ago

            Yeah, future me wonders why I even suggested it, I’m sure it probably violates the spirit of password change requirements.

            • ObsidianZed@lemmy.world
              link
              fedilink
              arrow-up
              0
              ·
              2 months ago

              I mean it’s a clever solution for those without password manages. Plus most of the suggestions in these comments violate the spirit of password change requirements.

  • MystikIncarnate@lemmy.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    IMO, password changes were always bs. I’m a tech, and I always disagreed with it.

    Longer, better passwords were always the better option. But try to convince your average worker to memorize a 15+ character password and they’ll tell you where to go.

    Meanwhile… https://xkcd.com/936/

    Today, with MFA… Good MFA, not the SMS bull crap… Password “leaks” or breaches, are effectively a thing of the past.

    Oh, you have my password? You guessed it, or found out leaked on some list? Cool. Good luck guessing the seed for my MFA, in the time it takes me to go change my password, locking you out of my account. MFA failures should be reported to users. Often they’re not.

    Short story: I once had a notice from Twitter about access to my account from a foreign location. Kudos to Twitter, since they recognised the odd behavior and stopped it (this is pre-musk Twitter BTW). I logged in, changed my password using my password manager (the previous password was too simple, from before I had a password manager), then added a FIDO MFA to my account. I tweeted out to whomever was trying to log in to my account, to thank them, as my Twitter account now had better login security than my bank. IDK why banks don’t support MFA beyond sms, but that was the case at the time, and largely, that’s still the case where I am.

    From a security standpoint, I recommend you follow xkcd’s example, generate a long passphrase for yourself, and use it to secure a password manager (and whatever recovery options they have, eg, email), and add MFA to that, and anything else that supports it.

    It’s a pain to do, but honestly, better than waiting to see if someone is going to be able to log in to your stuff when your password is inevitably leaked by someone.

  • taiyang@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Gotta do mine twice a year, always needs to be new, have a number, and a special character. It was annoying because I’m a pass phrase kind of person, but found it’s not too hard to just add the year and exclamation marks for each password change into my passphrase.

    Plus password managers exist so whatever.

      • taiyang@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        Nope, has to be new and unique every time. Their system keeps every password I’ve ever had, which if you think of it, is a really bad liability if they’re hacked.

      • StrangeQuark@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        For me, no. Can’t be the same or too similar to the past 4-5 passwords and has to be 14 characters long.

        • Owl@mander.xyz
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Oh, as a french philosopher said:

          “Never has so much spirit been put into making us stupid.” -Voltaire