my work apparently has annual password changes despite those being strongly discouraged so time to insecurely iterate my password ❤️ except they let you reuse a password after 2 years so you can just cycle 3 passwords of you want...... oh i love Cyber Security baby that's what we're talking about. - ThreadSky | a Reddit-style client for Bluesky

katie.bzky.team • 501 days ago

my work apparently has annual password changes despite those being strongly discouraged so time to insecurely iterate my password ❤️

except they let you reuse a password after 2 years so you can just cycle 3 passwords of you want...... oh i love Cyber Security baby that's what we're talking about.

Comments

cheesesnack.bsky.social•501 days ago

Been using keepass for like 15 years and I'm really not sure how anybody gets by without a password manager. There's a reason people keep recycling passwords or using the same ones across multiple accounts!

eilatan.bsky.social•501 days ago

I changed a single letter in my logon password for 18 years at OldJob. By the time I'd gotten back to the beginning of the alphabet, it was long enough ago that I could start over (we had to change every 90 days).

imi.baby•501 days ago

also this is proof you don’t work at raytheon their pw rotation and retention policy is longer than that

katie.bzky.team•501 days ago

lol

katie.bzky.team•501 days ago

wait how would you know this 😐🤨

imi.baby•501 days ago

raytheon was my first job in tech, before i realized i didn’t want to work for a weapons manufacturer. good thing though is for about 7-8 months i got paid $75k/yr to literally do nothing but come to an office every day

katie.bzky.team•501 days ago

oh goodness

imi.baby•501 days ago

yeag not the best move in my life. oh well at least i got a bunch of money from them for nothing lol

rawls.bsky.social•501 days ago

Relatable, had the same with big oil.

imi.baby•501 days ago

yeag. glad to have left there after realizing a bit more about the world lol

imi.baby•501 days ago

we do rotations every 6 months! fucking great! easy to remember and iterative passwords instead of unique ones! yay!

nonbinary.computer•501 days ago

My work forces it like 3x a year. It's so stupid. Our IT department is staffed by morons, i swear. They take away useful services and make everything a huge pain in the name of "security" and then do a ton or other boneheaded shit that renders the above worthless.

vixentoes.com•501 days ago

Better than every two months like my last employer. A short password changed frequently is terrible too.

katie.bzky.team•501 days ago

it's so much worse than one Really Good password

deadontheoutside.bsky.social•501 days ago

correcthorsebatterystaple

katie.bzky.team•501 days ago

https://bsky.app/profile/juicysteak117.gay/post/3kcm2k56ie42k

deadontheoutside.bsky.social•501 days ago

lol i'm a dork and you are the best 💜

iswearima.top•501 days ago

I just don't understand how companies still fuck this up. Like it's MORE WORK TO DO THE WORSE OPTION

vixentoes.com•501 days ago

Seriously! It’s bad security theater imo.

fooddatanerd.com•501 days ago

Annual? I have to change my passwords every month.

nephareus.bsky.social•501 days ago

Lucky, I have to do mine monthly

databitmc.bsky.social•501 days ago

my most recent job we had to change our main password every 2 months, and of course we also had all the tool specific passwords that had to be frequently changed as well. most of us kept an unencrypted excel file for our tool specific credentials.

cuil.world•501 days ago

my org's password rules are super aggravating, the number of previous passwords you can't use is like a million and the min length is roughly the entire text of beowulf

i know my password every time but i typo it 1-3 times on average just because of how fucking long it has to be

dvindictus.bsky.social•501 days ago

As someone getting into Cyber Security, this practice makes my skin crawl

katie.bzky.team•501 days ago

it seems like a fun field to get into. it also seems like a maddening field to get into

boshyboo.bsky.social•501 days ago

Imagine your whole world is full of imaginary locks that you give out to other people except they hate them and get around them any chance they get and you have to apologize for it every time but you get paid to do it so

miketerhar.com•501 days ago

Have you tried changing your password 3 times in a day and then going back to your regular one?

katie.bzky.team•501 days ago

i think it's any used in the last 3 years not last 3

miketerhar.com•501 days ago

I made a macro that changed my password 11 times because that was the number they stored historically. They added a "one per day" rule after a few years of my shenanigans.
So it took me 2 weeks to get back to my good password.

katie.bzky.team•501 days ago

that's so fucking funny

doctorswords.bsky.social•501 days ago

Several of my work passwords are just press 'reset password' each time I need to log in.

andhab.bsky.social•501 days ago

I used to work somewhere that did this every 90 days

oli-polit.bsky.social•501 days ago

What will you do, of you have only two kids?

