• Fyrnyx@kbin.melroy.org · 3 upvotes · 1 day ago

    Your new password must have a symbol, a number, uppercase letter, lowercase letter, the middle initial of your name, the third number of your birthdate, your blood type (no dashes), the last character of your license plate and the middle number of your social security.

    Oh AND it must be 16 characters long because go fuck yourself.

    • Newsteinleo@midwest.social · 4 upvotes · 1 day ago

      As of 2023, a 16 character password with just lower case letters could be cracked in about 713 years and the average employee stays with a company for about 3.9 years. I really think we are making people work too hard to make good enough passwords and that is how we get people making shitty passwords. And then we ask them to repeat this process every three months, and because getting a password reset is a pain in the ass they write “FuckTh15Pl@ce” on a sticky note under their keyboard (I found that one under a VP’s keyboard).

      If we were doing passwords right it would be 12 characters, three character types, last until you leave the company or there is an incident. Also, by not requiring people to change the password every so often it’s one less thing for the IT Auditor to crab about.

      • ozymandias117@lemmy.world · 4 upvotes · 1 day ago

        NIST’s official password guidelines state you should not have password expiry unless there is evidence of a compromise

          • ozymandias117@lemmy.world · 1 upvote · 1 day ago

            The majority of accounts I have don’t have an expiry

            I wouldn’t trust personal data with anything that does - they certainly don’t have any security professionals on staff

              • ozymandias117@lemmy.world · 1 upvote · 7 hours ago

                10 years ago, that was believed to be best practice.

                If they’re still doing it in the last 2-3 years, they don’t have anyone keeping up with modern security standards

                At least it’s not your data

              • Newsteinleo@midwest.social · 1 upvote · 20 hours ago

                My last employer did not, life was so much better after the policy change. Although my director lost track of how long he had worked there because he stopped incrementing his password every three months.