this post was submitted on 23 Sep 2023
[–] MrQuallzin@lemmy.world 71 points 2 years ago (8 children)

One of our systems at work doesn't let you use the past thirteen passwords! Plus monthly password changes. Guess who's got a generic password that has an ever-increasing number at the end of it...

[–] EvolvedTurtle@lemmy.world 37 points 2 years ago (1 children)

If I'm not mistaken, it's actually been shown to be bad to change passwords that often, because you end up with people writing them down.

[–] Squiddles@kbin.social 23 points 2 years ago

Yes, NIST now recommends against requiring periodic password changes in their official guidance document.

[–] ipkpjersi@lemmy.ml 17 points 2 years ago

Pretty much everyone, which is why NIST no longer recommends automatic password expiry anymore.

[–] bighatchester@lemmy.world 15 points 2 years ago (2 children)

One of my work applications doesn't allow you to use any of the letters in the same spot or any repeating letters. And it expires every 45 days. So for example, if I used Batman1 for my password, I can't just switch to Captain2 because the second letter is the same. And you can't use something like Poophead because there are 2 O's in a row. It's a nightmare every time it expires.

[–] Confused_Emus@lemmy.world 7 points 2 years ago

When it expires, bump every character up by one - A/a becomes B/b, 1 becomes 2, for symbols use the next one on the row.

[–] MNByChoice@midwest.social 3 points 2 years ago (1 children)

That also means they are saving that information. I doubt a single character can be usefully hashed. Seems like a security nightmare.

[–] bighatchester@lemmy.world 6 points 2 years ago* (last edited 2 years ago) (2 children)

It's also some shitty program that is all black screen with green text that was probably made in the 90s. From what I understand it's used by a bunch of different shipping companies and is very unintuitive to use.

Edit: just googled it and it was released in 1988; it's called AS/400.

[–] MNByChoice@midwest.social 2 points 2 years ago* (last edited 2 years ago)

Ah, crap.

https://www.ibm.com/docs/en/i/7.1?topic=passwords-password-rules-qpwdrules

Those are some aggressive password rule options.

On the plus side, it may be over engineered all of the way to fuck and back. (Or not)

Edit: I searched for "as400 password rules" and that was the first hit.

[–] WuTang@lemmy.ninja 1 points 2 years ago

Mainframe is the notary caste of IT.

[–] Rambomst@lemmy.world 9 points 2 years ago (2 children)

I wonder what percentage of the company also does the same; it would be an interesting statistic.

[–] dustyData@lemmy.world 9 points 2 years ago

It's an easy attack vector, hackers love it.

[–] Alexstarfire@lemmy.world 6 points 2 years ago

Venn diagram is a circle.

[–] Nelots@lemm.ee 8 points 2 years ago

This is what password managers are nice for. I only know like two of my passwords all across the internet.

[–] lugal@sopuli.xyz 5 points 2 years ago (2 children)

If it were 12, I'd say use the month, but 13...

[–] _Lost_@lemmy.world 4 points 2 years ago

Lousy Smarch weather

[–] rockerface@lemm.ee 1 points 2 years ago (1 children)
[–] lugal@sopuli.xyz 1 points 2 years ago

Lunar calendars also have 12 months, but each is shorter and so the year is shorter. Some have a leap month, but that doesn't help either. Sure, you can iterate through these names, but that doesn't help you to remember the current one. The idea of using months is that you know in which month you are right now.

[–] HurlingDurling@lemm.ee 5 points 2 years ago

I'm pretty sure most people do when faced with a situation like that.

[–] andyburke@kbin.social 61 points 2 years ago (2 children)

FWIW: these types of password rules are discouraged by NIST:

  1. Eliminate Periodic Resets

Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user’s password will soon be locked out. However, frequent password changes can actually make security worse.

It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).

So if an attacker already knows a user’s previous password, it won’t be difficult to crack the new one. The NIST guidelines state that periodic password-change requirements should be removed for this reason.

[–] CluelessLemmyng@lemmy.sdf.org 16 points 2 years ago (2 children)

They also recommend implementing 2FA, but not OTP or TOTP as they are now considered not secure enough. Use 2FA that is FIDO2 compliant such as biometrics or fobs like Yubikey.

[–] RQG@lemmy.world 15 points 2 years ago (2 children)

I wish I knew what all those acronyms mean.

[–] dustyData@lemmy.world 17 points 2 years ago* (last edited 2 years ago) (1 children)

2FA - Two-factor authentication: you get asked for a second secret besides your password. Banks used to give users a card with codes that you had to find and input when authenticating with them.

OTP - One-time password: you receive a code over SMS or mail.

TOTP - Time-based one-time password: you have to have an authentication app that creates a clock-based cryptographic code.

FIDO2 - Fast IDentity Online standard version 2: a set of ID verification technologies. Usually you're asked to confirm access on another certified device, like Google asking you to check your phone for a notification when logging into a new browser.

[–] RQG@lemmy.world 5 points 2 years ago
[–] BorgDrone@lemmy.one 5 points 2 years ago* (last edited 2 years ago)

2FA: two factor authentication. So using a password (something you know) in combination with something else, like something you are (biometrics) or something you have (security token, phone with authenticator app)

OTP: One-time password. A password you can only use once. Can be a list of passwords where you have to use the next one on the list with each login or any other mechanism that provides a unique password for each login.

TOTP: Time-based one time password. An OTP scheme where the password is derived from a shared secret and the current time. Like Google Authenticator.

FIDO2: Fast IDentity Online version 2. A standard that lets you use an authentication device to log into online services. This can be in the form of a USB key or something built into your computer (e.g. on a Mac you can use the built-in fingerprint scanner).

[–] Polar@lemmy.ca 2 points 2 years ago (1 children)

How is a TOTP not secure? It's a random string that changes every 30 seconds. I mean shit, I am LOOKING at it, and sometimes fail a login because I run out of time.

[–] Enekk@lemmy.world 6 points 2 years ago* (last edited 2 years ago)

The attack vector is as follows:

  1. Evil.com phishes a user and asks for username and password for Good.com
  2. Evil.com immediately relays those credentials to Good.com
  3. Good.com asks Evil.com for TOTP
  4. Evil.com asks victim for TOTP
  5. Evil.com relays TOTP to Good.com and does a complete account takeover

The various physical dongles prevent this by using the asking domain as part of the hash. If you activated the dongle on Evil.com, it'll do nothing on Good.com (except hopefully alerting the SOC at Good.com about a compromised username and password pair).
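To make the point in the steps above concrete, here is an added illustration (not code from the thread or from any FIDO2 implementation): a TOTP code is just a function of the shared secret and the clock, so a verifier cannot tell a relayed code from a direct one, whereas a FIDO2-style assertion also covers the origin the browser actually showed, so an assertion produced for evil.com fails good.com's origin check. The HMAC keyed with a per-authenticator secret is an assumed stand-in for the real public-key signature, and the origin/challenge structure is a simplified stand-in for WebAuthn's clientDataJSON.

```python
# Added illustration: relayed TOTP vs origin-bound (FIDO2-style) assertion.
import hashlib
import hmac
import json


def totp_code(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: depends only on the secret and the time window."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def site_accepts_totp(secret: bytes, now: int, submitted: str) -> bool:
    # Nothing in the code says which site the user typed it into.
    return hmac.compare_digest(totp_code(secret, now), submitted)


def authenticator_sign(auth_key: bytes, challenge: str, origin_seen_by_browser: str):
    """Simplified FIDO2-style assertion: the signed data includes the browser's origin."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser},
                             sort_keys=True).encode()
    sig = hmac.new(auth_key, client_data, hashlib.sha256).hexdigest()  # stand-in for a signature
    return client_data, sig


def site_verifies_assertion(auth_key: bytes, expected_origin: str, challenge: str,
                            client_data: bytes, sig: str) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != expected_origin:   # the check that defeats the relay
        return False
    if data.get("challenge") != challenge:      # assertion must answer this login's challenge
        return False
    expected = hmac.new(auth_key, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def relay_demo():
    """Returns (totp_relay_accepted, relayed_assertion_accepted, direct_assertion_accepted)."""
    now = 1_700_000_000                       # constructed fixed clock
    totp_secret = b"constructed-shared-secret"
    code_typed_on_evil = totp_code(totp_secret, now)          # user types it into evil.com
    totp_relay = site_accepts_totp(totp_secret, now, code_typed_on_evil)  # forwarded to good.com

    auth_key = b"constructed-authenticator-key"
    challenge = "constructed-challenge-123"   # issued by good.com, forwarded by evil.com
    cd, sig = authenticator_sign(auth_key, challenge, "https://evil.com")   # browser was on evil.com
    relayed = site_verifies_assertion(auth_key, "https://good.com", challenge, cd, sig)
    cd2, sig2 = authenticator_sign(auth_key, challenge, "https://good.com")  # genuine login
    direct = site_verifies_assertion(auth_key, "https://good.com", challenge, cd2, sig2)
    return totp_relay, relayed, direct
```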

[–] sparky678348@lemm.ee 4 points 2 years ago

Yes never made much sense to me either.

[–] dingleberry@discuss.tchncs.de 15 points 2 years ago (1 children)

Why you click "Forgot my password" and they email it to you.

[–] kamen@lemmy.world 3 points 2 years ago

Security lvl > 9000

[–] arefx@lemmy.ml 14 points 2 years ago* (last edited 2 years ago) (1 children)

Spotify won't let you use a password you've used in the past at all, so now I don't even know what my password for it has evolved into, and I just reset my password and type something random in every time I need to log in lmao

[–] sheogorath@lemmy.world 10 points 2 years ago

That's basically just 2FA with extra steps (•_•)

[–] FARTYSHARTBLAST@kbin.social 13 points 2 years ago

Might be you got your password scrambled after a compromised account: It denies attackers the opportunity to use your compromised password.

[–] Mothra@mander.xyz 8 points 2 years ago (2 children)

Why does this happen though? I always wondered why it is that a platform recognises your old password only when you are trying to change it.

[–] TankieTanuki@hexbear.net 3 points 2 years ago* (last edited 2 years ago)

Microscopic trolls inside the internet tubes. I think that's the technical term.

[–] BirdyBoogleBop@lemmy.dbzer0.com 0 points 2 years ago (1 children)

Because it runs the hash again on the new password against the old one, if it matches the old one you are told to change it as you used the old password again.

[–] Mothra@mander.xyz 4 points 2 years ago

Yes yes, but I don't mean when I'm told to change one. I mean when I'm trying to log in as usual, the password doesn't work, so I change it. Just to test if the password I was using was wrong, that's what I use first, and it's rejected.

I remember Epic would do this on a DAILY basis at some point last year. It was so irritating. "Ah yes the brand new password from yesterday that worked yesterday but that we didn't recognise on the login page today? Well we do recognise here on the reset, jokes on you!"

[–] majestictechie@lemmy.fosshost.com 4 points 2 years ago (5 children)

I always find these types of posts frustrating. Apart from your desktop password, a password manager solves a lot of these issues. Just make the password manager super secure, use 2fa and then auto generate all other passwords.

[–] BolexForSoup@kbin.social 7 points 2 years ago

just make the password manager super secure

Remember when everyone said LastPass was that manager?

[–] mexicancartel@lemmy.dbzer0.com 2 points 2 years ago

I forgot my KeePass password.

[–] Tayphix@hexbear.net 2 points 2 years ago

The issue the post is about applies to password managers too.

[–] Mbourgon@lemmy.world 2 points 2 years ago

Can’t use it when logging into the laptop. And parts of the network have to be typed in; it detects and rejects pasting (haven’t built out an AutoHotkey script to see if that would work).

[–] SpaceNoodle@lemmy.world 0 points 2 years ago

Literally unusable for my needs.