katie.bzky.team•501 days ago

what

kiki.whitecanof.monster•501 days ago

Mine does them quarterly 💀

deadbarchetta.bsky.social•501 days ago

Yep same here. As well as a few other outside accounts I have to maintain for work. We deal with HIPAA protected information so I get wanting to make it robust, but if I can't remember all (or any) of them anyway...

kiki.whitecanof.monster•501 days ago

the amount of resets I’ve had to do bc I forgot my passwords…

deadbarchetta.bsky.social•501 days ago

My work: don't save your passwords to your browser's password manager

Also my work: change your password every 90 days, you cannot repeat one for 5 years, each password must contain a capital letter, a lowercase letter, vowel, number, and a secret hidden letter lost to memory.

My ADHD ass: [dies]

katie.bzky.team•501 days ago

the browser password manager thing i mostly get, although tbh i think it's a balance of security vs ease of use because the difference in security is marginal, but it's a bit outdated thinking anyways. getting people to use them AT ALL is really good

deadbarchetta.bsky.social•501 days ago

My supervisor has recommended I use something like KeyPass (I think that's the name) which is a third-party password manager that's supposed to be more secure

eldritchanchovy.bsky.social•501 days ago

So your work’s password policy is effectively “write your password on a post-it stuck to your monitor”

deadbarchetta.bsky.social•501 days ago

Yep

feste.bsky.social•501 days ago

Would this dissuade your work from enforcing the outdated and actively-recognized-as-insecure policy?

https://specopssoft.com/blog/nist-800-63b/

deadbarchetta.bsky.social•501 days ago

Highly unlikely

krysiej.xyz•501 days ago

I actually came here to point this out. But, having gotten into an argument with DISA, DoDCIO, and DoNCIO, as well as calling out the security manager from Fleet Cyber Command on this, I promise, they wont care. You could even provide the citations from Krebs and Schninier and they wont listen.

promethean.bsky.social•501 days ago

There is a program I use at my job, where I have to change the pass every 60 days; it has to contain a capital letter, lowercase letter, number, symbol, cannot have consecutive repeating characters, and MUST be EXACTLY eight characters long...

It hurts me every time I log-in

katie.bzky.team•501 days ago

WHY MUST IT BE EXACTLY 8 THAT'S INSANITY

promethean.bsky.social•501 days ago

I KNOW?!?!? WHAT DO THEY THINK THEY'RE DOING???

OH, ALSO WHENEVER YOU RESET THE PASSWORD YOU CAN'T USE ANY OF YOUR PREVIOUS 13 PASSWORDS!

katie.bzky.team•501 days ago

THAT SHOULD BE ILLEGAL

jebeck00.bsky.social•501 days ago

Same with my employer except no symbols.

willemdafomo.bsky.social•501 days ago

My previous job, one of our tools was a Linux command line through PuTTY. the password changed every 90 days, and to get a new password, I had to file a request ticket with L2 support (I was L1). The new PW was sent by email...

katie.bzky.team•501 days ago

NOOOOOOOOOOO

willemdafomo.bsky.social•501 days ago

It was a nightmare job in many ways.

eidorian.bsky.social•500 days ago

You think that is bad?
An ISP I used years ago suspected a data breach. Everyone had to change their password. Then they confirmed the new password - by snail mail 😖
Those are the days your last bit of hope for humanity curls up and cries.

katie.bzky.team•500 days ago

NO

eidorian.bsky.social•500 days ago

Yes. It happened. It left me speechless at the time.

katie.bzky.team•500 days ago

i signed up for a forums recently that emailed me my username and password i could not fucking believe it lol

adhdgobl.in•501 days ago

Drop the company name, I want to exploit them for money and laughs.

promethean.bsky.social•501 days ago

Would you be at all shocked if I mentioned that this program is owned by one of the largest financial institutions in the world? 😂

rahaeli.bsky.social•501 days ago

I used to work for a very large insurance and financial institution and let me say, working IT for a vary large insurance and financial institution absolutely makes you want to keep your money in Krügerrands buried under the shed

anhyatt.bsky.social•501 days ago

As an ex-bank employee, can confirm.

mjfgates.bsky.social•501 days ago

I knew a guy once who got paid in Krugerrands, and let me say that watching that guy makes you want never to have anything to do with precious metals ever again. Make my next computer out silicon and iron, please.

yellownorco.bsky.social•501 days ago

Jokes on you. I have negative money by a whole lot

willemdafomo.bsky.social•501 days ago

my wife has worked for a series of insurance and financial corporations. the waste is staggering.

bellmore.bsky.social•501 days ago

😱

parlei.bsky.social•501 days ago

One system requires upper case and lower case, but then normalizes to lower case when it checks them. And only the first 6 characters count. And yes, there is sensitive information inside that system.

eidorian.bsky.social•500 days ago

That last requirement is scary: it usually indicates that passwords are not hashed but stored in plaintext 😱

vafnord.bsky.social•500 days ago

This is infuriating. I worked supporting a system that had similar rules and there is simply no reason to force a short password.

