• MrQuallzin@lemmy.world
    link
    fedilink
    arrow-up
    77
    ·
    1 year ago

    One of our systems at work don’t let you use the past thirteen passwords! Plus monthly password changes. Guess who’s got a generic password that has an ever increasing number at the end of it…

    • EvolvedTurtle@lemmy.world
      link
      fedilink
      arrow-up
      43
      ·
      1 year ago

      If I’m not mistaken It’s actually shown to be bad to change passwords that often because you end up with people writing them down

    • bighatchester@lemmy.world
      link
      fedilink
      arrow-up
      19
      ·
      1 year ago

      One of my work applications doesn’t allow you to use any of the letters in the same spot or any repeating letters . And it expires every 45 days . So for example if I used Batman1 for my password . I can’t just switch to Captain2 because the second letter is the same . And you can’t use something like Poophead because there are 2 O’s in a row . It’s a nightmare every time it expires .

      • funkless_eck@sh.itjust.works
        link
        fedilink
        arrow-up
        12
        ·
        1 year ago

        that would instantly make me very dumb and require a lot of explaining on the phone. like “when I say hello mister Thompson and press down on your foot then you smile and nod, do you understand?” levels of dumb.

        “I’ve used up all the vowels! there are only 5! this means the only password left is rhythm

        “no you can use the same vowels just they can’t be in the same place”

        “like I have to do it in my kitchen?”

        “no the same place in the word”

        “so it has to be the same word with different letters?”

        “no, it has to be a different word with different letters”

        “well like I said I already used all the vowels”

      • Confused_Emus@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        When it expires, bump every character up by one - A/a becomes B/b, 1 becomes 2, for symbols use the next one on the row.

      • MNByChoice@midwest.social
        link
        fedilink
        arrow-up
        16
        arrow-down
        11
        ·
        1 year ago

        That also means they are saving that information. I doubt a single character can be usefully hashed. Seems like a security nightmare.

    • ipkpjersi@lemmy.ml
      link
      fedilink
      arrow-up
      18
      ·
      1 year ago

      Pretty much everyone, which is why NIST no longer recommends automatic password expiry anymore.

    • Nelots@lemm.ee
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      This is what password managers are nice for. I only know like two of my passwords all across the internet.

        • lugal@sopuli.xyz
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Lunar calendars also have 12 months but each is shorter and so the year is shorter. Some have a leap month but that doesn’t help either. Sure, you can iterate thru these names but that doesn’t help you to remember to current one. The idea of using months is that you know in which month you are right now.

  • andyburke@kbin.social
    link
    fedilink
    arrow-up
    68
    ·
    1 year ago

    FWIW: these types of password rules are discouraged by NIST -

    1. Eliminate Periodic Resets

    Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user’s password will soon be locked out. However, frequent password changes can actually make security worse.

    It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).

    So if an attacker already knows a user’s previous password, it won’t be difficult to crack the new one. The NIST guidelines state that periodic password-change requirements should be removed for this reason.

    • CluelessLemmyng@lemmy.sdf.org
      link
      fedilink
      arrow-up
      18
      ·
      1 year ago

      They also recommend implementing 2FA, but not OTP or TOTP as they are now considered not secure enough. Use 2FA that is FIDO2 compliant such as biometrics or fobs like Yubikey.

        • dustyData@lemmy.world
          link
          fedilink
          arrow-up
          19
          ·
          edit-2
          1 year ago

          2FA - Two factor authentication, you get asked a second secret besides your password. Banks used to give users a card with codes that you had to find and input when authenticating with them.

          OTP - one time password, you receive a code over SMS or mail.

          TOTP - Time based one time password, you have to have an authentication app that creates a clock based cryptographic code.

          FIDO2 - fast identity online standard version 2, is a set of ID verification technologies. Usually you’re asked to confirm access on another certified device. Like google asking you to check your phone for a notification when logging into a new browser.

        • BorgDrone@lemmy.one
          link
          fedilink
          arrow-up
          7
          arrow-down
          1
          ·
          edit-2
          1 year ago

          2FA: two factor authentication. So using a password (something you know) in combination with something else, like something you are (biometrics) or something you have (security token, phone with authenticator app)

          OTP: One-time password. A password you can only use once. Can be a list of passwords where you have to use the next one on the list with each login or any other mechanism that provides a unique password for each login.

          TOTP: Time-based one time password. An OTP scheme where the password is derived from a shared secret and the current time. Like Google Authenticator.

          FIDO2: Fast IDentity Online version 2. A standard that lets you use an authentication device to log into online services. This can be in the form of a USB key or something built into your computer (e.g. on a Mac you can use the built-in fingerprint scanner).

      • Polar@lemmy.ca
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        How is a TOTP not secure? It’s a random string that changes every 30 seconds. I mean shit, I am LOOKING at it, and sometimes fail a login because I run out of time.

