this post was submitted on 23 Sep 2023
868 points (97.8% liked)
Memes
45535 readers
422 users here now
Rules:
- Be civil and nice.
- Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
One of our systems at work don't let you use the past thirteen passwords! Plus monthly password changes. Guess who's got a generic password that has an ever increasing number at the end of it...
If I'm not mistaken It's actually shown to be bad to change passwords that often because you end up with people writing them down
Yes, NIST now recommends against requiring periodic password changes in their official guidance document.
Pretty much everyone, which is why NIST no longer recommends automatic password expiry anymore.
One of my work applications doesn't allow you to use any of the letters in the same spot or any repeating letters . And it expires every 45 days . So for example if I used Batman1 for my password . I can't just switch to Captain2 because the second letter is the same . And you can't use something like Poophead because there are 2 O's in a row . It's a nightmare every time it expires .
that would instantly make me very dumb and require a lot of explaining on the phone. like "when I say hello mister Thompson and press down on your foot then you smile and nod, do you understand?" levels of dumb.
"I've used up all the vowels! there are only 5! this means the only password left is rhythm"
"no you can use the same vowels just they can't be in the same place"
"like I have to do it in my kitchen?"
"no the same place in the word"
"so it has to be the same word with different letters?"
"no, it has to be a different word with different letters"
"well like I said I already used all the vowels"
When it expires, bump every character up by one - A/a becomes B/b, 1 becomes 2, for symbols use the next one on the row.
That also means they are saving that information. I doubt a single character can be usefully hashed. Seems like a security nightmare.
It's also some shitty program that is all black screen with green text that was probably made in the 90s . From what I understand it's used by a bunch of different shipping companies and very unintuitive to use .
Edit: just googled it and it was released in 1988 it's called As400
Ah, crap.
https://www.ibm.com/docs/en/i/7.1?topic=passwords-password-rules-qpwdrules
Those are some aggressive password rule options.
On the plus side, it may be over engineered all of the way to fuck and back. (Or not)
Edit: I searched for "as400 password rules" and that was the first hit.
Mainframe is the notary caste of IT.
I wonder what percentage of the company also do the same, would be an interesting statistic.
It's an easy attack vector, hackers love it.
Venn diagram is a circle.
This is what password managers are nice for. I only know like two of my passwords all across the internet.
I'm pretty sure most people do when faced with a situation like that
If it were 12, I'd say use the month, but 13...
Lousy Smarch weather
Lunar calendar
Lunar calendars also have 12 months but each is shorter and so the year is shorter. Some have a leap month but that doesn't help either. Sure, you can iterate thru these names but that doesn't help you to remember to current one. The idea of using months is that you know in which month you are right now.