When you can't live without bananas


Saturday, August 28, 2021

On insane IT password policies

Bitdefender: "It goes without saying: don't do this. 85% of employees who have received security training in the workplace continue to reuse their passwords."

Comments:

"Despite security training, the majority of systems engineers continue to use password protection as the default security model."

"Some people have enough trouble remembering one password, let alone 10."

"You MUST have 10 unique passwords 🤦🏼‍♂️, 6 characters with upper lower case AND symbols… how can you expect people to remember them…"

"but some of the passwords require special characters, and others forbid special characters, so you can’t make it easy for yourself."

"Because when we're forced to use 20 different non-memorable passwords, we forget them. And all the password reset emails get routed into our inbox, so there's a single point of vulnerability - which is exactly what the strategy is *supposed* to prevent."

"If it weren’t for obnoxious password requirements, IT people wouldn’t have a job at all. The only thing they exist for is to reset forgotten passwords. The business would do just fine if we simplified passwords and downsized IT departments - after all, without 9 million password reset emails, they’d have less work to do."

"The combination of password complexity + making people change passwords every 90 days makes this inevitable."

"Must include a number, capital letter, and special character (but only from a limited set), AND it can’t be more than x characters long? How’s anyone supposed to remember made-up nonsense meeting all those criteria at once? Just get rid of the character cap and encourage people to use sentences instead of “words”. They’re easier for humans to remember and harder for computers to guess even if no additional characters are added. Something like “this is my yahoo password, yeehaw” is nigh unhackable by brute force (more so than xkYn23?d while being far more memorable), and you can have a personal formula for how you set up different sites that makes sense to you while still giving different passwords on each."
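The commenter's claim above can be put in numbers. The following is an added example written for this page, not code from Bitdefender or from any commenter: it estimates the brute-force search space for a short "complex" password versus a multi-word phrase, using a character-class model for the former and a word-list model for the latter (the word-list size of 7776 is the classic Diceware list and is an assumption, as is the 60-bit acceptance threshold). The policy function `accepts` is a hypothetical length-first rule with no character cap and no mandatory character classes. None of this says anything about password reuse, which is what the 85% figure at the top of the post is about; it only shows why a long sentence resists guessing better than eight mixed characters.

```python
import math
import re
import string

# Character-class model: an attacker who knows which classes a password
# uses must try every combination drawn from those classes.
# Sizes are for printable ASCII: 26 lower, 26 upper, 10 digits,
# 33 other printable characters (punctuation and space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}

# Assumption: the attacker's word list is the 7776-word Diceware list.
DICEWARE_WORDS = 7776


def charset_entropy_bits(secret: str) -> float:
    """Bits an attacker must search if the secret is random characters
    drawn from the classes it actually uses (an upper bound)."""
    classes = set()
    for ch in secret:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def words_of(secret: str) -> list:
    """Split a phrase into tokens, dropping spaces and common punctuation."""
    return re.findall(r"[^\s,.;:!?]+", secret)


def passphrase_entropy_bits(secret: str, vocabulary: int = DICEWARE_WORDS) -> float:
    """Bits an attacker must search if they know the secret is a sequence
    of words from a list of the given size."""
    return len(words_of(secret)) * math.log2(vocabulary)


def estimated_bits(secret: str) -> float:
    """Conservative estimate: the attacker uses whichever model is cheaper.
    The word model only applies when the secret really is a run of
    alphabetic words; 'xkYn23?d' is a single non-word token, so it gets
    the character-class estimate."""
    tokens = words_of(secret)
    if len(tokens) >= 2 and all(t.isalpha() for t in tokens):
        return min(charset_entropy_bits(secret), passphrase_entropy_bits(secret))
    return charset_entropy_bits(secret)


def accepts(secret: str, min_length: int = 16, min_bits: float = 60.0) -> bool:
    """Hypothetical length-first policy: a minimum length and a minimum
    estimated search space, but no maximum length and no required
    character classes."""
    return len(secret) >= min_length and estimated_bits(secret) >= min_bits


if __name__ == "__main__":
    for candidate in ("xkYn23?d", "this is my yahoo password, yeehaw"):
        print(f"{candidate!r}: ~{estimated_bits(candidate):.1f} bits, "
              f"accepted={accepts(candidate)}")
```

Run as a script, the eight-character password comes out at roughly 52 bits and is rejected, while the six-word sentence is roughly 78 bits under the word-list model and is accepted. The phrase's character-class estimate is far higher still (around 194 bits), which is why the code takes the minimum: an attacker who guesses that the secret is made of common words gets the cheaper search.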

"There was actually a government study that showed that these complex password rules were LESS secure. Either for re-use, or people writing them down on sticky notes and setting them by the computer."

"Doesn't help when employers prohibit the installation and use of password managers."

"Because only a computer could remember a different password for everything that requires one."

"I sent a complaint to IT and managers once when I received a password reset email days after a password security training session that said a secure password should be a series of words, not an arbitrary series of characters, digits and what not. They didn’t change the password policy, they instead took the training material off the list of recurring training sessions… 🤦‍♂️"

"So you want people writing these down on paper? That is the most insecure of all."

"You just don't look very professional when you are in the field and you have to email a file to your customer: 'Could you print this for me please? I don't have the password to install the driver for the printer you use on my computer, and this is not on our IT to-do list to help me soon...' Because the first thing the new IT guy had done upon arrival is demoting all users to 'restricted users' and making everyone wait for him every time you need to tweak your computers. In these cases I call it 'Password Protected Job Security'."

"It's a conspiracy theory of mine, *chuckles*, that we will all get SO tired of multiple passwords and changing them often that we submit our thumbprints happily~~."
