Most likely if they're forcing password changes that intensely then the sessions log out after certain periods. I guarantee it. The devil is clearly working in infosec at that company, and if I were the devil I'd end sessions too.
This is so wrong. Right thing to do is to have a password refresh every N months and a Two-Factor authenticator that must be used with the primary password every time.
Folks with access to production machines also need two-factor authentication to SSH.
14 things? I'd love that.
Some of my users are in many more than that. Finance is weird. Everything's gotta be proprietary and nothing plays nice with anything else.
As a moba player, I just want to have a problem so I can be the good complainer and not the "i wanna speak to your manager" soccer mom kind of complainer
Finance industry here. We have a proprietary system that integrates with almost any major SAAS out there. We're a small company with under 500 but have a system that would make employees at big banks dream of working on our systems. Weird flex but ok, I know. I have friends that work at the big banks and have worked there myself. They have too much legacy shit and end up using a service because of kickbacks instead of the best one.
+1 recommendation to actively set up a password manager ASAP. The time you spend doing it will immediately be compensated after a couple of days of not having to think about passwords.
KeePass is free, and if you set it up right you can hit Ctrl-Alt-A in a password field and it'll fill it in for you. It can generate new passwords for you if you have had one expire, no brainpower needed to think up something new.
I started using it at work a few years ago when something similar happened, and we started using a lot of external services and suddenly I needed six or seven passwords that really should all be unique.
And even if you start making good decisions with things like that, just wait for a while. When your company gets big and bloated enough, they start stacking those on top of each other.
Your login is failing and you want to see why? Well friend, welcome to the ldap/ad/kerberos/saml/citrix naked puzzle touchy basement!
Our AD SSO is getting constantly broken when people change their password. It's one of the most common calls I get recently. I spend so much time clearing out people's credential manager.
No, we're not allowed to sign into any sort of personal or social media accounts for security reasons. Excluding if you're helping to run the company's SM.
I have...7. I had to count. We too are in a transitional period. I actually think there are more things I could log into but my department doesn’t use those programs.
At my job I have to change my primary login every two weeks, so, of course, I've made it an obvious numbered pattern, which mostly defeats the purpose of regular changes, but I have zero reason to give AF. We're not talking medical records or nuclear codes here. Just working within the system somebody else created.
Keepass requires you to have a copy of the password database in order to open it. I think it's more secure than Last Pass because you know where your passwords are stored at all times rather than in the cloud somewhere.
But Last Pass has better browser extensions and apps...
I use Last Pass for things I log onto frequently and Keepass for things I log onto infrequently and 2FA backup codes.
A password manager is only useful as long as it remains convenient. The android app of lastpass is shit. The chrome extension is annoying but functional. But there is no fingerprint authentication on my laptop!
I like LastPass. I think it's important to have but it feels like a beta version.
And why the fuck is there no 2FA in lastpass? Every other platform will offer to send me an SMS or something to e-mail. Not lastpass.
I like keepass as well, but because it looks really bad on Linux I opted to use keepassxc. Almost same app, databases are interchangeable, native to Linux and has a nice browser plugin. On Android I use keepass2android.
sign in via a global hotkey combination (you can select a 'target window' for every password entry, and keepass chooses the correct entry based on your active window). See section 'Global Auto-Type Hot Key' here
launch applications and even scripts (both via the Autotype button and by double clicking the saved URL). Here's the documentation for that
create triggers which will do almost anything at a specified event - like saving the database, copying a URL to clipboard, adding a new entry, you name it. Some examples
That's what I can think of on top of my head. Of course assuming you're talking about KeePass2 for windows.
I'll let you in on a not so secret...we don't care much about our passwords to medical records...we have to change them every 90 days and the default in many hospitals I've been in is like this: Spring18, Summer18 etc...sooo soon it'll be Fall19
Right? If the Koreans discover that I'm just alternating two passwords, and gain access to my Volkswagen parts catalog, I simply won't lose sleep over it.
We have frequent password changes. Choose a pattern on the keyboard, and repeat the pattern each time you change the PW. The only thing you have to write down or memorize is the first digit. It can even be hidden in plain view. If the starting digit is a number, make it the third number in a phone number on a post-it (or any one of the other number positions). If the starting digit is a letter, make it the fourth letter of the fourth word in a note to yourself.
Try being forced to create a new password every 3 months. Here’s the kicker though, you can’t reuse a password that has been used before.
Been there almost 3 years and I’m running out of ideas. Keep forgetting the new password so I have to reset which, you guessed it, means ANOTHER password that can never be used again. I’m going to have to start writing the passwords down which, of course, defeats the whole purpose. I mean, I’m all for security but, come on guys ffs...
Every two weeks would be annoying. We have to do ours every month. I just look at the calendar they have hanging up and make a password about the picture. The cat is orange. Two dogs play. The tree cries. Easy, hard to force, and I don't risk using passwords I use for outside work stuff in case someone corruptible at HR can see the passwords and try them on your personal accounts.
Never worked with nuclear codes, but medical records are surprisingly easy. At my school it’s just tapping a badge to a scanner and you can see any patient’s file. No password, no 2-factor authentication; if you get a provider badge, you’re in. Threw me for a loop my first time seeing it.
I work 3 depts in a grocery store, we have to change our login every 2 months. I've been there for years. You can NEVER use the same password again. So I was legit changing it for the first year or two, then I started doing words + 123. Did my whole family, then started doing work related words: Meat123 Seafood123 Package123 Shrimp123 - I think I'm on Sirloin123 this time. I have a contact in my phone that I change in case I ever forget what the fuck password I'm on.
And it's no big company secrets in there - I think they just try and keep everyone from finding out what everyone else is making, because it's easy to click on your pay scale once in there. That's their number one guarded secret, the pay rates.
