Me /tries to do a quick something
site: enter your password
Me: fine
site: enter your one-time code
Me: already? but fine
site: your password will expire in 6 days. Change it now
Me: 🤬
Password policy: updating your approach

Advice for system owners responsible for determining password policies and identity management within their organisations.

@mfowler Thankfully not me, but I know someone who works at a company where the policy is to force employees to change work related passwords every three days.

Every three days.

It's not even a company working with sensitive information or handling secure documents. They work in the building trade 🤷‍♀️

@Jessica @mfowler Now I wonder. Is it: Monday and Thursday, or rotating based on every 3 >work< days? It feels excessive regardless, unless they work on some govt/military buildings. 

@hazardius @mfowler

I think it rotates every three working days, but I'll have to ask him.

And as far as I am aware, no government or military buildings. They focus on private businesses or homes.

I just wonder if there was a breach at some point and the security administrators are now hypervigilant 🤔 Because that's the only thing that remotely makes sense, though I still think it is overly excessive.

@Jessica @mfowler I work in tech and handle sensitive medical data. We change ours once every six months and are thinking about moving to annual. We still use the stupid symbol rule though. Longer human-memorable password phrases are far safer than short alphanumeric and symbolic trash that will inevitably be stuck into a browser's auto-remember pile, totally defeating the point.