Comment on I will burn this fucker to the ground... internally
miss_demeanour@lemmy.dbzer0.com 2 days ago
I was driving limo and the CEO client (who I knew quite well, client-wise) spent the first 30 minutes of the trip on the phone insisting that his original password be restored, as the ‘system’ was insisting it be changed.
He told me he has to repeat this every 4 months…
Drusas@fedia.io 2 days ago
To be fair, simply forcing users to create a new password every X weeks is bad security policy.
echodot@feddit.uk 2 days ago
It is, and it’s actually not even recommended best practice to change passwords anymore, precisely because of this. It hasn’t been considered best practice since, I think, around 2016-17, so businesses are really lagging.
If you get governmental contract work, I’m pretty sure not resetting passwords too often is actually now part of the security requirements, but outside of that businesses just do what they think is best regardless of research.
Opisek@piefed.blahaj.zone 2 days ago
It’s actually even outright discouraged by NIST.
For those who don’t see the reason why, forced password resets lead to users using predictable passwords like “password2025october”, “password2025november”, etc.
Drusas@fedia.io 1 day ago
Yep. Back when I was being forced to reset my passwords every 90 days, I needed some way to remember the new password, so I developed a strategy like that. Whatever beverage is currently on my desk plus @ plus the time. Water@1257, for example. It's so nice to have the option to randomly generate a strong password these days.
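As an added example (not from any commenter and not code from the thread), the Python below shows the predictability Opisek and Drusas describe from both sides: an attacker's enumeration of likely successors to one expired password, and the kind of check NIST SP 800-63B favours instead of expiry (a minimum length, screening against a breached-password list, and rejecting a new password that is just the old one with a fresh suffix). The blocklist is a constructed stand-in for a real breach corpus; the suffix regex, the 0.8 similarity threshold and the function names are assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a breached/common-password corpus (assumption: a real
# deployment would screen against a list of hundreds of millions of entries).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

MONTHS = ("january|february|march|april|may|june|july|august|"
          "september|october|november|december")
MONTH_LIST = MONTHS.split("|")

# A trailing "rotation token": separators, digit runs and month names, in any order,
# e.g. "2025october", "@1257", "1!", "_2026". Assumption: this covers the common
# habits; "may" inside an ordinary word is a known false positive.
SUFFIX_PARTS = re.compile(rf"(?:[@_\-!#.]|\d+|{MONTHS})+$", re.I)


def core(pw: str) -> str:
    """Return the password with any trailing rotation token stripped (case preserved)."""
    return SUFFIX_PARTS.sub("", pw)


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity in [0, 1] (difflib ratio)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def rotation_guesses(old: str) -> set[str]:
    """Attacker's view: successors a rotate-by-suffix habit produces from one expired password.
    Deliberately small; a real wordlist rule set would cover far more variants."""
    guesses = set()
    base = core(old)
    m = re.search(r"(\d+)$", old)
    if m:  # counter bump: Summer3 -> Summer4, Water@1257 -> Water@1258
        n = m.group(1)
        guesses.add(old[:m.start()] + str(int(n) + 1).zfill(len(n)))
    for year in (2025, 2026):
        for month in MONTH_LIST:
            guesses.add(f"{base}{year}{month}")
    return guesses


def check_new_password(new: str, history: list[str], min_len: int = 8,
                       max_similarity: float = 0.8) -> tuple[bool, str]:
    """Defender's view, SP 800-63B style: no expiry, but length, blocklist and
    'same password with a new suffix' checks. Returns (accepted, reason)."""
    if len(new) < min_len:
        return False, "too short"
    if new.lower() in BREACHED:
        return False, "on breached/common-password list"
    new_core = core(new).lower()
    for old in history:
        if new_core and new_core == core(old).lower():
            return False, "previous password with a new suffix"
        if similarity(new, old) >= max_similarity:
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    old = "password2025october"
    print("attacker guesses hit:", "password2025november" in rotation_guesses(old))
    for candidate in ("password2025november", "welcome1", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, [old]))
```

The similarity and suffix checks only catch rotation of the same base; a scheme like Drusas' (a different word each time, same shape) slips past both, which is the point of the NIST position: drop expiry, screen against breached lists, and let users keep a strong generated password.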