Comments
-
I feel you.
The 90-day rotation is actually pretty useless. Complexity rules are a "last resort" so people do not reuse passwords and do not choose the weakest ones possible.
In contrast, teaching people the concept of e.g. passphrases and changing only on a suspected leak or abuse will result in strong passwords that people can remember.
Current recommendations by security standards organisations (NIST, BSI, ...) no longer even recommend changing passwords regularly. -
@craig939393 A password manager is great for online accounts but certainly not for mac login. I can't access the password manager if I'm not logged in on the mac.
-
I just went through HIPAA compliance, and their password requirements go against NIST.
I argued with the compliance officer that our policy was stronger and thus met the criteria, but we had to change it to a weaker policy or we would lose the compliance.
Now we're trying to get SOC2, and I can't wait to see what policies they invented! -
atheist9930 3y: Had something similar at an old job. I literally ended up just listing off some of the things I could see.
"cloudstaplerdesk" as a password, anyone? -
Frequent password changes are an outdated and useless practice. Just add a number to your password and count it up.
-
@AjDevNull You can access it if you have it on another device; it can be annoying but works when you're aiming for good enough passwords. Although, in my situation (same company policy), I regenerate passwords that are short enough to store to muscle memory but not shit enough to be guessable by other people.
-
@Berkmann18 I get your point but it will be a bit difficult typing out a randomly generated alphanumeric pass accessible from a different device.
The underlying issue here is that over time people will get lax with their passwords if they change it long enough. -
@Fast-Nop Microsoft AD doesn't allow you to do that. The password validation checks for values that have previously been used.
-
Jedidja 1014 3y: Maybe you could get around it by combining a strong password and a weak one and only changing the latter? Like adding an increment/NumberOfWeek/... to an already strong password.
Or by writing just the part down that changes -
@Jedidja The validation does fuzzy matching I think to see if you have used a sequence of characters before.
-
Bandic00t 46 3y: @AjDevNull If I remember correctly, AD only remembers your last 8 passwords, so you really only need to rotate through that many (i.e. not keep inventing brand new ones).
-
@Bandic00t The exact number depends on what the admin set. Usually, there is a minimum password age as well to prevent exactly that.
-
@sbiewald Oh yea, I know about that. I thought AD only remembers the last 8 passwords. Thanks for the clarification.
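A defender-side check for the policy knobs this exchange talks about (password history count, minimum password age, rotation interval, lockout), added here as an example and not code from the thread. It assumes the RSAT ActiveDirectory PowerShell module and an account allowed to read the domain policy; the 12-character and 90-day thresholds it flags are assumptions, not values from the discussion.

```powershell
# Added example, not code from the thread. Reads the domain password policy and
# reports the settings discussed above. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordPolicyFindings {
    param([Parameter(Mandatory)] $Policy)
    $findings = @()

    # In AD a MaxPasswordAge of zero means passwords never expire.
    $expires = $Policy.MaxPasswordAge -ne [TimeSpan]::Zero
    if ($expires -and $Policy.MaxPasswordAge.TotalDays -le 90) {   # 90-day threshold is an assumption
        $findings += "MaxPasswordAge is $([int]$Policy.MaxPasswordAge.TotalDays) days: forced rotation invites incremented passwords (NIST SP 800-63B advises changing only on evidence of compromise)."
    }

    # History is enforced by comparing the new password against stored hashes of
    # previous ones. Without a minimum age a user can cycle through the whole
    # history in one sitting and land back on the original password.
    if ($Policy.PasswordHistoryCount -gt 0 -and $Policy.MinPasswordAge -eq [TimeSpan]::Zero) {
        $findings += "PasswordHistoryCount=$($Policy.PasswordHistoryCount) with MinPasswordAge=0: history can be cycled through immediately."
    }

    # Length buys more strength than complexity rules; 12 here is an assumption.
    if ($Policy.MinPasswordLength -lt 12) {
        $findings += "MinPasswordLength=$($Policy.MinPasswordLength): prefer longer passphrases over complexity rules."
    }

    # Lockout throttles online guessing, which matters more than rotation does.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold=0: account lockout disabled, online guessing is not throttled."
    }
    return $findings
}

$default = Get-ADDefaultDomainPasswordPolicy
Write-Output "Default domain policy ($($default.DistinguishedName)):"
Get-PasswordPolicyFindings -Policy $default | ForEach-Object { Write-Output "  - $_" }

# Fine-grained password policies (PSOs) override the default for the groups they
# apply to, so an audit that stops at the default policy can miss a weaker one.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    Write-Output "PSO $($pso.Name) (precedence $($pso.Precedence)):"
    Get-PasswordPolicyFindings -Policy $pso | ForEach-Object { Write-Output "  - $_" }
}
```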
Original rant
My work network AD password has to be changed every 90 days or so and it is really getting to me now. I'm beginning to run out of passwords to use and may soon have to resort to writing them down on a piece of paper and locking it somewhere.
I get why we need to change it often. What I don't like is the stupid validation rules AD uses to check passwords. It doesn't allow variations and you have to use something completely new.
I have only been in the job for about 8 months and I had a nightmare experience updating my password recently, as the synchronisation failed and I was locked out of my accounts for a day or 2, rendering me useless and having to call support for help.
How the hell am I supposed to remember my passwords when I have to change them that often!!!
rant
security
password