Post AKImvJD9m3ZyIX7KAi by CodingOtaku@fosstodon.org
 Post #AKI41AjfheaToNkP6e by kev@fosstodon.org
       2022-06-08T20:54:33Z
       
       0 likes, 0 repeats
       
       Some thoughts on forced #password changes. https://kevq.uk/why-forced-password-changes-reduce-security/
       
 Post #AKI541QYrpVblWjQ4e by Wivik@fosstodon.org
       2022-06-08T21:06:18Z
       
       0 likes, 0 repeats
       
       @kev You forgot something in your demonstration regarding the security-reducing problem: forcing users to change a password too often and having too complex a policy increases the risk of having it ... written on a post-it attached to the screen, on a piece of paper, in a txt file on the desktop, mailed to a colleague "just in case..", and so on... Fun fact: I like to take a look at the post-it stuck to a screen in a shop or an office and check if it's a password. Half the time, it is. 🤦‍♂️
       
 Post #AKI5YPsMX7BeHKEDyK by Wivik@fosstodon.org
       2022-06-08T21:11:23Z
       
       0 likes, 0 repeats
       
       @kev Second fun fact from experience: the basic password construction is Nameofthecompany{MonthOrYear}! (e.g. Somecompany04!)
       
 Post #AKI5YQRSQdGA2AeFfs by joel@benign.town
       2022-06-08T21:11:48Z
       
       0 likes, 0 repeats
       
       @Wivik *gets hacked*
       
 Post #AKI6QymexhkEBIZwGG by Wivik@fosstodon.org
       2022-06-08T21:21:39Z
       
       0 likes, 0 repeats
       
       @joel You see, starting your career in the IT helpdesk is a good way to discover the worst practices in one week 🤣 On my side, I like to test the limits of password fields with the KeePassXC generator, and say "oh sorry, I thought it was 2022" when I get "password cannot be more than 10 chars" in return.
       
 Post #AKI7dMqhPjLUFNwHrc by joel@benign.town
       2022-06-08T21:35:07Z
       
       0 likes, 0 repeats
       
       @Wivik my university's student access platform has a 10-character limit and only runs on HTTP. I kinda want someone to hack it, set everyone's scores to 10 and then set up HTTPS for free since they just refuse to do it themselves.
       
 Post #AKI80axZ7IScfgE6UK by Wivik@fosstodon.org
       2022-06-08T21:39:18Z
       
       0 likes, 0 repeats
       
       @joel 😱 And I thought the identity manager with an old expired self-signed certificate at a former client was the worst thing I've seen.
       
 Post #AKI9rOreuv7wScCtVY by TomLarrow@mastodon.social
       2022-06-08T22:00:01Z
       
       0 likes, 0 repeats
       
       @kev I once stayed at a company exactly long enough to go from password "$ometh1ng1" through "$ometh1ng9" and then "$ometh1ng0". I liked to joke that the reason I was leaving was because I was out of possible password combinations.
       
 Post #AKICgMULi6AnlijSFs by renatoram@fosstodon.org
       2022-06-08T22:31:40Z
       
       0 likes, 0 repeats
       
       @kev there are several published studies at this point (including one from the US Navy's infosec, IIRC) proving scientifically that regular forced password changes lead exactly to the behavior you describe (decent password with a numeric part increasing each iteration, thus completely defeating the only value of forced change). But corporate IT doesn't care.
       
 Post #AKIY3crj5KTKG7bKC0 by huy_ngo@fosstodon.org
       2022-06-09T02:31:10Z
       
       0 likes, 0 repeats
       
       @kev fwiw you can also use a passphrase by pre-/appending numbers and symbols
       
 Post #AKIYsNlqxyfODE3ZS4 by gnuplusmatt@fosstodon.org
       2022-06-09T02:40:20Z
       
       0 likes, 1 repeats
       
       @kev our insurance company makes us force our staff to change passwords every 45 days. We're an educational institution. It just makes staff increment the number on the end of their dog's name. So secure :blobcataww:
       
 Post #AKIiJfZTnASmpFM5Ca by adamsdesk@mastodon.technology
       2022-06-09T04:26:07Z
       
       0 likes, 0 repeats
       
       @kev I entirely agree and there is research to prove it. I find it sad that this practice of changing passwords on a set interval still exists today.
       
 Post #AKImOJl6iX2URLGY2C by xarvos@nixnet.social
       2022-06-09T05:11:48.775286Z
       
       0 likes, 0 repeats
       
       @gnuplusmatt @kev wow that must be super secure. the security breaker would never guess which iteration it is :blobcatwink:
       
 Post #AKImvJD9m3ZyIX7KAi by CodingOtaku@fosstodon.org
       2022-06-09T05:17:44Z
       
       0 likes, 0 repeats
       
       @kev even Microsoft agrees: https://docs.microsoft.com/en-gb/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903 Scroll down to "Dropping the password expiration policies".
       
 Post #AKIyiMJ09oZna1RUTA by raretrack@fosstodon.org
       2022-06-09T07:29:51Z
       
       0 likes, 0 repeats
       
       @kev Haha, this is exactly the policy of the company I left recently. 40,000 employees and all of us forced regularly to do this for no good reason! And yes, I did iterate, like almost everybody else 😀
       
 Post #AKJTaJPi7dbqsEDvG4 by pyre35@fosstodon.org
       2022-06-09T13:15:46Z
       
       0 likes, 0 repeats
       
       @kev What about longer requirements, like once a year? And can someone answer this: I was under the impression that if you use something like diceware, it really doesn't matter if a dictionary attack is deployed, as it would still *currently* take way too long for a computer to guess.
       
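       Several replies above describe what a forced change actually produces ("$ometh1ng1" through "$ometh1ng9", the dog's name plus a number, Somecompany04!), and the last question asks how diceware compares. As an added example that is not part of this thread or of kev's article, here is a Python password-change check a defender can run when rotation is imposed anyway (by an insurer, say): it refuses a new password that only bumps a trailing counter, sits within a couple of edits of the old one, or embeds the organisation name, and it works out the search-space bits of a diceware passphrase for contrast. The function names, the "Somecompany" value and the thresholds are assumptions chosen for illustration.

```python
import math

# Added example (not from the thread or from kev's article): a password-change
# check that refuses the rotation habits described above. Function names,
# thresholds and sample values are assumptions chosen for illustration.

def strip_trailing_counter(pw: str) -> str:
    """Drop a trailing digit run: '$ometh1ng1' and '$ometh1ng9' -> '$ometh1ng'."""
    return pw.rstrip("0123456789")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character tweaks ('!' -> '?')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def rejection_reason(old: str, new: str, org_name: str = "", max_distance: int = 2):
    """Return why a change should be refused, or None if it is acceptable.
    Meant to run at change time, when the user has just proven the old
    password, so nothing reversible has to be stored to compare the two.
    """
    o, n = old.casefold(), new.casefold()
    if o == n:
        return "unchanged"
    if strip_trailing_counter(o) == strip_trailing_counter(n):
        return "only the trailing counter changed"
    if edit_distance(o, n) <= max_distance:
        return "too similar to the previous password"
    if org_name and org_name.casefold().replace(" ", "") in n.replace(" ", ""):
        return "contains the organisation name"
    return None

def diceware_bits(words: int, wordlist_size: int = 7776) -> float:
    """Search-space bits of a diceware passphrase (standard list: 6**5 = 7776 words).
    A bumped trailing digit adds only log2(10) ~ 3.3 bits once the previous
    password is known; six random words give about 77.5 bits.
    """
    return words * math.log2(wordlist_size)

if __name__ == "__main__":
    for old, new in [("$ometh1ng1", "$ometh1ng2"), ("Rover3", "Somecompany04!"),
                     ("Password!", "Password?"), ("$ometh1ng9", "brisk mango violin ladder")]:
        print(f"{old!r} -> {new!r}: {rejection_reason(old, new, 'Somecompany')}")
    print(f"6-word diceware: {diceware_bits(6):.1f} bits")
```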
 Post #AKnUHMdwXDxcd7tZZY by fury@indieweb.social
       2022-06-24T00:44:52Z
       
       0 likes, 0 repeats
       
       @kev I wish I could have read this article 10 years earlier... I do this the old-school way, writing it down on paper. The most secure way I can think of. You might not need a PW manager...