this post was submitted on 20 Aug 2024
600 points (98.9% liked)

Cybersecurity - Memes

1989 readers
2 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
 

This practice is not recommended anymore, yet still found in many enterprises.

top 50 comments
sorted by: hot top controversial new old
[–] henfredemars@infosec.pub 88 points 3 months ago* (last edited 3 months ago) (3 children)

Monthly password change.
Enforced high complexity.
Sticky note on screen.

[–] The_v@lemmy.world 22 points 3 months ago (1 children)

Hey now, it's under the keyboard. Much more secure there.

[–] henfredemars@infosec.pub 7 points 3 months ago

ProjectnameMonthYear!!

[–] cor315@lemmy.world 12 points 3 months ago (1 children)

Monthly? That is insane. Let me guess, no mfa.

[–] henfredemars@infosec.pub 6 points 3 months ago
[–] wazoobonkerbrain@lemmy.world 4 points 3 months ago
[–] ikidd@lemmy.world 50 points 3 months ago (1 children)

Hell, I don't even know my passwords. My password manager does. Sometimes I forget the main password but thankfully my fingers don't, unless I start thinking about it.

[–] Creat@discuss.tchncs.de 10 points 3 months ago (1 children)

How do you use your password manager to log into your PC. I mean with the AD password you're changing monthly with "high complexity"? Cause that's the actual problem scenario in enterprises.

If someone asks me to change some normal password, I really don't care, just like you (cause password manager), but the main login scenario just isn't solved with one.

[–] curbstickle@lemmy.dbzer0.com 11 points 3 months ago (1 children)

Mobile device. Read and type.

[–] wreckedcarzz@lemmy.world 8 points 3 months ago

This guy: 😎

[–] muntedcrocodile@lemm.ee 42 points 3 months ago (2 children)

Isnt this just bad practice?

[–] cron@feddit.org 24 points 3 months ago (1 children)

Microsoft recommends against it since 2019. But apparently, it is still a thing.

load more comments (1 replies)
[–] NastyNative@mander.xyz 38 points 3 months ago (3 children)

This 90 days password change BS, is the worst security risk there is. Do you know how many people have Summer2024 as their work computer password because of this system? too damn many! Not to mention the problem it creates for older folks who have a hard time with the change and most times end up locking them selves out. It creates far more chaos than anything secure, which I have been explaining to my company and they still enforce it for their clients.

[–] SpaceCadet@feddit.nl 10 points 3 months ago* (last edited 3 months ago)

It's often due to the security department following outdated standards. Nowadays NIST recommends the following:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Source: https://pages.nist.gov/800-63-3/sp800-63b.html

That said, the company I work for violates all of the above rules ...

[–] ByteOnBikes@slrpnk.net 9 points 3 months ago (2 children)

Summer2024 is their password? Jeez. What a idiot.

Mine is a proper set of lowercase and uppercase characters, numbers, and symbols, written in a post-it note and taped to my laptop.

load more comments (2 replies)
load more comments (1 replies)
[–] Affidavit@lemm.ee 35 points 3 months ago* (last edited 3 months ago) (1 children)

Password1

Password2

Password...

Password28

Password29

Edit: Call IT to reset password costing the company money because of their idiotic password policy

Password...

Password43

[–] wreckedcarzz@lemmy.world 8 points 3 months ago* (last edited 3 months ago)

No joke, my father used to have to do this. I set him up with a solid pw via pw mgr and then we found out that it had to be changed every 60d. He was going to just generate a new one but I was concerned that he'd screw it up and need help resetting the pw every time, so I was like "...just had 1 to the end, and do the same in the mgr; next time 2, then 3...".

He got to like 8 before (it appears, he stopped complaining about it) they dropped the policy. I just know that every other employee (these are not tech positions whatsoever) just resorted to "password1" and IT realized how fucking stupid that is.

Oh and it retains your last like 5 passwords, so you can't do "password1" "password2" "password1". Brilliant.

[–] Vertelleus@sh.itjust.works 25 points 3 months ago (1 children)

It's even better when the company saves your old passwords, just so you can't use them again.

[–] RecluseRamble@lemmy.dbzer0.com 21 points 3 months ago (2 children)

Just add a number suffix and increment it each time. This doesn't exactly make your password any stronger but that's not what they're asking for with their stupid policy.

[–] YerbaYerba@lemm.ee 10 points 3 months ago (2 children)

My company tracks the first and last character so you can't do that. Personally I change a single character in the middle of my password to work around this.

[–] pivot_root@lemmy.world 13 points 3 months ago* (last edited 3 months ago)

Error: Your password's Levenshtein distance indicates that your new password is more than 20% similar to a password previously used within the last 10 years.

Policy requires your password to:

  • Be unique
  • Have at least one uppercase letter
  • Have at least one lowercase letter
  • Contain 2 symbols other than apostrophe
  • Have 4 numbers that are either separated by other characters, or represent an integer both greater than 3000 and not ending with the same last two digits as the previous or next 17 years from the current date.
  • Include exactly one Cryllic character
  • Exceed no more than 18 characters

/satire (I hope)

[–] lightnsfw@reddthat.com 6 points 3 months ago

Same. Its so stupid. Doesn't increase security and just annoys everyone.

load more comments (1 replies)
[–] Varyk@sh.itjust.works 23 points 3 months ago* (last edited 3 months ago) (1 children)

oh i didn't know that, are companies finally realizing that creating and trying to remember new passwords causes more trouble then keeping one really good password?

[–] slazer2au@lemmy.world 6 points 3 months ago (1 children)

Only on accounts that have MFA is password rotation no longer recommended.

If the account is non MFA protected password changes are still recommend.

