@megmac

90 days later: password6

@megmac Thanks to reverse-chronological scroll, I saw these posts before I saw the first one, and my immediate thought was: someone had to top up their arc card.

It's just so beyond absurd to use 3-month password expiry on a site people are only going to use a few times a year.

@megmac There are some systems where I have passswords like that, and password6, password7, etc.

Systems I can consistently use my own computers/phone to access and have the password saved, I don't, but there are systems I do that with. Only so many silly phrases I can keep in mind at any given time.

@megmac
Correction; password$6

Need a non-alpha-numeric character.🙂

@megmac I once (2010-2016) worked at a BigCorp that had the 90 days rule, so when I left I had the equivalent of password%25, and yet after each vacation I needed to request a password reset from Admin, since I couldn't recall if it was 12, 13, 14 or around there (only got 3 tries).

I am surprised that IETF hasn't worked out a personal web way of having SSH keys instead, could be fairly hidden to average users. Sounds like a no-brainer to me.

@megmac I work for a large corporation and we have 90 day forced rotation, however we don't get to choose our passwords. We have to pick from a generated list so there is no password reuse and no simple passwords.

I'm convinced we do this because we have very old systems that have length limitations so even the generated passwords don't have much entropy.

@pfriedma @megmac All it does is encourage password incrementing.

If you were going to try to hack someone't employee password anywhere, a good piece of information would be how long they have been there, because you can probably multiply the number of years by 4 and get close to whatever number they have in their password.