This is your #infosec Public Service Announcement: Today is the first day of Fall (in the upper hemisphere).

All users should now rotate their passwords to:

  • Fall2023
  • Fall2023! (If they're secure.)

If they are fancy, they can rotate their passwords to:

  • Autumn2023
  • Autumn2023! (If they're secure.)

Note: users should change their passwords to their local language, e.g.:

  • Autunno2023
  • Autunno2023! (If they're secure.)
  • Осень2023
  • Осень2023! (If they're secure.)

Further note: if users are in the southern hemisphere, please use the corresponding terms for Spring.

#CyberSecurityAwarenessMonth #CyberSecurityAwareness

@tinker One of the last major incidents that I worked on happened because, when a user in the org called helpdesk for a password reset, the helpdesk set the password to season+year (Spring2023, Summer2023, etc.) and did not tick "User must change password on next logon". The attackers (we attributed it to an Iranian group) were able to get to >100 users who had never changed their password after a reset.

#PasswordFail #IncidentResponse #NationalCyberSecurityAwarenessMonth

@neilcar @tinker 😳🤦‍♂️
Reminds me of the time I learned that most people in the finance dept I supported had passwords in the form qNofYYYY, which they dutifully rotated every 90 days.
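Two defensive checks that follow from the thread, written as an added example rather than code from any of the posters: a banned-pattern filter for the season+year (in the English, Italian and Russian forms listed above) and qNofYYYY schemes, and a report of accounts still running on a helpdesk-chosen password that was never flagged "must change at next logon". The `Account` record and its field names are a constructed stand-in, not a directory schema.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta

# Season words from the thread (English, Italian, Russian); extend per locale.
SEASON_WORDS = ["fall", "autumn", "winter", "spring", "summer",
                "autunno", "primavera", "estate", "inverno",
                "осень", "весна", "лето", "зима"]
# Season+YYYY with optional separator and trailing punctuation, e.g. "Fall2023!".
SEASON_RE = re.compile(r"^(" + "|".join(SEASON_WORDS) + r")[-_ ]?(19|20)\d{2}[!@#$%^&*.?]*$",
                       re.IGNORECASE)
# The finance-department scheme qNofYYYY, e.g. "q3of2023".
QUARTER_RE = re.compile(r"^q[1-4]of(19|20)\d{2}[!@#$%^&*.?]*$", re.IGNORECASE)

def is_predictable(password: str) -> bool:
    """True if the password follows a season+year or quarter-of-year pattern."""
    candidate = unicodedata.normalize("NFKC", password).strip()
    return bool(SEASON_RE.match(candidate) or QUARTER_RE.match(candidate))

@dataclass
class Account:
    """Constructed record; field names are illustrative, not a directory schema."""
    user: str
    pwd_last_set: datetime      # when the current password was set
    set_by_helpdesk: bool       # the current password came from a helpdesk reset
    must_change_at_logon: bool  # the "User must change password on next logon" flag

def stale_helpdesk_resets(accounts, now, max_age_days=1):
    """Users still on a helpdesk-chosen password that was never forced to change."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(a.user for a in accounts
                  if a.set_by_helpdesk and not a.must_change_at_logon and a.pwd_last_set < cutoff)

# Constructed sample data.
NOW = datetime(2023, 9, 23)
ACCOUNTS = [
    Account("alice", datetime(2023, 6, 1), True, False),      # reset months ago, never changed
    Account("bob", datetime(2023, 9, 22, 9), True, True),     # reset, but forced to change
    Account("carol", datetime(2023, 9, 1), False, False),     # user chose her own password
    Account("dave", datetime(2023, 9, 22, 20), True, False),  # reset today; still within grace
]

if __name__ == "__main__":
    for pw in ["Fall2023", "Autunno2023!", "Осень2023", "q3of2023", "correct horse battery"]:
        print(f"{pw!r}: {'predictable' if is_predictable(pw) else 'ok'}")
    print("stale helpdesk resets:", stale_helpdesk_resets(ACCOUNTS, NOW))
```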