17

Little anecdote from my in-house IT:

"Our passwords are safe because we change them every 3 months and they have to contain uppercases, lowercases, numbers and special characters. 6-digit length is enough and can't be hacked."

Comments
  • 9
    Just show them the speed at which Hashcat can crack passwords like that.. a few minutes? :3
    And that is, assuming that those little 6-character shits are hashed at all of course 😛

    https://youtu.be/7U-RbOKanYs
  • 6
    @Condor "ThOsE PaSsWoRdS aRe SaFe BeCaUsE wE sToRe YoUr LaSt 2 PaSsWoRdS aNd ThEiR hAsHeS. WiTh BrUteFoRcE yOu'D nEeD >100 yEaRs tO hAcK tHiS"

    (Yep they said that)
  • 8
    @KittyMeowstika 🤢... 🤮
    What the fuck is wrong with people.. and those are the chaps responsible for password security? Just imagine the state of the rest of the server like that 😷

    Btw the last 2 passwords *and* their hashes? Then what's the point of hashing to begin with? As if a hacker is gonna be like "oh there's a plaintext file here and a hash file there.. let's go with the hash file because we're that nice 🤪".
  • 5
    @Condor Said the same thing to them. They don't listen. They are fucking IT-Gods and I'm only a small dev. "We can't tell when a device is compromised. That's why everyone has to change their pw every 3 months." I wish I could exclude myself from this madness
  • 5
    @KittyMeowstika Every single braincell I own cries from the sheer ignorance they present...
  • 4
    I would like to say something about the password policy at my workplace, but it's possible to find out where I work and it's not really a good password policy. :(
    (But no worries, it's not like it's going to cause a leak soon, it's just way worse than it could be with a few simple changes.)
  • 3
    Don’t worry, against countless dummy spits over this topic and leaving the company I used to work for, the software they produce doesn’t even hash any password. Oh, and at any level above basic user (assuming they even implemented user levels for even an iota of security) all passwords are fully visible without even a single attempt to obscure them with asterisks.
    It’s so bad. Like unbelievably fucking bad.. 🤬
  • 3
    @KittyMeowstika 100+ years makes it seem like they just tested this or that password against some online "entropy tester", lol. Entropy is a massively complex thing, and predictability isn't straightforward to implement in any kind of algorithm. There's a reason why there are so many word lists and rule sets out there, and why many professional hackers/security researchers choose to make their own (aside from the general culture that you should really develop your own tools). It's extremely difficult to gauge what "type" of users are in this or that type of database. Limitations on passwords in the registration form offer a decreased scope for that, hence why I'm against "2 numbers, one capital, some symbol" kind of deal. It makes password cracking easier because some assumptions can be made.

    Honestly, I'd seriously advise you to not listen to these "IT gods" at all, because they clearly have a huge gaping hole in their security awareness. For example, sure it is difficult to gauge the integrity of a system without constant monitoring of something like an IDS/IPS (e.g. Snort), but there are common places in which hackers "hide" their post-exploitation tools. These include the crontab (which should be periodically checked), and services that might be spawned by it either permanently, or every now and then (to make it harder to notice). An IDS should be responsible for monitoring these listeners. Whenever anything tries to open a listener on a port that hasn't been approved yet, the IPS should trip and notify the operator. Additionally, the firewall should be in a whitelisted (i.e. DROP) state on at least its INPUT chain. Services that expose root access should be hidden away, either behind port knocking utilities like fwknop or a VPN network such as OpenVPN. There's no need for the internet to see these, and it adds an additional authentication layer.

    Using those precautions and general working methods, I've been able to create some pretty darn secure infrastructure.
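Worked arithmetic for the policy quoted in the post and for the two claims argued over above (Condor's "a few minutes" with Hashcat, the IT department's ">100 years", and the point that forcing character classes shrinks the keyspace rather than growing it). This is an added example, not code from anyone in the thread. Class sizes follow hashcat's built-in charsets (?l=26, ?u=26, ?d=10, ?s=33 including space, 95 printable ASCII in total); the guess rate `ASSUMED_RATE` is an assumption standing in for a GPU against a fast unsalted hash, not a measurement of any particular card or algorithm.

```python
"""Keyspace arithmetic for a 6-character, four-class password policy.

Added example, not code from the thread. Charset sizes match hashcat's ?l ?u ?d ?s;
ASSUMED_RATE is an assumed guess rate, not a benchmark of any specific hardware/hash.
"""
from itertools import combinations

LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33
CLASSES = (LOWER, UPPER, DIGIT, SPECIAL)
SECONDS_PER_YEAR = 365.25 * 86400
ASSUMED_RATE = 1e10  # guesses/second (assumption: GPU vs. fast unsalted hash)


def keyspace_all_classes(length, classes=CLASSES):
    """Count strings of `length` that use every class at least once (inclusion-exclusion).

    Forcing every class *removes* candidates: the result is always below
    (sum of class sizes) ** length, so the rule shrinks the attacker's search space.
    """
    total = 0
    for excluded_count in range(len(classes) + 1):
        for excluded in combinations(range(len(classes)), excluded_count):
            alphabet = sum(size for i, size in enumerate(classes) if i not in excluded)
            total += (-1) ** excluded_count * alphabet ** length
    return total


def mask_keyspace(mask):
    """Candidates for a fixed per-position mask such as [UPPER, LOWER, LOWER, LOWER, DIGIT, SPECIAL],
    the 'Capitalised word, digit, symbol' shape people fall into under such policies."""
    total = 1
    for size in mask:
        total *= size
    return total


def seconds_to_exhaust(keyspace, rate=ASSUMED_RATE):
    """Wall-clock seconds to try every candidate at `rate` guesses/second."""
    return keyspace / rate


def rate_implied_by_years(keyspace, years):
    """Guess rate at which exhausting `keyspace` would take `years`: what a
    '>100 years' claim silently assumes about the attacker."""
    return keyspace / (years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    full = 95 ** 6
    policy = keyspace_all_classes(6)
    typical = mask_keyspace([UPPER, LOWER, LOWER, LOWER, DIGIT, SPECIAL])
    print(f"any 6 printable chars:   {full:>15,}  ~{seconds_to_exhaust(full):,.0f} s at {ASSUMED_RATE:.0e}/s")
    print(f"all four classes forced: {policy:>15,}  ~{seconds_to_exhaust(policy):,.0f} s")
    print(f"'Xxxx1!' shape only:     {typical:>15,}  ~{seconds_to_exhaust(typical):,.2f} s")
    print(f"'>100 years' assumes about {rate_implied_by_years(policy, 100):,.0f} guesses/s")
```

Under the assumed rate the unconstrained 6-character space (about 7.4e11) falls in just over a minute, the four-class-forced space (about 2.0e11, roughly 27% of it) in under half a minute, and the "capitalised word, digit, symbol" mask (about 1.5e8) in a fraction of a second. Working the "100 years" claim backwards gives an attacker limited to a few dozen guesses per second, which describes rate-limited online guessing, not an offline attack on a leaked hash.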
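The "trip when something opens a listener on a port that hasn't been approved" check from the comment above, reduced to the part a cron job or an IDS hook would run: parse `ss -Hlntup` output and diff it against an allow-list. This is an added example, not the commenter's tooling. The `ss` lines are constructed sample data and `APPROVED` is an assumed policy for a hypothetical host; the `bash` process on port 4444 is the constructed "post-exploitation listener" the check is meant to catch.

```python
"""Approved-listener check over `ss -Hlntup` output.

Added example, not the commenter's tooling. SAMPLE_SS is CONSTRUCTED data and
APPROVED is an assumed allow-list for a hypothetical host.
"""
import re

# Assumed policy: (proto, local port) pairs this host may listen on.
APPROVED = {("tcp", 22), ("tcp", 443), ("udp", 1194)}

# Constructed `ss -Hlntup` output (-H drops the header): proto, state, recv-q, send-q,
# local addr:port, peer addr:port, process. The last line is the kind of thing
# post-exploitation tooling leaves behind: an unexpected high port bound by a shell.
SAMPLE_SS = """\
tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511  0.0.0.0:443       0.0.0.0:* users:(("nginx",pid=1020,fd=6))
udp   UNCONN 0 0    0.0.0.0:1194      0.0.0.0:* users:(("openvpn",pid=955,fd=5))
tcp   LISTEN 0 128  127.0.0.1:53      0.0.0.0:* users:(("systemd-resolve",pid=400,fd=12))
tcp   LISTEN 0 1    0.0.0.0:4444      0.0.0.0:* users:(("bash",pid=31337,fd=4))
"""

_PROC = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Yield (proto, bind_addr, port, process, pid) for each listener line."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # also splits "[::]:22" correctly
        match = _PROC.search(fields[6]) if len(fields) > 6 else None
        proc, pid = (match.group(1), int(match.group(2))) if match else ("?", -1)
        yield proto, addr, int(port), proc, pid


def unapproved_listeners(text, approved=APPROVED, ignore_loopback=True):
    """Return (proto, port, process, pid) for listeners outside the allow-list.

    Loopback-only binds are skipped by default: they are reachable only from the
    host itself and usually belong to local resolvers and the like."""
    findings = []
    for proto, addr, port, proc, pid in parse_ss(text):
        if ignore_loopback and addr in ("127.0.0.1", "[::1]"):
            continue
        if (proto, port) not in approved:
            findings.append((proto, port, proc, pid))
    return findings


if __name__ == "__main__":
    for proto, port, proc, pid in unapproved_listeners(SAMPLE_SS):
        print(f"ALERT unapproved listener {proto}/{port} by {proc} (pid {pid})")
```

On the sample data only the `bash` listener on tcp/4444 is reported; the loopback resolver on 53 is skipped unless `ignore_loopback=False`. On a real host, feed it `subprocess.run(["ss", "-Hlntup"], ...)` output from cron or a systemd timer and route the findings to whatever alerts the operator; the same allow-list diff approach applies to the crontab entries the comment mentions.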
  • 2
    @Condor I wish I could ignore the IT's advice. But sadly it's a company policy and if I do it they could probably fire me. I totally agree with you. Security these days is not only "good" pw, it's creating a network of mechanisms which notify you when something seems off. (@WhAtEvErYoUmEaN told me about a case where a company contacted a pentester and he tried to compromise their servers from the inside. Couldn't do it because he was seated in marketing and marketing never uses PowerShell. This is how IT knew.)