  • arefx@lemmy.ml
    link
    fedilink
    arrow-up
    16
    ·
    edit-2
    1 year ago

    Spotify won’t let you use a password you’ve used in the past at all so now I don’t even know what my password for it has evolved into and I just reset my password and type something random in every time I need to log in lmao

  • FARTYSHARTBLAST@kbin.social
    link
    fedilink
    arrow-up
    13
    ·
    1 year ago

    Might be you got your password scrambled after a compromised account: It denies attackers the opportunity to use your compromised password.

  • Mothra@mander.xyz
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    Why does this happen though? I always wondered why is it that a platform recognises your old password only when you are trying to change it

    • tillary@sh.itjust.works
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      1 year ago

      If there were a data breach where a hacker could figure out the encryption algorithm, you don’t want users to reuse an older password because those older passwords could’ve already been cracked.

      By the way, this is why you should also never use the same password for every site. If one of your passwords is leaked and linked to a similar username or email, everything is vulnerable. I’ve had this happen before (the Target breach). After that I started using SSO exclusively, with a random 16 char password manager if SSO isn’t an option (crossing my fingers that bitwarden doesn’t get hacked like LastPass)

      • Mothra@mander.xyz
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        I understand when you are prompted to change, but not when you aren’t. As I mentioned in another comment I remember Epic basically trolling me into resetting my password almost daily at some point

        • tillary@sh.itjust.works
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          1 year ago

          There could be many reasons they don’t prompt you to change: they meant to send an email but your notification preferences disallowed it, they sent an email and you missed it, they wanted to keep it quiet, they forgot to add the message and ux flow to change password, or they’re incompetent and didn’t know they needed to do that.

          The Epic thing I’ve never seen before but that’s definitely incompetence and/or a very weird bug that just slipped past them.

    • BirdyBoogleBop@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Because it runs the hash again on the new password against the old one, if it matches the old one you are told to change it as you used the old password again.

      • Mothra@mander.xyz
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        Yes yes but I don’t mean when I’m told to change one. I mean when I’m trying to login as usual, password doesn’t work, so I change it. Just to test of the password I was using was wrong, that’s what I use first- and it’s rejected.

        I remember Epic would do this on a DAILY basis at some point last year. It was so irritating. “Ah yes the brand new password from yesterday that worked yesterday but that we didn’t recognise on the login page today? Well we do recognise here on the reset, jokes on you!”

  • majestictechie@lemmy.fosshost.com
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    4
    ·
    1 year ago

    I always find these types of posts frustrating. Apart from your desktop password, a password manager solves a lot of these issues. Just make the password manager super secure, use 2fa and then auto generate all other passwords.

    • BolexForSoup@kbin.social
      link
      fedilink
      arrow-up
      10
      arrow-down
      1
      ·
      1 year ago

      just make the password manager super secure

      Remember when everyone said LastPass was that manager?

    • Mbourgon everywhere@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Can’t use it when logging into the laptop. And parts of the network have to be typed in - it detects and rejects pasting (haven’t built out an autohotkey to see if that would work)

      • sloppy_diffuser@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I use a memorized passphrase with a random string stored on a mooltipass or onlykey. I use both interchangeably for vendor diversity.

        They are both pin protected and act as USB keyboards (how I use them). They have more features like FIDO2 (both), WebAuthN (moolti), Bluetooth (moolti), etc.

        I only store my computer decryption and account password plus my bitwarden password on them (random part for use with memorized passphrase). After that I just use bitwarden once I’m logged in.

        • Mbourgon everywhere@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          You have rocked my world. That’s freaking fantastic, both of them. I gotta get one of those. Thank you! Is there one that you prefer to the other?

          • sloppy_diffuser@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            I was a happy OnlyKey customer until I wanted some spares a couple months ago and they were out of stock. That’s when I got a Mooltipass. The OnlyKeys are back in stock this month so I did get some more as backups.

            OnlyKey is lower tech which I honestly think makes it more reliable. It also supports a longer pin.

            Mooltipass input is the scroll wheel which you push to click. Pin is only 4 digits but supports all hex characters where OnlyKey is only 1-6.

            Passwords are stored on device with the OnlyKey. With the Mooltipass its on a card you can swap out, clone, etc.

            OnlyKey is powered through USB. Mooltipass has a battery. Battery needs to be cycled often so I use it as my daily driver for that reason. I’d probably use the OnlyKey if it were not for that. I feel it is faster for my workflow since I can pick 1 of 12 passwords in one short or long press on the device. Mooltipass I have to go through a couple menus and confirmations.

            I can see the attraction to the additional features of the Mooltipass but I just don’t use them (at least yet).

            Either are great though. The extra input requirements of the Mooltipass are not that bothersome.

              • sloppy_diffuser@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Great to hear! They are awesome for system access before a password manager is available.

                Looking to play with the fido2 function soon to unlock luks encrypted partitions for my headless media server after a power outage.