I'm sure this is quite annoying, but it's almost shocking to hear of any organization taking strong passwords this seriously (yet undercutting it with the short length).

oopsalldraculas.net•500 days ago

Hell, these restrictions with an 8 character max actually reduces the total number of possible passwords by striping away permutations.

promethean.bsky.social•500 days ago

I know! It's absolutely bewildering to me! At least they lock you out after three failed attempts, and force you to reset your password

vafnord.bsky.social•500 days ago

I did password changes for the users (~500 people) and there were several per day changing their password because they couldn't remember it. The allowed length was 8-9 characters (?!?!) and it required a special character, but many weren't allowed (bad devs) and the users were struggling with it

bellmore.bsky.social•501 days ago

SAP?

promethean.bsky.social•501 days ago

Nope!

naiad.bsky.social•501 days ago

my job has quarterly changes 🤩

ejpratt40.bsky.social•501 days ago

Mine was always something like WerkSucksArse99$ IT was always highly amused.

shotgun.orchiecto.my•501 days ago

I hate dumb arbitrary security rules like this that just make things needlessly complicated

bexone.bsky.social•501 days ago

Previous job had us changing passwords quarterly

You BET I had a system that only would have taken cracking once to open literally every system I had access to forever

nygaard.bsky.social•501 days ago

I need a never b4 used pass every 3 months, and our systems are on slightly different timeliness. I'm resetting a password ~7 weeks

normalhu.mn•501 days ago

The password changes are discouraged if you have other protection methods in place. Once a year isn’t bad, tbh. It’s great advice theoretically, in practice it’s harder to achieve. You need strong MFA, passwordless authentication methods like certs or other tokens, etc. to comfortably cease rotation

katie.bzky.team•501 days ago

theoretically it's not terrible but in practice it's wildly ineffective for most users

normalhu.mn•501 days ago

Agreed it’s primarily security by obscurity especially if your key resources are protected with MFA. But better than nothing if you aren’t- A small IT shop that doesn’t have the resources to implement protections external to the password doesn’t have the resources to track compromised creds imho

normalhu.mn•501 days ago

My biggest battle with customers right now is just getting MFA enabled. For those that have MFA, the next step is password managers that employees can use for non-work related accounts to help encourage using different passwords everywhere. Then the “no more password rotation” policy is up.

katie.bzky.team•501 days ago

oh yeah totally fair. getting people to use mfa is a fucking chore lol, let alone password managers. i at least appreciate that browser managers are lowering friction siginificantly

parlei.bsky.social•501 days ago

Annually? You obviously do not take security very "seriously": we do it every 3 months. My WAG is that >50% just iterate the terminal digit (we naturally need upper case, lower case, digit and special character. So "Password1!" is superdupergood, while "fgretekl5pjtvrdrtart" is insecure.

katie.bzky.team•501 days ago

lol

ripperoni.com•501 days ago

It’s a classic

katie.bzky.team•501 days ago

the recommendation from someone that i should look into cyber security compliance roles... maybe they're onto something

neil-ramsay.com•501 days ago

Password!
Password!!
Password!!!

katdebvan.bsky.social•501 days ago

I'm so jealous, my office is every 90 days 😫

pinkest-nekomata.bsky.social•501 days ago

Makes me so angry. Especially since 99% of people just increment up the number in their already mediocre password, making it exactly 0% more secure

katie.bzky.team•501 days ago

exactly! total security theater

polyrhyth.ms•501 days ago

They require password changes but dont provide a password manager? eek

katie.bzky.team•501 days ago

i think there is one but it's not required. YUCK

virtualplay.gay•501 days ago

I have 3 different systems I log into at work that have different "change password" timers of 2-4 months, and they don't let you reuse the last like, 8-10?