[–] Varyk@sh.itjust.works 5 points 3 months ago* (last edited 3 months ago) (2 children)

really? what's the standard for that? like how often should you be rotating your password?

I assumed many people forget their new passwords (because I often do) and become compromised than are protected by continually rotating passwords.

[–] skittlebrau@lemmy.world 6 points 3 months ago

I have over 500 passwords in my password manager. I don’t know what I’d do without it.

load more comments (1 replies)
[–] Crozekiel@lemmy.zip 19 points 3 months ago (2 children)

My company's HR system (like, time off, time clock, etc.) asks for a new password every 3 months, but it doesn't give any fucks at all if you just reuse the current password apparently. I've been "changing" it to the same thing for like a year now.

[–] dQw4w9WgXcQ@lemm.ee 17 points 3 months ago

Which is often a lot more secure than requiring you to create a new password. Requiring a new password frequently leads to people making memorable passwords which are a lot less secure than a good password which is kept for years.

A few years back, my company suffered a big cyber attack where the attack vector was the credentials of a high level user who frequently changed their password to the year and month for next password change, i.e. "2018october". Apparently this was common enough that the attackers were able to brute force/guess it.

[–] ByteOnBikes@slrpnk.net 4 points 3 months ago

I prefer that.

I've changed my password 11 times since I worked at this job.

How do I know that? Because my solution has been password+1.

[–] Aeri@lemmy.world 18 points 3 months ago (2 children)

I'm convinced this isn't particularly secure because it just results in the following. Mandatory password change, password can't be any of your last six, bla bla bla. Boom rotating stock of my last six, you happy?

"BOB-CEMU" "BOB-MERC" "BOB-SIVA" "BOB-MILK" "BOB-CERA" "BOB-DELT"

[–] The_v@lemmy.world 17 points 3 months ago* (last edited 3 months ago)

Had one company where you couldn't use the same password for 12 months, 10 digit minimum, and had to change it every month

My very secure password series at the time.

DumbP@ss#01

DumbP@ss#02

DumbP@ss#03

[–] Anticorp@lemmy.world 3 points 3 months ago

Hey! You lied! None of those worked just now. Tell us your real password.

[–] acockworkorange@mander.xyz 8 points 3 months ago (2 children)

Every three months, man. Gets old real fast.

load more comments (2 replies)
[–] GreyEyedGhost@lemmy.ca 7 points 3 months ago

My company changed the policy to increase the time between password changes. To compensate, they increased the required password length.

Neither of these policy changes were communicated to the employees. The expiry time tells you when it arrives (don't tell me you change it before it expires, good for you if you do), but if your new password doesn't meet the policy requirements it doesn't tell you what they are. The support request response indicated the minimum length was three letters longer. The only good thing about this ordeal is that I get paid by the hour.

[–] taiyang@lemmy.world 7 points 3 months ago (4 children)

Gotta do mine twice a year, always needs to be new, have a number, and a special character. It was annoying because I'm a pass phrase kind of person, but found it's not too hard to just add the year and exclamation marks for each password change into my passphrase.

Plus password managers exist so whatever.

load more comments (4 replies)
[–] esc27@lemmy.world 6 points 3 months ago (2 children)

Never is too long. Monthly is way to short. I like the idea of doing it yearly in conjunction with other it security awareness and training campaigns.

[–] RecluseRamble@lemmy.dbzer0.com 10 points 3 months ago* (last edited 3 months ago) (3 children)

Never is too long.

Why? Frequent password changes have been shown to result in weaker passwords. What's wrong with keeping a strong one indefinitely? I mean an actual strong one not one character more than what's currently bruteforceable.

load more comments (3 replies)
[–] ObsidianZed@lemmy.world 6 points 3 months ago (4 children)

Agreed. My last job, we were forced to change all service account passwords annually but our personal passwords every month or two.

My current job has more domains and systems so I have so many more passwords with varying complexity and age requirements. I just set a calendar event for every four weeks (one expires just under 5 weeks) and change them all to the same generated password that meets all the common requirements and I save it in my password manager.

So every four weeks, it's seriously this hour+ long ritual for virtually no enhanced security reason.

load more comments (4 replies)
[–] MystikIncarnate@lemmy.ca 6 points 3 months ago

IMO, password changes were always bs. I'm a tech, and I always disagreed with it.

Longer, better passwords were always the better option. But try to convince your average worker to memorize a 15+ character password and they'll tell you where to go.

Meanwhile... https://xkcd.com/936/

Today, with MFA.... Good MFA, not the SMS bull crap... Password "leaks" or breaches, are effectively a thing of the past.

Oh, you have my password? You guessed it, or found out leaked on some list? Cool. Good luck guessing the seed for my MFA, in the time it takes me to go change my password, locking you out of my account. MFA failures should be reported to users. Often they're not.

Short story: I once had a notice from Twitter about access to my account from a foreign location. Kudos to Twitter, since they recognised the odd behavior and stopped it (this is pre-musk Twitter BTW). I logged in, changed my password using my password manager (the previous password was too simple, from before I had a password manager), then added a FIDO MFA to my account. I tweeted out to whomever was trying to log in to my account, to thank them, as my Twitter account now had better login security than my bank. IDK why banks don't support MFA beyond sms, but that was the case at the time, and largely, that's still the case where I am.

From a security standpoint, I recommend you follow xkcd's example, generate a long passphrase for yourself, and use it to secure a password manager (and whatever recovery options they have, eg, email), and add MFA to that, and anything else that supports it.

It's a pain to do, but honestly, better than waiting to see if someone is going to be able to log in to your stuff when your password is inevitably leaked by someone.

[–] peto@lemm.ee 4 points 3 months ago

Man, so often do I get half way through my password to realise I'm now typing my old words.

load more comments
view more: next ›