New employee: It asks me to change my password.
Me: It's a 12-letter minimum, complex: upper, lower, number and a sign.
New employee: It doesn't work.
Me: Stop using your name in passwords.
New employee: Oh... darn.

  • 4
    I used to work for a company whose password requirements were so strict that you couldn’t use three or more consecutive letters of your name, three or more letters of any month of the year, or three or more consecutive letters of your last 8 passwords. It ruled out so many common words that people would write their passwords down and leave them under their keyboard. 🤦‍♂️
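The policy from the rant and the comment above, written out as an added example (not code from the thread; the user's name, the history handling and the PBKDF2 parameters are assumptions): it enforces the 12-character complexity rules, rejects any three consecutive letters of the user's name or of a month name, and checks reuse against salted hashes, which only permits an exact-match check, not the "three letters of your last 8 passwords" rule that forces plaintext history.

```python
import hashlib
import hmac
import secrets
import string

# Month names whose 3-letter fragments the policy forbids.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

def trigrams(text: str) -> set:
    """All 3-letter runs of `text`, lower-cased. A password sharing one with
    a word contains 'three or more consecutive letters' of that word."""
    t = text.lower()
    return {t[i:i + 3] for i in range(len(t) - 2)}

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 (assumed parameters). Against stored hashes only an
    # equality test is possible, so substring rules over old passwords
    # cannot be enforced without keeping them in plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password(password: str, full_name: str, history: list) -> list:
    """Return the policy violations (empty list means accepted).
    `history` holds (salt, hash) pairs of the user's previous passwords."""
    problems = []
    if len(password) < 12:
        problems.append("fewer than 12 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    pw_tri = trigrams(password)
    for part in full_name.split():          # e.g. "Alice Rooter" -> two parts
        if pw_tri & trigrams(part):
            problems.append(f"contains part of your name ({part})")
    for month in MONTHS:
        if pw_tri & trigrams(month):
            problems.append(f"contains part of a month name ({month})")
    for salt, old_hash in history:
        if hmac.compare_digest(hash_password(password, salt), old_hash):
            problems.append("reused a previous password")
            break
    return problems

def remember(password: str, history: list, keep: int = 8) -> list:
    """Store a salted hash of an accepted password, keeping the last `keep`."""
    salt = secrets.token_bytes(16)
    return (history + [(salt, hash_password(password, salt))])[-keep:]
```

Try `check_password("Remember2Dec!", "Alice Rooter", [])` to see how "remember" alone trips the month rule through "ember", which is the "ruled out so many common words" effect.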
  • 3
    @rooter how about the fact that we kept all passwords (previous and current) unhashed so we could figure that out! It alone was a security nightmare
  • 0
    @rooter in case of the web API I first attack the leak so I have the username/password hashes. The idea of preventing the name in the password is so the attacker has to resort to brute force instead of fancy dictionary attack.
  • 0
    @devphobe I soo hope that was not at LastPass ;-)
  • 0
    @AtuM nope. It was a much larger company
  • 1
    @devphobe google got busted doing the same, so what can one do. Most ppl think that tls1.2 and mfa takes care of things. Most don't ever think beyond frontend.