so yeah I rotate through for each of them every couple years lmao

katie.bzky.team•501 days ago

oh i HATE that

slacklizard.bsky.social•501 days ago

I’d recommend annual changes over 90 days every time

katie.bzky.team•501 days ago

well yes but No Changes is better than Annual Changes which is the point

pyrholidon.bsky.social•501 days ago

I despise having to think up a new password every 90 days so I end up reusing similar combinations of phrases and numbers each time.

travbot.bsky.social•501 days ago

It’s a bummer my kid is 8 and talks like a regular person. When they were a toddler they were a paraphrase generating machine

katie.bzky.team•501 days ago

lol

travbot.bsky.social•501 days ago

I put one the ones I don't use anymore into one of those "how long would it take hackers to hack your password" sites and got 4 quadrillion years, which seemed decent. Definitely the best of anyone on the mandatory IT security training call.

katie.bzky.team•501 days ago

a decent length passphrase with some symbols and such is The Play. my main passphrase is like 30-40 something characters and it's extremely simple for me to remember. my work one is a 16 char gobbly goop one but it flows nicely so i have it memorized somehow

sharpmao.bsky.social•500 days ago

I have to change my work password 3 times a year. I always have the same base password, just changing the postfix.

reply.guyfieri.info•501 days ago

so me coded

reply.guyfieri.info•501 days ago

“which letter becomes a number this time”

pete.social•501 days ago

We’re required to update our passwords every 90 days AND use 2FA on every single device we utilize.

They claim to be following Microsoft’s lead… But isn’t MS leading the charge against consistent password updates?

shuchancellor.online•501 days ago

Same cyber protocol and same claims made in house at the place I work at. Very dumb

parasocialista.bsky.social•501 days ago

When the government encourages you to make your password 16 blocks of 🐸🦄🌈🍑

https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/nists-new-password-rule-book-updated-guidelines-offer-benefits-and-risk

Comment image

pete.social•501 days ago

Finally, time to unleash my dream password - “✈️ + 🏔 = 🔥”

parasocialista.bsky.social•501 days ago

😱

loredena.bsky.social•500 days ago

We recently to using PIN or biometrics in addition to the already implemented 2FA. But we still have to change our password, that we don’t use and thus won’t remember, every 90 days. Makes sense!

binaryape.bsky.social•500 days ago

MS have announced they are removing that feature because it's a terrible idea and managers keep ignoring expert advice and using it to enforce regular password resets. I think some managers associate inconvenience and inefficiency with security - if it's a pain it must be good. Very frustrating.

mioris.bsky.social•501 days ago

this is what we do as well

katie.bzky.team•501 days ago

guess i can be glad i don't have 90 days then lol. 2FA on everything but that's good and they should do that

natanael.bsky.social•501 days ago

And NIST too for that matter

codepwnie.org•501 days ago

The problem is that NIST used to say password rotation and it takes corporations 30-50 years to update their NIST compliance and only after you drag them kicking and screaming. And then they're STILL 30 years behind the state of the art.

pete.social•501 days ago

30 years behind, you say? Is this why they recently replaced my IBM Selectric II with a Windows 95 machine?

codepwnie.org•501 days ago

omg

codepwnie.org•501 days ago

It's cheaper, in bosses eyes, to just have incidents. After all, the corporations aren't paying the full cost of those anyway!

rincewind.run•501 days ago

love to cling to wildly outdated security models~

al--s.bsky.social•501 days ago

mine makes us change it every three months but hasn't put any restrictions that would stop me simply adding 1 to the number at the end each time

tylerjameshill.com•501 days ago

When I use my password I like to put a 0 as the o so it's "passw0rd". Uncrackable 💅

nilbog3000.bsky.social•501 days ago

TSA security theater at the office

patrickb.net•501 days ago

If it's any consolation, us security practitioners aren't too keen on that either

The challenge is one part making sure all the supporting controls are in place to not need to care about password rotation and one part changing corporate IT policy being comparable to electing a new house speaker

jonvw4.bsky.social•501 days ago

If you only cycle 3 passwords how will you know how long you've worked there?

Password5 - your fully vested in the retirement plan

Password10 - you get an extra week of vacation

Password15 - they give you a cheap watch

katie.bzky.team•501 days ago

lol

jjofbc.bsky.social•501 days ago

My work makes us change it several times a year. The worst.

sarah.transsexual.gay•501 days ago

6 month password cycle hopefully my last one here

sarah.transsexual.gay•501 days ago

They also make us sign into the vpn with the same password we use to sign into the computer except there’s also a mobile 2fa

katie.bzky.team•501 days ago

oh i've got that. same password all over the org lol