• Techognito@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      This in addition to giving users passwords from hell if they refuse to use self-service.

      pwgen 32 what a great friend you have been

      • JJROKCZ@lemmy.world
        link
        fedilink
        arrow-up
        9
        ·
        1 year ago

        Refusal isn’t an option they have. Usage of MFA and SSPR is required to work, they will not have access to company systems unless they comply. That is the rule at any company that takes data security serious at all.

        • Techognito@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          As someone who worked for an MSP, not all customers believe that they require these security measures. Especially smaller companies would jest they were too small to be a hacking target.

          Many users would call in saying their users didn’t work, while in truth their password was expired. We would tell them to use the sspr, and they would call back 10-15 min later and say that the sspr didn’t work. So instead of going through the steps to troubleshoot something in front of them, to prove that they were lying, we would set pwgen passwords and depending on when they called and their attitude we had a scoring system and use their score for the pwgen command. After some time of doing this, fewer users would call in and more of them would learn to use the sspr

          • JJROKCZ@lemmy.world
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            1 year ago

            Yea MSPs can’t do this because they typically support a bunch of businesses so small they barely need anything and aren’t worth attacking because there is no money to ransom. My comment is from the major Corp IT perspective

          • PM_Your_Nudes_Please@lemmy.world
            link
            fedilink
            arrow-up
            5
            ·
            1 year ago

            I mean, that’s what lots of users do. My state requires that all state employees change their password every 90 days. This just means everyone has an incrementing number at the end of their password. Because the idiot users just write it on a fucking sticky note, which totally negates the idea of password changes.

            • ridago@programming.dev
              link
              fedilink
              arrow-up
              8
              ·
              1 year ago

              Regular password changes haven’t been recommended procedure for several years now. The only problem it solves is preventing people from using the same password everywhere, but since everyone just sticks a number at the end anyways it doesn’t actually protect against that either

              • PM_Your_Nudes_Please@lemmy.world
                link
                fedilink
                arrow-up
                3
                ·
                1 year ago

                Exactly. The problem is that government policy is slow to change. So when the government has made it a required change every 90 days, that policy will stick around for decades even after the practice has fallen out of favor.