This website contains age-restricted materials including nudity and explicit depictions of sexual activity.
By entering, you affirm that you are at least 18 years of age or the age of majority in the jurisdiction you are accessing the website from and you consent to viewing sexually explicit content.
My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements. All systems automatically lock or logout after 10 minutes of inactivity, so users are forced to type in their credentials frequently throughout the day.
Yes people suck with creating decent credentials, but it’s the company’s security policies breeding that behavior.
I don’t get why people get upset at frequently expiring passwords. It’s not hard: just write it on a postit note and stick it on your monitor.
Same. They also don’t allow password managers and I have multiple systems that don’t use my main password, so I have at least 5-6 work passwords for different systems.
Nobody can remember all that.
So everyone makes the simplest password they can (since it has to be regularly typed in) and writes it down somewhere so they don’t forget it.
Outdated security practices & cargo culture. Someone should roll up a copy of NIST SP 800-63 to smack them over the head until they read it:
Maybe ask them their security qualifications & whether they follow the latest security research & industry standards.
Tell them the NIST recommendations for password frequency changes have been really reduced in recent times because it pushes people into other bad password practices. Among all factors, changing the password frequently is the least important.
And yet admin, 1234, test, etc. remain the most commonly ‘hacked’ passwords. Your company’s policies may be annoying, but they certainly don’t make you use unsafe passwords.