passwords when you don’t enforce changing them every 2 months: Viy$Ehi8sy3&2WQ
passwords when you enforce changing them regularly: password01!? password02!? password03!? password04!? password05!?
@starshine Shhhh nobody has to know. The hash completely reshuffles no matter what you change!
@halotroop2288 @starshine IF passwords are even changed and not using weak trash like #NTLM...
@kkarhan What's an IF password? What's NTLM?

@halotroop2288 "IF" meant as in if.

#NTLM is a weak hash function used by #Microsoft #Windows which is trivial to crack, as even almost two decades ago sites like #CloudCracker offered to brute-force it for USD 100...

#MandatoryPasswordChangePolicies are like #DaylightSavingsTime:
- Proven to be harmful
- Proven to be counterproductive
- Don't add any value
- Demand additional unpaid labour
- Are unpopular
- Don't do anything beneficial for anyone

@kkarhan Bro stop hashtagging everything. Seriously.

@halotroop2288 Will do so when full-text search actually works. ^^

No seriously, if #FullTextSearch were to actually work then no one would've needed to use hashtags anyway...

@kkarhan #Hashtagging random things doesn't help anyone. You only need to tag the actual topics of the post. And only once per conversation at that.
@starshine which one has more entropy
@starshine
the *shortest* time period for password expiry on a system I managed was 12 months.
@starshine I was once given a one time use password on a piece of paper that didn't pass safety suggestions of the system
@starshine Not expiring passwords was a hard-fought battle at my work, but absolutely worth it
@starshine yes. Even NIST changed their recommendations about this (or was it some other agency)
@wilmhit @starshine yeah latest NIST 800-63B section 5.1.1.2
@starshine I'm on a island trip with my monthly changing password.
@starshine I can see you are not a pro yet at rotating passwords. After a while you start to forget the running number, so you realize that it should be a naturally incrementing (date) factor. Like somebody else mentioned, Q1, Q2... better yet together with the year, to get around "do not use any of your last 10 used passwords".
@starshine well... does it mean passphrases are vulnerable?
@starshine my never expiring password
FootballTactfulPlaymateHatching
courtesy of https://diceware.dmuth.org/
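The entropy question raised earlier in the thread ("which one has more entropy") and the Diceware passphrase above can be put side by side with a few lines of arithmetic. The following is an added example, not code from the original posts or from diceware.dmuth.org: it rolls dice with a CSPRNG against a constructed 36-word list (a real Diceware list has 7776 words; only the list size matters for the math), and compares the 15-character random password, the four-word passphrase, and a rotated `password01!?` once its predecessor has leaked. The attacker guess rate is an assumed order of magnitude for an unsalted fast hash such as NTLM on GPU hardware, not a measured figure.

```python
import math
import secrets

# A real Diceware list has 6**5 = 7776 words, each addressed by five dice
# rolls; only the list size matters for the entropy arithmetic below.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed 36-word stand-in (6**2, so two dice per word) so the block runs
# offline. It is not the list diceware.dmuth.org or the EFF ship.
SAMPLE_WORDS = [
    "football", "tactful", "playmate", "hatching", "anchor", "basil",
    "copper", "dusk", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar",
    "oyster", "pebble", "quartz", "ripple", "saddle", "timber",
    "umber", "velvet", "willow", "xenon", "yarrow", "zephyr",
    "acorn", "bramble", "cinder", "dapple", "elder", "fennel",
]


def roll_dice(n):
    """n fair dice drawn from the OS CSPRNG (secrets), never random.random()."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def dice_to_index(rolls):
    """Map dice faces (1..6) to a base-6 index into a word list."""
    index = 0
    for face in rolls:
        index = index * 6 + (face - 1)
    return index


def diceware_passphrase(word_list, n_words, sep="-"):
    """Pick n_words by dice rolls; the list length must be a power of six."""
    dice_per_word = round(math.log(len(word_list), 6))
    if 6 ** dice_per_word != len(word_list):
        raise ValueError("word list length must be a power of six")
    return sep.join(
        word_list[dice_to_index(roll_dice(dice_per_word))] for _ in range(n_words)
    )


def entropy_bits(choices, length):
    """Entropy of `length` independent picks from `choices` equiprobable symbols."""
    return length * math.log2(choices)


def words_for_target(bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count whose passphrase entropy reaches `bits`."""
    return math.ceil(bits / math.log2(list_size))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to guess: half the keyspace on average."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    # Assumed attacker rate for an unsalted fast hash such as NTLM on a GPU
    # rig; order of magnitude only, the exact figure is an assumption.
    RATE = 1e11
    cases = {
        "Viy$Ehi8sy3&2WQ (15 random printable ASCII)": entropy_bits(95, 15),
        "FootballTactfulPlaymateHatching (4 Diceware words)": entropy_bits(DICEWARE_LIST_SIZE, 4),
        # Once password01!? has leaked, the rotated successor is one of about
        # 100 candidates: the rotation policy bought roughly 6.6 bits.
        "password02!? given password01!? leaked": entropy_bits(100, 1),
    }
    for label, bits in cases.items():
        years = expected_crack_seconds(bits, RATE) / (365 * 24 * 3600)
        print(f"{label}: {bits:5.1f} bits, ~{years:.3g} years at {RATE:g} guesses/s")
    print("words needed for 80 bits:", words_for_target(80))
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS, 4))
```

The point the arithmetic makes: the random 15-character string sits near 99 bits, the four-word passphrase near 52 bits, and a rotated successor of a leaked password at single-digit bits, which is why expiry without a compromise indicator adds almost nothing. Seven words from a full-size list reach 80 bits.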

@starshine Upper + lower + number + punctuation + length 12? Hmm, "Fri-03-Nov-2023" fits that and now I don't need a password manager, just a calendar...

..is a thought I've had.

@starshine

No, no, no.

It is of course:
password!&01
password!&02
password!&03
password!&04

Only ever change the last letters, never letters where you have to navigate to.

@starshine I’ve tried to get the IT department at my university understand this. They even enforce a maximum length of 8 characters. #stupidrules
@starshine shit, shit, shit - now I gotta change my password to Password06!?
@starshine no lie detected here. My passwords reset every 3 months. They're all the same and I just change the number at the end, then the number in the middle.
@starshine well, you could use something like
1-Si++in1nth3
2-D*ck0fth3
3-B4yW4t(h1n
4-Th3T1d3r0l!
...
Until you waste a song, then start with another...
@[email protected] Can confirm; validating that a password is secure and hasn't been compromised on a regular basis is more secure than constantly changing it
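What "validating that a password hasn't been compromised on a regular basis" looks like in practice is the screening NIST SP 800-63B section 5.1.1.2 calls for: check the candidate against a corpus of breached passwords, reject repetitive or sequential strings and context-specific words, and enforce a minimum length instead of an expiry clock. The block below is an added example, not code from the thread or from NIST. The breach corpus and its counts are constructed, and the lookup imitates the k-anonymity shape of the Pwned Passwords range API (the client sends only the first five hex characters of the SHA-1, the server answers with matching suffixes and counts) so the server never sees the full hash; the function and variable names are this example's own.

```python
import hashlib

# Constructed breach corpus with made-up counts; stands in for a
# Pwned-Passwords-style dataset of SHA-1 hashes.
BREACHED = {
    "password": 3,
    "password01!?": 12,
    "123456": 40,
}


def sha1_hex(password):
    """Uppercase hex SHA-1, the format breach-corpus range lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus by 5-hex-char prefix -> [(35-char suffix, count)]."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


def make_range_lookup(index):
    """Simulated server side: given a prefix, return 'SUFFIX:COUNT' lines only."""
    def lookup(prefix):
        return [f"{suffix}:{count}" for suffix, count in index.get(prefix, [])]
    return lookup


def breach_count(password, range_lookup):
    """Client side: send the prefix, match the suffix locally, return the count."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        s, count = line.split(":")
        if s == suffix:
            return int(count)
    return 0


def has_run(password, run_len=4):
    """True if run_len identical (aaaa) or consecutive (abcd, 4321) characters appear in a row."""
    codes = [ord(c) for c in password]
    for i in range(len(codes) - run_len + 1):
        window = codes[i:i + run_len]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs <= {0} or diffs <= {1} or diffs <= {-1}:
            return True
    return False


def screen_password(password, range_lookup, context_words=(), min_len=8):
    """Return the list of reasons to reject; an empty list means accept."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    n = breach_count(password, range_lookup)
    if n:
        problems.append(f"found in breach corpus ({n} times)")
    if has_run(password):
        problems.append("repetitive or sequential characters")
    lowered = password.lower()
    for word in context_words:
        if word.lower() in lowered:
            problems.append(f"contains context word '{word}'")
    return problems


if __name__ == "__main__":
    lookup = make_range_lookup(build_range_index(BREACHED))
    # Context words would normally be the service name and the user's own name.
    for candidate in ["password", "password02!?", "abcd1234", "Acme2023!!", "Viy$Ehi8sy3&2WQ"]:
        verdict = screen_password(candidate, lookup, context_words=("Acme", "starshine"))
        print(f"{candidate!r}: {'accept' if not verdict else ', '.join(verdict)}")
```

Run on a schedule against the live corpus, this replaces the expiry timer with a compromise signal: a password that has never appeared in a breach keeps its entropy, while `password01!?` is rejected the moment it shows up, and its rotated sibling is not protected by the policy at all.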
@starshine This is exactly how it works! Thank you.
@starshine password at any frequency pwgen -y 12 1

@starshine There's a reason NIST says that regular password changes should be avoided.

But what does NIST know... 😂🙈

@starshine Reply guys going out of their way to discuss how your observation (which is true) is not a problem with their choice of Zod's own password manager.

I wonder how they use their god given tools on the login screen of their operating system 🤭

No, wait! I don't want to provoke more replyguyism 😬

@[email protected] passwords in a workspace where “what is your preferred password manager and is it self hosted” is a pivotal interview question: #65*B9dXdSay5$zn #6i34SzLoZJdT&Fz Flavorful-Capillary-County-Squint-Translate-Resubmit-Underpass-Apache-Smartly8-Kinfolk-Crunching-Lifting
@starshine @h_thoreson oooh yes. Password that does not need to change and can be anything will be a random long string in a password manager. Password for my bank that insists on using a numeric keypad but does not require frequent updates is 671965. For my other bank that wants me to change… 123123 then 765765 then 345345…

@starshine we have "cyber insurance" that makes us make our users change their passwords every 45 days.

We've told them that we don't want to do that, for this very reason, and they told the business manager it would affect the premium.

@starshine just use a hardware passkey!
@starshine With password manager I'm using the first type on systems with regular password change requests as well.

@starshine

So true!
And frequency of change doesn't really matter...

@starshine my first ever malicious compliance at work was at a company that had the following password policy codified in its official procedures:

Your password must meet complexity and length requirements X, Y, and Z.
You must change your password each month.
You must not use a form of incremental passwords.
You must not write your password down or in any way store it.

@starshine We were a small company so the person responsible for the policy was the sole IT employee and he was adamant that it was a good policy.

Each morning, without fail, I would call him up and have him reset my password because I'd forgotten it.

It became quite a battle of stubbornness.

@starshine

I saw that so many times when I was working. Colleagues would use a single word then add two digits for the current month of usage. And even then, there'd be a post-it note somewhere close by. Or the last page of the work diary was another favourite place.

@starshine I'm literally using the same words with a different letter capitalized every time work makes me change my password 😆
@starshine my work wants my password changed every 3 months and no repeats, I've worked there 4 years, I've resorted to this strategy now =w= I really gotta get a reliable password manager

@starshine based password behaviour is rotating through a different anime every time you have to change

...That was at my old work, though; at my current one I just change one number at the end

@starshine @cstross I HATE with passion this “you must change your password every month” bullshit. 2FA is on, stop with this nonsense!

@starshine @somcak this is so real, NIST even recommends against it

https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

@[email protected] what they need is to provide yubikeys or some other 2fa. my work does this same thing and it's not very good at the 2fa part

@starshine I'm not sure how many people choose to use the first kind of password. That's why encouraging passwords like "Horse+Battery+Staple" is a good idea.

Enforcing frequent password changes is widely regarded as a dumb idea. Except for dumb auditors.

@starshine and then you have banks who do that but with numbers only
Le gilet de sauvetage et le TGV (The life jacket and the TGV) by Ploum - Lionel Dricot.

@starshine Usually I end up appending exclamation marks to the password.
password123!
password123!!
password123!!!
password123!!!! etc.