Does anyone else despise mandatory password expirations as an #infosec security practice? Key rotations are good. Password expirations are terrible and encourage users to make and reuse terrible passwords, making small modifications to them to cheat the system. How is this so commonplace?
@sidd thanks for an idea about a blog post. In general, I agree, but as someone responsible for defending a large organization, there is a practical benefit to even people incrementing a number at the end of their password every 90 days.

@jerry

The policy makes sense only because people are setting simple passwords. However, the systems I've seen also limit password length, which effectively encourages people to pick simple passwords suffixed by 1 or 2 digits.

Making people change their password is a bad practice from a different age, IMO. Such orgs these days are only safe due to proliferation of 2FA, IMO.

@sidd

@alexandru @jerry YESSSS I HAVE NEVER UNDERSTOOD THIS. I get minimum lengths, why on god's green earth would you ever add a MAXIMUM length limit?? 💢
@sidd @alexandru @jerry It makes sense when passwords are stored in plaintext 🙃🙈
@Skyper Why did you have to make me think about that?