The Off Topic Topic

[derspiess]

Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

It's a pain, for sure.  But data security is a huge priority where I work given the nature of the data we process and it's required for certain certifications we hold, so I can't argue.  They give us an easy-to-use password management application and it's not too painful to get help resetting your password if you get locked out.

[MadImmortalMan]

Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

Yep, that's the catch-22 with password restrictions. Too strict and it actually makes security worse.

[derspiess]

Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

Yep, that's the catch-22 with password restrictions. Too strict and it actually makes security worse.

Disagree-- people can actually adapt to it once they stop whining.

[garbon]

Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

Yep, that's the catch-22 with password restrictions. Too strict and it actually makes security worse.

Disagree-- people can actually adapt to it once they stop whining.

Disagree. At my last job where we had a flurry of passwords for different systems that were often changing - most employees were often writing down their passwords or had a text file on their desktop.

For most of the systems, you could use forget password function, which is what I used most of the time.

[DGuller]

Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

Yeah, overdoing it on password security is actually counterproductive.

Agreed, I've had the same thought every time I had to remember what my new password was one day after resetting it.  I'm sure everyone has a system for coming up with the new version of the password, which is a very bad thing for security.

[DGuller]

I guess both.  Are you saying you just change the numerical characters at the end of your password?  None of my systems (I have to log into about 8 or 9 here and I may be forgetting a couple) allow that.  You get a "password exists in user history"-type error if you try.

If your system can actually recognize that "iluvmilfs7" is close to your previous password of "iluvmilfs6", then it's comically insecure.  That most likely means that the system has an unencrypted version of your password somewhere.  Good encryption systems make encrypted versions of even extremely similar passwords look very different.

[derspiess]

Amateurs.  There are several password tools available where you can securely store and retrieve passwords.  No excuse for writing it down on a post-it and leaving it on your monitor.

Again, once people stop whining about it they can adjust.

[derspiess]

I guess both.  Are you saying you just change the numerical characters at the end of your password?  None of my systems (I have to log into about 8 or 9 here and I may be forgetting a couple) allow that.  You get a "password exists in user history"-type error if you try.

If your system can actually recognize that "iluvmilfs7" is close to your previous password of "iluvmilfs6", then it's comically insecure.  That most likely means that the system has an unencrypted version of your password somewhere.  Good encryption systems make encrypted versions of even extremely similar passwords look very different.

Incorrect.

[DGuller]

Amateurs.  There are several password tools available where you can securely store and retrieve passwords.  No excuse for writing it down on a post-it and leaving it on your monitor.

Again, once people stop whining about it they can adjust.

My workplace had that system for many years.  Of course I've adjusted, but not in ways that enhances the company's security.  I would imagine that my passwords are easy to guess, even with the special characters, because I have to be able to remember the new version of them every month.  If I didn't have to change the password constantly, I could use some ungodly mess of special characters that would be much more difficult to crack.

[DGuller]

I guess both.  Are you saying you just change the numerical characters at the end of your password?  None of my systems (I have to log into about 8 or 9 here and I may be forgetting a couple) allow that.  You get a "password exists in user history"-type error if you try.

If your system can actually recognize that "iluvmilfs7" is close to your previous password of "iluvmilfs6", then it's comically insecure.  That most likely means that the system has an unencrypted version of your password somewhere.  Good encryption systems make encrypted versions of even extremely similar passwords look very different.

Incorrect.

Which part?

[Grey Fox]

Not allowing it makes it even worse. The more you make it harder to remember a password the more likely it's going to be written down.

It's a pain, for sure.  But data security is a huge priority where I work given the nature of the data we process and it's required for certain certifications we hold, so I can't argue.  They give us an easy-to-use password management application and it's not too painful to get help resetting your password if you get locked out.

Half my work is under ITAR. What do you think security is like?

[Ed Anger]

Shitty. Like at most places.

[derspiess]

I guess both.  Are you saying you just change the numerical characters at the end of your password?  None of my systems (I have to log into about 8 or 9 here and I may be forgetting a couple) allow that.  You get a "password exists in user history"-type error if you try.

If your system can actually recognize that "iluvmilfs7" is close to your previous password of "iluvmilfs6", then it's comically insecure.  That most likely means that the system has an unencrypted version of your password somewhere.  Good encryption systems make encrypted versions of even extremely similar passwords look very different.

Incorrect.

Which part?

That it's likely storing passwords unencrypted if it's able to compare.  No way we'd pass the multiple audits we endure if that were the case.

[Grey Fox]

Amateurs.  There are several password tools available where you can securely store and retrieve passwords.  No excuse for writing it down on a post-it and leaving it on your monitor.

Again, once people stop whining about it they can adjust.

That's barely any better than writing it down on a post-it affix to your monitor. One more database for the Chinese to hack.

[Ed Anger]

I keep my password list up my rectum. Hack that China.