Gets email from work

"New password policy introduced from next month

Passwords will have to include:
- a capital
- a lower case
- a number
- a symbol
- be at least 8 characters

Passwords will be be changed every 60 days with a new password not previously used"

Everyone starts moaning, there I am laughing as I'm in Linux and off their domain controller, and my windows laptop is a BYOD laptop and they don't want it on the domain :D

What's scary is they are just introducing this

How is it possible to check whether the password was already used while storing them in a secure way?
Or are they just hoping nobody will hack them?

@deadlyRants even if you store it hashed, the same password will give the same hash if using the same salt.

The real error is enforcing symbols instead of increasing minimum length to 10 or 11.

Symbols makes passwords an order of magnitude more difficult to remember and will have users try to make easier to remember passwords which will begin to follow easy to guess patterns and also make them easier to crack.

@Voxera precisely. This is demonstrated very well by one XKCD comic.

A way around this amazingly secure system:

Start with P@ssword1, then after 60 days use P@ssword2, 60 days later P@ssword3, etc, etc.

@chrisrhymes you won't believe but a close friend of mine uses geheimX (X is a number incrementing every password change) for all his passwords. Geheim is german for secret.

@lorki97 and what's his username? 😀

@chrisrhymes surname.forename

His justification for his password:
If they kidnap me and want to know my password I'll say "My password is secret".

Well he for sure will be dead quickly :D

@Voxera why would symbols make a password harder to remember?

Considering you should not use words in your password, a symbol makes no difference.

@chrisrhymes I do something similar

P@ssword185
5P@ssword18
85P@ssword1

Until it gets hard to remember like
rd185P@sswo, here is when I set a new one.

@mundo03 Either you use an obvious symbol which adds no extra security (crackers try those) or you add a less obvious which is easier to forget.

Remember, if you use the same symbol for many passwords your degrading the value anyway.

I have one such service that require a symbol where I have to login only once a month and I always try to remember what symbol and where I added it.

WTF. This would not even be a big deal to anyone using a password manager / vault. All of our passwords are at least 24 characters, completely random, and unique for every single employee login on every client site. Any passwords you can remember or use in more than one site are by their nature insecure.

New password policies.
From yesterday, every password will have to include:
- at least 1 uppercase
- at least 1 lowercase
- at least 2 digits
- a symbol
- a Ghandi's quote
- a prayer
- a slice of pizza
- a virgin
- an singer from current top 100 pops song in iTunes list
- a dog breed
- an algorithm to solve rubik's cube

The password must not include:
- not contain your name
- not contain your surname
- your birthday
- your parent's name/surname
- the name of your dog
- your address
- ugly betty as virgin
- justin bieber as singer
- pizza qith ananas topping

Password will be at least 128 characters.
Passwords will be resetted every week.
It will not possible to use one of 999 previous passwords, nor share more than 3 consecutive characters.

Some users i know may roll whit a strat like this: monthyear or season year and decorated with the same symbol like:

Summer2017!

May2017!

This password policies are no good. I realy like the xkcd idea of having an big entropy by chaining relationless words.

@Voxera ah, makes sense.

I use a personal password algorithm. Easy to remember, hard to brute force and unique for every site.

I used to do 1q1q!Q!Q it's only three keys counting shift and you can make it eight or 16 characters. Then after 60 days it becomes 2w2w@W@W etc. I can type that combo in about 2 seconds it's easy to remember and it meets every requirement I've come across.

My work password was 4by*hRgGQ9VG at one point. Just randomly generated using LastPass. And I rembered it when it was. And I feel so proud about it to this day.

Enforcing any metric besides length is counter productive. It makes passwords hard for people to remember and it really doesn't slow down a brute force attack. At most, it will dodge a rainbow attack. NIST has some very good recommendations for how to handle password security.

I really should begin using random words in my natural language separated by spaces together with a real password manager that isn't passwords.google.com 🤔

@deadlyRants you could dump ntdis and decode it store the hashes for each user and compare, I don't know if you can have this in AD though

@robzombie111 2FA is not cheap for Active Directory

@chrisrhymes ah password mutations not an easy way round this with AD

This will force people to have their password written under their keyboard...

@tomi145 ...or on a post-it below the box of the nearest product, as once seen in an electronics store.

First password : Super_cat1
Second password : Super_cat2
...
256th password : Super_cat256

@tomi145 actually, this is sometimes more secure than an easy password.

Today most breaches that involve passwords are done by some outside part that would never get physical access.