Poll of the Day > FML, My company is now requiring all passwords be EIGHTEEN DAMN CHARACTERS LONG

hypnox
03/28/22 7:37:25 PM
#1:


PLUS we have the stupid policy of passwords being changed every 90 days.... Looks like I will be one of those people with passwords freaking written down now.

---
http://media.tumblr.com/tumblr_m0ajm6lGqf1qekkfi.gif
Joshs Name
03/28/22 7:40:21 PM
#2:


I prepend the month and year in front of all my passwords and just rotate it every month. easy to remember and it's enough unique characters to stop it getting picked up. it's also good if you come back from like 3 weeks holiday and you only have to remember what month you set your password

ie 0322xxxxxxxxxxxx

idgaf if someone can guess my work pw tbqh so i don't really keep the prepend info a secret

---
So I was standing still at a stationary store...
ReturnOfFa
03/28/22 7:48:13 PM
#3:


welcome to security. just have a notebook, and you'll remember the password quickly enough

---
girls like my fa
slacker03150
03/28/22 7:49:03 PM
#4:


It was the best of timesIt was the worst of times!1

Mr. and Mrs. Dursley of number 4, Privet Drive, were proud to say that they were perfectly normal, thank you very much.

---
I am awesome and so are you.
Lenny gone but not forgotten. - 12/10/2015
jsb0714
03/28/22 7:51:54 PM
#5:


So all of a sudden TC can't remember a phrase? Guess I can't say I'm surprised.
dragon504
03/28/22 7:54:00 PM
#6:


passwordpasswordpassword, there you go, 24 characters long, add a random number and uppercase letter to make it more secure

---
http://myanimelist.net/profile/dragon504
http://followmy.tv/u/dragon504/time_wasted
AndyReklaw
03/28/22 8:01:19 PM
#7:


mypasswordis______

And then you only need a 6 character password.

---
This user is awesome!:
https://gamefaqs.gamespot.com/user/gamefaqs-user?account=12351915135
KodyKeir
03/28/22 8:03:53 PM
#8:


hypnox posted...
policy of passwords being changed every 90 days

Only 90 days, that's not too bad, and at eighteen characters it likely keeps all but a state actor from hard cracking it.

Think up a nonsense phrase and replace some of the letters with numbers l33t h4ck3r style, something like:

1und3r5t4ndy0umr45p4r4gus

Also, if you are inconsistent with what letters you replace with numbers, it becomes harder to crack even if someone does find your nonsense phrase.

I no longer have to deal with that but my personal passwords are all generated from a personal pass phrase that creates a unique and indecipherable alphanumeric string at the desired length for each login I use; I don't think I actually know any of my passwords :P

---
Why didn't you DODGE‽‽‽
Quoting me will trigger the profanity filter, Not Joking. I've been Scunthorped! Consider yourself warned.
shadowsword87
03/28/22 8:10:52 PM
#9:


KodyKeir posted...
Only 90 days, that's not too bad, and at eighteen characters it likely keeps all but a state actor from hard cracking it.

Think up a nonsense phrase and replace some of the letters with numbers l33t h4ck3r style, something like:

1und3r5t4ndy0umr45p4r4gus

Also, if you are inconsistent with what letters you replace with numbers, it becomes harder to crack even if someone does find your nonsense phrase.

I no longer have to deal with that but my personal passwords are all generated from a personal pass phrase that creates a unique and indecipherable alphanumeric string at the desired length for each login I use; I don't think I actually know any of my passwords :P

This is stupid.
ParanoidObsessive
03/28/22 8:12:21 PM
#10:


hypnox posted...
My company is now requiring all passwords be EIGHTEEN DAMN CHARACTERS LONG

Most of mine are pretty close to that as-is. The real problem is if they require them to be strings of fully nonsense rather than actual words or things you can use mnemonics for.

Like, say, using the Ring verse from Tolkien (Three Rings for the Elven-kings under the sky, Seven for the Dwarf-lords in their halls of stone...), and then turning that into "TRftEkunsSftDlithos". That's a pretty complex password, but also one that's relatively easy to remember as long as you remember what the "key" is.



hypnox posted...
PLUS we have the stupid policy of passwords being changed every 90 days.... Looks like I will be one of those people with passwords freaking written down now.

The irony, of course, being that when you write your password down, it increases the risk that someone else can physically find it, steal it, or copy it (or you can just lose it), thus compromising security more than just having an easy to remember one.

That being said, a lot of this depends on just how important access to your work account is. I'd rather have rigorous security for someone working in a major bank, maybe less so for someone doing stock management data-entry for Wal-Mart or something.

---
"Wall of Text'D!" --- oldskoolplayr76
"POwned again." --- blight family
HornedLion
03/28/22 8:19:13 PM
#11:


Aintnobodygottimeforthat69!

---
Century: Age Of Ashes is the greatest dragon riding game to ever exist and it's FREE.
Dikitain
03/28/22 8:27:30 PM
#12:


Changing password every 3 months has been a standard at my company for years now (although we only require 15 characters). However, they only require one character difference and the password only has to be different than the last 10 passwords, so just +1 a random digit in the password and you are good to go.

Also, the password is used for every account, including our "password vault" that randomly generates a 40 character password you use for database access every 24 hours.

---
After 16 years, I have decided my signature will NOT be about my job! But I still don't know what to put here so...yea...
Metalsonic66
03/28/22 8:39:58 PM
#13:


Use a phrase from a song you love

---
PSN/Steam ID: Metalsonic_69
Big bombs go kabang.
Sahuagin
03/28/22 9:23:00 PM
#14:


correct horse battery staple

---
The truth basks in scrutiny.
http://i.imgur.com/GMouTGs.jpg http://projecteuler.net/profile/Sahuagin.png
LinkPizza
03/28/22 9:34:54 PM
#15:


In the military, we'd use:

!QA@WS#ED1qa2ws3ed

For the next 90 days, you could either do:

1qa2ws3ed!QA@WS#ED

Or

@WS#ED$RF2ws3ed4rf

Whatever floats your boat

---
Official King of Kings
Switch FC: 7216-4417-4511 Add Me because I'll probably add you. I'm probably the LinkPizza you'll see around.
Judgmenl
03/28/22 9:50:43 PM
#16:


I don't see why this is an issue in the era of auto-generated passwords.

---
You're a regular Jack Kerouac
Not removing this until I've left March 2020.
joemodda
03/28/22 9:53:53 PM
#17:


My password is out of the ___

---
It's not genocide... it's pesticide...
Joshs Name
03/28/22 11:01:28 PM
#18:


Judgmenl posted...
I don't see why this is an issue in the era of auto-generated passwords.

The 1st problem would likely be trying to unlock or cold boot your work PC for the first time and you can't log in because you need a password. auto-generated password doesn't help with this problem and creates a new one of trying to copy it from your phone or somewhere else.

---
So I was standing still at a stationary store...
KodyKeir
03/28/22 11:27:14 PM
#20:


Joshs Name posted...
cold boot your work PC for the first time

Back when I worked at the phone company, we had keyboards with built in chip readers, just slide your employee id in and you were logged in. I don't think anyone actually used the function though...

---
Why didn't you DODGE‽‽‽
Quoting me will trigger the profanity filter, Not Joking. I've been Scunthorped! Consider yourself warned.
hypnox
03/28/22 11:31:23 PM
#21:


KodyKeir posted...
Back when I worked at the phone company, we had keyboards with built in chip readers, just slide your employee id in and you were logged in. I don't think anyone actually used the function though...

My last job had biometric scanners. Loved that so much.

---
http://media.tumblr.com/tumblr_m0ajm6lGqf1qekkfi.gif
KodyKeir
03/28/22 11:41:13 PM
#22:


hypnox posted...
My last job had biometric scanners. Loved that so much.

My current laptop is government surplus so it has that option, was great at first but I find I have to clean the sensor constantly and even then it's still a little wonky but I chalk that up to it being an early gen model.

---
Why didn't you DODGE‽‽‽
Quoting me will trigger the profanity filter, Not Joking. I've been Scunthorped! Consider yourself warned.
Karovorak
03/29/22 3:07:17 AM
#23:


Just to explain why some security guys think this is useful:

The biggest threat is always using the same password.

You used your mail and password for cheapsite.com and cheapsite.com got hacked and didn't secure the password as it should? good job, your combination of mail + password is now totally insecure, no matter how strong the password was.

Happened to me too, using my spam mail (for sites I don't give a f) and most used password (for sites I don't give a f) on a site, and it got hacked. Years later, I created a Ubisoft account because I needed one for some game and...

It got hacked in under 2 hours. Because the mail+password in clear text was leaked and part of some hacker database, automatically attacking everything 24/7.

So, IT security wants to make sure that people don't use their company passwords multiple times in private use.

Sadly, the approach is always long passwords and changing it every time. That ensures that you will never use this password privately. But the result is usually pretty lazy passwords, or passwords written down next to the desk, INCREASING the risks.

In my old company, we had to change the password every month.

I swear, I'm sure you could hack 10% of all employees with trying "January2022" or similar passwords.
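An added example, not part of the thread or any poster's code: a password-change check that flags the rotation habits described above (a calendar word plus year as in "January2022", a month/year stamp, or the previous password with only a digit bumped). The function names, finding labels and sample passwords are constructed for illustration, and it assumes the change form supplies the old password so the two can be compared.

```python
import re

MONTHS = ("january february march april may june july august "
          "september october november december").split()
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
CALENDAR_RE = re.compile(
    "(" + "|".join(MONTHS + SEASONS) + r")[\W_]*(19|20)?\d{2}[\W_]*")
# MMYY or MMYYYY glued to the front or back of the password.
STAMP_PREFIX = re.compile(r"(0[1-9]|1[0-2])(20)?\d{2}(?!\d)")
STAMP_SUFFIX = re.compile(r"(?<!\d)(0[1-9]|1[0-2])(20)?\d{2}$")


def _skeleton(pw):
    """Drop every digit, so 'Pass01' and 'Pass02' compare equal."""
    return re.sub(r"\d+", "", pw)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_findings(new_pw, old_pw):
    """Return labels for predictable-rotation patterns in new_pw."""
    findings = []
    if CALENDAR_RE.fullmatch(new_pw.lower()):
        findings.append("calendar-word-plus-year")
    if STAMP_PREFIX.match(new_pw) or STAMP_SUFFIX.search(new_pw):
        findings.append("date-stamp")
    if _skeleton(new_pw) == _skeleton(old_pw):
        findings.append("only-digits-changed")
    elif edit_distance(new_pw, old_pw) <= 2:
        findings.append("near-duplicate")
    return findings


if __name__ == "__main__":
    # Constructed sample pairs: (new password, previous password).
    for new, old in [("January2022", "blue-Kettle-river-41"),
                     ("0422hunter-falcon-x", "0322hunter-falcon-x"),
                     ("violet-anchor-museum-tide", "blue-Kettle-river-41")]:
        print(new, rotation_findings(new, old))
```

A policy that only checks length and "differs from the last N passwords" accepts every flagged sample here except where the history check happens to catch an exact repeat.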
Judgmenl
03/29/22 5:10:24 AM
#24:


Joshs Name posted...
The 1st problem would likely be trying to unlock or cold boot your work PC for the first time and you can't log in because you need a password. auto-generated password doesn't help with this problem and creates a new one of trying to copy it from your phone or somewhere else.
Well this is solved by not using company-provided hardware.
Actually, my work laptop runs Linux as well.
But yes, my post was kinda lame and didn't consider the obvious that most companies are entirely entrenched in the Microsoft environment and have actual IT departments and whatnot.

---
You're a regular Jack Kerouac
Not removing this until I've left March 2020.
captpackrat
03/29/22 5:40:40 AM
#25:


Qwertyuiop!@#$%^01

Assuming you need upper & lower case letters, numbers, and symbols. And every time you have to change your password you just increment the number. Qwertyuiop!@#$%^02, Qwertyuiop!@#$%^03, etc

---
Minutus cantorum, minutus balorum,
Minutus carborata descendum pantorum.
captpackrat
03/29/22 5:52:16 AM
#26:


Back when I worked at the phone company, we had keyboards with built in chip readers, just slide your employee id in and you were logged in. I don't think anyone actually used the function though...
I liked the way they did it at the Corps of Engineers. You insert your CAC (Common Access Card) into the slot on the laptop or the keyboard, then type in a PIN. Boom, two-factor authentication! Can't log in without the card, can't use the card without the PIN.

Just be careful, entering the wrong PIN just 3 times locks the CAC and it can only be unlocked by going to a RAPIDS office and submitting all kinds of ID & fingerprints.

---
Minutus cantorum, minutus balorum,
Minutus carborata descendum pantorum.
Gaawa_chan
03/29/22 5:52:17 AM
#27:


I often pick a piece of media that has recently been announced or come out around the time I need to change my password and then pick a date and then put an exclamation point on the end or something. Most video game titles, for example, have both capital and lowercase letters and sometimes numbers in them.

---
Hi
11110111011
03/29/22 5:58:32 AM
#28:


I DGAF anymore. I have my passwords in a text file in my user directory storage. Not only do I have to change passwords, they have to be 16 characters with a letter, number & special character, but I can't use the last 6 passwords. I don't remember that far back anymore, so I just keep a log and rotate through them.

If anyone saw it they would have a heart attack - but after a day of forgetting my password after I changed it - it just isn't that important anymore in my eyes.
#29
Post #29 was unavailable or deleted.
Solid Sonic
03/29/22 7:04:43 AM
#30:


Yeesh. I have a rotating password that's 17 characters long but that wouldn't even work.

I think at that point your company should consider alternative verification methods than simple password complexity (such as 2FA).

---
Sometimes it's necessary to make people miserable, even if that means making yourself miserable in the process.
Lynyrd_Skynyrd
03/29/22 7:39:32 AM
#31:


AndyReklaw posted...
mypasswordis______

And then you only need a 6 character password.
You're an absolute genius
MechaKirby
03/29/22 8:15:03 AM
#32:


PolloftheDayhypnox

18 characters

---
GTag/PSN: MechaknightX [] Switch ID: SirMecha [][]
'Cloud, this isn't a normal reactor! It's the Chemical Plant Zone'
Joshs Name
03/29/22 5:31:41 PM
#33:


Judgmenl posted...
Well this is solved by not using company-provided hardware.
Actually, my work laptop runs Linux as well.
But yes, my post was kinda lame and didn't consider the obvious that most companies are entirely entrenched in the Microsoft environment and have actual IT departments and whatnot.

Super agree. I only remember vividly because my last company was locked down like this. 2mfa, 18 character rotating password, every time you even locked your pc.

---
So I was standing still at a stationary store...
LinkPizza
03/29/22 6:01:58 PM
#34:


captpackrat posted...
I liked the way they did it at the Corps of Engineers. You insert your CAC (Common Access Card) into the slot on the laptop or the keyboard, then type in a PIN. Boom, two-factor authentication! Can't log in without the card, can't use the card without the PIN.

It's not bad. Until you're locked out on an off shift. Some bases have personnel 24/7, and some had a person in squadron who could do it. My base has neither. So, if you're locked out on an off shift, you're just screwed. That said, so many people had other people's pins that it was almost pointless to have them. Haha.

---
Official King of Kings
Switch FC: 7216-4417-4511 Add Me because I'll probably add you. I'm probably the LinkPizza you'll see around.
Jen0125
03/29/22 6:20:18 PM
#35:


Make it literally say eighteencharacters
Revelation34
03/31/22 12:07:56 PM
#36:


I remember one website telling me my password was too long.

---
Gamertag: Kegfarms, BF code: 2033480226, Treasure Cruise code 318,374,355, Steam: Kegfarms
badjay
03/31/22 12:21:38 PM
#37:


shadowsword87 posted...


This is stupid.

https://gamefaqs.gamespot.com/a/user_image/7/6/1/AABn_6AADFc5.png

Seems like they follow this method, which isn't TOO bad. The only part is the inconsistent leet code changes. That'll make it probably in the realm of hard to remember rather than easy. The point is to prevent brute force hacking, not social engineering hacking, where someone makes assumptions how people change letters into leet language.

---
[05:45:34] I bought an American L and it was like a tent
The_Viscount
03/31/22 4:18:35 PM
#38:


I use phrases at times but they're original combinations and, honestly, I frequently forget them.

---
Woken LLC