25
C0D4
3y

Wow, I'm going to have a hard time remembering this one.

IT have changed after so many years the password criteria for our machines, to the point it's a bit ridiculous.

Like I'm all for securing your accounts and using random passwords but, this is rough.

Minimum of 14 chars
Not the past 6 passwords
Must contain several %}*]=[^{
Must contains numbers
Must contain upper case letters
Must contain Lower case letters
Must not end in a number
Must sacrifice a virgin on every login
Must be changed every 30 days

Comments
  • 20
    All are valid and important, except that last one.
  • 8
    If we're not speaking browser based access, but machine logons, then there's no way out but to write down the passwords. Congrats to IT.
  • 8
    @Root that last one takes the cake, by the time I get to a point of being able to remember this thing, it's going to be gone again 🥲

    @Fast-Nop O365 + machine login.
    So yea it's got to be put somewhere else, a typical person will just post-it note it to the screen. Guess my personal password manager just became the company one too 🤷‍♂️
  • 3
    wait, no 2fa?
  • 3
    @SuspiciousBug there's MFA for 0356 + most internal services, not machines though.

    not sure windows can even do MFA for machine login 🤔

    *a short time passes*

    A quick search shows it's not native anyway.
  • 6
    Is "must not end in a number" the mitigation of "You have this and that password requirement and each month you need to increment the number at the end by 1"?
  • 8
    @StopMotionCuber Yeah so you append some character at the end and put the number before that.
  • 7
    @StopMotionCuber

    what's stopping it from increasing it alphabetically?
  • 2
  • 4
    @mr-user don't do that too me 😅

    Or just adding the same last letter to the end

    MySuperPassword1a
    MySuperPassword1aa
    MySuperPassword1aaa
  • 1
    @UnicornPoo

    How about using other identity management like facial recognition?
  • 10
    Do you want password written on sticky notes?
    Because that's how you get passwords written on sticky notes
  • 2
    ...

    Windows has quite a few ways to completely move away from passwords. Why does nobody use this?
    A few buzzwords are "hello for business" and "virtual smartcards". One would only enter their pin / use biometrics, and if SSO is properly configured, one will never enter any password to use any web application.
    This is neither expensive (virtual smartcards: nothing, HfB and SSO: >2 Windows Server license) nor difficult to setup.

    Anyway, call your IT every 30 days (even better with a few colleagues), telling them you forgot your newly set password ;)
  • 2
    @sbiewald yes this last part definitely.

    Be compliant and to letter of the rules, but annoy the fuck out of them because of those rules. Make them change the rules because they can no longer handle the responsibility of upholding their own rules.
  • 1
    @C0D4, @Fast-Nop & @SuspiciousBug
    That's why we have biometric multi factor authentication.
    Xign.Me of the XignSys GmbH.
  • 0
    @sbiewald
    'virtual' smartcards?
    Well, for once, additional personal authentication devices a costly.
    Then, has MS gotten around to actually mastering their trade offer?
  • 0
    @UnicornPoo, @mr-user & @CuberDude
    .this
    Thank you
  • 1
    @scor Most (business) computers have trusted platform modules (TPM). Even though they are not perfect, they essentially have the same purpose and functions as smart cards (besides being non removable).

    Therefore, windows can use them as if they were one.
    There are no licenses required.
  • 0
    @sbiewald

    Yes. TPM. But had never heard of the virtual smartcards term.

    If one can emulate them, or (they might be) they are an abstract concept that can freely be implemented, that's good news.

    Do they allow logging in to a machine securely? And sadly, Windows Hello is not ripe for the market in the thought of validating transactions or opening business content to this 'authentication' method. Talking of spoof ad temper proof.

    What I am hinting and demanding is a contract signature trust level.
  • 1
    @scor Virtual and real smart cards replace the password in the kerberos tgt requesf, instead doing pkinit with a certificate.
    For NTLM (if not disabled) the NT hash is requested from the domain controller and can be randomized.
    The certificate on the TPM/smart card is to be issued by the domain controller and contains the username and optional groups, though the latter only reliably works on "always online" devices.

    A TPM cannot be emulated, as it is a chip on the mainboard or in the CPU firmware. Of course a hypervisor can fake hardware for VMs. They are generally designed to be tamper resistant, but can of course have vulnerabilities like any other device.
    Keys stored on it can be used, but not extracted.
    Besides for Windows authentication, other certificates can be stored as well.

    This might not be perfect, but undoubtly a lot better than passwords.
  • 1
    Oooooh well......most Big tech comapnies are working on completely removing the "password" feature
    #Google #Apple ...
  • 1
    And #XignSys

    @Taqsblaz3
Add Comment