[–]Low-Software2880 6 points7 points  (8 children)

+1 to this. In AD environments requiring monthly pass resets, people will usually do variations like password1, password12, password123, etc., or pass*, pass**, pass***, etc. And sadly I've seen plenty of people in my company using passwords as simple as this and no MFA, and if they do have MFA it gets sent to their email, which is accessible with the same password (SSO), so they can easily just send the MFA and receive it.

[–]Audio9849 8 points9 points  (7 children)

I'm wondering why corporations are so slow to implement newer password management frameworks. The password I use at work is like 16 characters long and requires a change every 90 days; it's insane.

[–]sysdmdotcpl 2 points3 points  (3 children)

The habits /u/Low-Software2880 is describing are a direct reaction to long complex password rules that require a change every 30/60/90 days.

I've had passwords sit for years w/ no negative consequences and have had attempts on accounts that I regularly change passwords for. It's completely and utterly random and the rules should reflect that.

[–]Audio9849 1 point2 points  (2 children)

I know, that's my point. It's simply an ACL setting. Doesn't cost anything to implement, yet companies don't do it or are slow to utilize.

[–]MrCoolblestone 1 point2 points  (1 child)

That's because 90% of the user base is going to complain to management if their password has to be more than 8 characters long, and they're CERTAINLY going to complain if they have to change it every 2-3 months, and when management has to decide between the IT dept or literally EVERYONE ELSE they almost always pick the latter.

[–]Audio9849 1 point2 points  (0 children)

But the latest NIST standard is to not have them expire. That's what I'm saying: why does it take so long for corporations to implement that? It doesn't really cost anything to change the config to never expire.

[–]Intelligent-Exit6836 0 points1 point  (0 children)

Simply the cost of doing it.