Ideally we'd all use password managers, but I'm aware 99% of people don't. Even with one, it's frankly a pain in the butt to be nagged about changing it. "Man, my passwords are 20 random characters. I don't need to reset it unless you've had a breach."
A job I quit about 6mos ago required monthly changes. It was awful. And, yes, it absolutely led to me just incrementing a number at the end. I knew it was time to quit when I was about to hit double digit numbers.
In college we had to change our password every semester. Guess who added the semester number onto the end of their password. Hint: everyone.
Same as a government job that required monthly password changes. Well, at least those people had more security than the post-it note on the monitor people.
NavyExchange!(ddmm of password change) for as long as I worked there, it was really only to use a register though, I had nothing compromising behind the password lock.
> And despite security recommendations, too many IT depts still force password resets every 90 days...
It could be for contractual or for insurance reasons. We have some contracts with government agencies that require it, and our cyberinsurance also does. Even though NIST has been recommending for years to do long passphrase + MFA and no reset unless you suspect compromise.
So yeah, the reason behind this might not be just plain incompetence.
The worst is when you have a bunch of independent systems that all have their own login info, all configured by the same IT department, all with different forced reset timers.
I've had arguments with clients' IT security about this in the past where they demanded forced password resets. Citing NIST controls that insist you should avoid them was apparently insufficient.
I suspect a large number of these incidents are due to the password field in the login page allowing fewer characters than the field in the sign up page, so the password gets truncated. A couple of help desk meat shields have confirmed that for me, but mostly I think this because it seems to fix itself if I use a shorter password.
How short, you ask? Who tf knows! They sure as shit won't tell you! Just spend the next 20 minutes trying shit til it works, because you have nothing better to do with your time!
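The mismatch suspected in the comment above can be reproduced in a few lines. This is an added example, not code from the thread or from any site mentioned in it; the two length limits and both login functions are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SIGNUP_MAX = 64  # assumed limit enforced by the sign-up form
LOGIN_MAX = 16   # assumed shorter limit on the login form (the bug)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class Account:
    """Stores a salted hash of the full password accepted at sign-up."""
    def __init__(self, password: str):
        if len(password) > SIGNUP_MAX:
            raise ValueError(f"password longer than {SIGNUP_MAX} characters")
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)

    def verify(self, candidate: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(candidate, self.salt))

def login_truncating(account: Account, typed: str) -> bool:
    # Buggy path: the login field silently drops everything past LOGIN_MAX,
    # so the hash of the truncated string never matches the stored one.
    return account.verify(typed[:LOGIN_MAX])

def login_consistent(account: Account, typed: str) -> bool:
    # Fixed path: same limit as sign-up, and over-long input is rejected
    # outright rather than truncated.
    if len(typed) > SIGNUP_MAX:
        return False
    return account.verify(typed)

def run_demo() -> dict:
    long_pw = "correct horse battery staple"  # 28 chars, constructed sample
    short_pw = "tr0ub4dor&3"                  # 11 chars, constructed sample
    long_acct, short_acct = Account(long_pw), Account(short_pw)
    return {
        "long password, truncating login": login_truncating(long_acct, long_pw),
        "short password, truncating login": login_truncating(short_acct, short_pw),
        "long password, consistent login": login_consistent(long_acct, long_pw),
        "wrong password, consistent login": login_consistent(long_acct, short_pw),
    }

if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The correct long password is rejected only on the truncating path, which matches the symptom of a shorter password "fixing" the login.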
My company doesn't tell you what the AD policy is for changing your domain logon password but Windows will just tell you that it doesn't meet the policy. What IS the password policy you ask?
If I recall, a few (most) security experts now support written-on-paper passwords. Why? Because it is the solution for users who would otherwise commit a far more egregious security faux pas.
In most circumstances, it is easier to keep the notebook secure than your wallet, your car, etc. And let's be honest, the list of suspects is REALLY short if someone breaks into your house, opens the third drawer, grabs the notebook and runs. And if it's more than that and somebody ransacks your entire house, I guarantee having to change your passwords is the least of your headaches.
Ultimately, physical compromise is the lowest possible security risk for most people throughout their lives. Yes, it happens. Yes, it sucks. But having your bank password out in the wild with nobody realizing it is possibly far more dangerous.
I won't say where I work but we have strict password requirements including that they have to be exactly 8 characters long.
Yeah our passwords aren't very secure as we also have to change them every 90 days and if you miss the window by 3 days you have to call the IT desk to reset it which takes about 45 minutes to an hour. And in that time you basically can't get anything done.
At home I use a password manager and all my passwords are randomly generated and whenever possible 2fa is enabled.
I use Bitwarden on my Android phone and home computer. Vivaldi browser on both devices with BW integration. I also was able to portable-load Vivaldi on my work PC, so one day when I'm not too busy, I intend to regen my work passwords (everything but the domain logon is web-based) with Bitwarden so I never have to worry about how many ones and exclamation points I appended to my passwords.
Now if I could only get them to replace Microsoft 365 OTPs with a smart card or RSA hardware token that'd be perfect. Especially when Teams and every other Microsoft app separately and individually decides for the nth time this week that they all need my credentials again because somebody sneezed near the work VPN server and caused the NTP to be off by a millisecond and invalidate my security certificate or... whatever the reason that happens.
The joke is that he set the password to the same thing he thought it was to begin with — the same password the site said was incorrect, it's now saying was in fact his old password.
I forget where, but this has happened to me before. I thiiiink the logic was that it compares to your last 3 passwords, not just the most recent one. So if I had the password "hunter2", then changed it to "swordfish", then later forgot that and tried to log in with "hunter2", this is what would happen.
I've also had similar but completely inexplicable experiences with my cell phone provider, who shall remain nameless. My best guess is that my special characters (still ASCII but not alphanumeric) broke their poor lil database. It wouldn't accept anything until I set a strictly alphanumeric password.
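A sketch of the "last 3 passwords" behaviour guessed at in the thread, showing how a login can fail with a password that the reset form then refuses as already used. This is an added example, not any site's actual code; the history depth of 3 comes from the comment, and the class and method names are hypothetical.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 3  # "last 3 passwords", per the comment; includes the current one

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class Credential:
    """Keeps salted hashes of the newest HISTORY_DEPTH passwords, newest first."""
    def __init__(self, password: str):
        self.history = deque(maxlen=HISTORY_DEPTH)
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per entry, so stored hashes never repeat
        self.history.appendleft((salt, _hash(password, salt)))

    @staticmethod
    def _matches(entry, password: str) -> bool:
        salt, digest = entry
        return hmac.compare_digest(digest, _hash(password, salt))

    def login(self, password: str) -> bool:
        # Only the newest entry is valid for authentication.
        return self._matches(self.history[0], password)

    def change(self, new_password: str) -> bool:
        # Reuse check runs against every retained entry, not just the newest.
        if any(self._matches(e, new_password) for e in self.history):
            return False
        self._store(new_password)  # oldest entry falls off once the deque is full
        return True

def run_scenario() -> dict:
    cred = Credential("hunter2")            # constructed sample passwords
    changed = cred.change("swordfish")
    login_old = cred.login("hunter2")       # user forgot the change
    reset_old = cred.change("hunter2")      # reset form refuses the same string
    cred.change("third-password")
    cred.change("fourth-password")          # "hunter2" ages out of the history
    reset_after_aging = cred.change("hunter2")
    return {"changed": changed, "login_old": login_old,
            "reset_old": reset_old, "reset_after_aging": reset_after_aging}

if __name__ == "__main__":
    print(run_scenario())
```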