New employee: It asks me to change my password.
Me: It's a 12-letter minimum, complex: upper, lower, number and a sign.
New employee: It doesn't work.
Me: Stop using your name in passwords.
New employee: Oh... darn.

  • 5
    I used to work for a company whose password requirements were so strict that you couldn’t use three or more consecutive letters of your name, three or more letters of any month of the year, or three or more consecutive letters of your last 8 passwords. It ruled out so many common words that people would write their passwords down and leave them under their keyboard. 🤦‍♂️
  • 1
    @devphobe exactly. In the book Violent Python there was an assignment to brute force a zip archive. My own name lowercase took an hour or so, and upper/lower already took long enough to cancel. Imagine if it was a web API... Good luck brute forcing that if it was even my name backwards. So, I don't do the password madness. Can you even imagine how the source code of that validator must be, or even the other stuff that they build? Damn
  • 3
    @rooter how about the fact that we kept all passwords (previous and current) unhashed so we could figure that out! It alone was a security nightmare
  • 0
    @devphobe oh, that changes the story. Yeah, in that case make sure the password doesn't work on other platforms 😂 Haha, the irony. But that's the point, where's the focus on? 🙄
  • 0
    @rooter in case of the web API I first attack the leak so I have the username/password hashes. The idea of preventing the name in the password is so the attacker has to resort to brute force instead of fancy dictionary attack.