undefined | Better HN

0 pointsgnfargbl2y ago0 comments

The lack of use of a non-corp domain, the typos and the use of shortened links does sound like a form of incompetence, probably at the management layer.

However, the password rotation requirement was until relatively recently something that many IT auditors would actually recommend, even though it leads directly to bad user password choices. In fact I wouldn't be at surprised to learn that was still the case in a lot of places.

0 comments

bluGill2y ago

Fortunately NIST has specific advice that recommends against that which is admissible in court (in the US). I'm not sure how to work through the bureaucracy to do this, but your company should sue them in court for incompetence to get their money back.

Kye2y ago

I've seen multiple accounts from IT/security people who discovered something like "this could get the company in legal trouble" with links to details was exactly what got an otherwise intractable issue resolved.

flatline2y ago

Two then-current NIST standards (62 and 71?) side by side gave contradictory advice. It is a step forward though for sure.

homeyKrogerSage2y ago

It is. I work as an IT tech at a military defense contractor and they require regular recycling passwords, with a decent number of passwords remembered. They at least have complexity requirements applied so not 100% bad, but still archaic

resfirestar2y ago

The same NIST document (800-63) that recommends against password expiration also recommends against complexity requirements, instead organizations are supposed to develop a list of bad passwords that would likely be used in an external dictionary attack.

People understandably get really fired up by the idea of not having to change their password every 90 days, but forget that the guidelines are a package that contains a lot of "shall"s (no password expiration is a mere "should") that would be more painful for organizations stuck with a lot of legacy software, like the requirement to use two authentication factors and the use of secure authentication protocols.

withinboredom2y ago

Heh. I just increased a number in my password for my passwords. Then just repeat. So “CompanyName[00]” meets almost all complexity requirements and all I have to do is increment the numbers.

Note: I only do this when I have these requirements and I can’t use a password manager.

mondobe2y ago

Sounds like a certain BOFH story... have you ever thought about just adding another "s" to the end of your password instead?

DarkGauss2y ago

Yep. That leads directly to passwords like:

ReallyLongP@assword$01, ReallyLongP@assword$02, ReallyLongP@assword$03, and so on.

k8svet2y ago

Yeah, define recently.

j / k navigate · click thread line to collapse