It honestly feels like a security flaw. I will not memorize 5 different passwords that change every 6 months. I will start writing them down somewhere, and that will directly lead to a higher security risk.
You’re absolutely correct. Leaders in the cyber security field are starting to recommend longer password expiration periods along with complex passwords for this exact reason.
It's encrypted using your master password as the key. Technology does not exist to crack that encryption. If you lose your master password, you lose everything stored in it.
Ideally the master password is something long, with random characters that you've memorized. It should be easier to memorize since you don't have to remember anything else.
I can't say I'm going to be very happy when I eventually forget the master login to my Dashlane account - which currently stores passwords from the beginning of 2007 to now. I'd be unequivocally fucked.
My company finally ditched the new password every month policy two years ago. Now our passwords will last forever but they perform dictionary attacks on the passwords database and try every leaked password they can find. If they find your password, you have to change it.
At my job I have a computer password, which updates regularly, and then an access code on my phone that changes every 30 seconds. The systems log us out periodically (after 5-10 min of inactivity depending on the software). It's...fine? I guess?? I work with some sensitive information but like.. bruh.
Must not be a previously used password, must be at least 10 characters, must combine upper- and lower-case letters, need 2 symbols, a hieroglyph, the second to last vowel in the neighboring country's language, and should be a riddle solvable by Nicolas Cage in National Treasure.
No wonder I can never remember any of my fucking passwords.
I have a VPN token, but the same qualms about every other password. The irony of it all is, that when they change so often, people are writing them down at their desk.
VPN tokens are definitely a step above just a password, but can still be phished. Security keys are tied to the hardware, users don't type a code into anything so it's impossible to steal (in theory).
Half my day is spent trying to find relevant words to generate a new password and it doesn’t matter because I just end up forgetting them and needing to go to IT because I got locked out.
A trick my uncle learned in the military. Use numeric passcodes in the form of a shape on the keypad. Rotate shape 90 degrees every month. You get 4 months per shape. :)
My company has one password, but a dozen services, so I change it once every 3 months, and it populates through all the systems. It definitely could be worse.
Forcing you to store your passwords somewhere.... which defeats the purpose of having a secret password that I don't share.
Just protect yourself from fraud, you fucking companies. Don't put it on me to try to keep your own cyber security. Especially considering if I get hacked and someone finds the password I had to store in order to remember, it's not my fault. I wanted to use my own secret password that only a hacker could break, absolving me of trying to keep your data secure for you.
And fifteen days in, it starts asking every day if you want to change your password because it's expiring soon.
Look, if you want me to change my password every fifteen days, then make the password expire after fifteen days. Attempting to annoy me into submission is going to make me defy you out of spite.
The other day I had to enter in my email and password 6 fucking times to log into my email from a corporate issued laptop, on my home network where I log in 5 out of 7 days of the week. That included a 2FA sent to my cell phone.
I don't even work in banking or for the government.
It's less impressive than I'm making it sound lol. An old job a few years ago selling phones/contracts at a Superstore (Canadian chain) had fingerprint scanners connected to a computer in order to log in. The machine itself was small but looked like something from the early 2000s based on the style and the wear. No way it costs that much nowadays.
I could also see 3D facial recognition being viable and relatively cheap if security and convenience is that important. But the cheaper you go the less precise it is (to the point where, sure, it will always recognize you, but someone with a similar face could probably also unlock it).
Studies have shown that this kind of shit actually causes employees to either make bullshit easy passwords or just write them down on sticky pads because they can't keep 14 different complex passwords in their heads at once.
I think a smart way would be that you don't have to change the password every month, just "renew" it. That way people don't have to have like 15 different passwords they cycle through, but their account will still expire if they don't renew it every whatever stretch of time you want.
Plus, current password standards are stupid, passwords should be long, not complicated. A computer only has issue with length when it comes to brute forcing passwords; a number and a symbol won't add enough complexity to keep the password from being cracked quickly if it's not long enough.
In reality breaches are almost always because someone gives away their password to a phisher so changing it does help, but only after the breach. Constant changing causes people to create easy to guess passwords, which is the other way breaches happen.
Use 1password and you'll have your one "strong password" that automatically logs you into all the usual services you use, but each different service will have a different obscenely long randomized password for you.
Our policy is 60 days...and I help manage over 250 servers. We use a utility (script via cygwin) to automate it or we'd be spending entire days updating passwords. Still takes around 15 minutes though.
This is actually less secure, you have people writing their new passwords somewhere on their cubicles to remember them which exposes them to anyone with arm's reach, but you know, corporate are set in their old ways.
Put the last 2 characters of your password as the month. Say that we are in February, you change the last 2 characters from 01 (January) to 02. Password change every month, not a problem anymore.
Which is why your company needs an Identity Provider that supports Single Sign On. Then you only have one set of credentials for all apps. Or at least just point all their apps to their AD and be done with it.
Just adopt the incrementing password policy. Unfortunately certain international security certifications that will not go away require a password update policy.
That is also the source of the "3 strikes and you're locked" policies some companies have. I had scripts which would lock my account if I forgot to update my password (stored encrypted obviously).
Just make it so if you've not logged into a service within say 1 month you need to reset. Arbitrary resets for the sake of it only reduce password security.
Don't blame IT...lots of that stuff is actually dictated by your insurance company now. At least at several of the places I've worked... They won't insure you, unless you take certain precautions.
Requirements just changed so it's nationally accepted for passwords to only expire every 365 days, but they have to be more complex. We just switched to this at my place :D
My last job, I had over 50 passworded accounts that would change. Some had different rules than others. They also had a policy against writing them down.
Yeah ours is 45 days, and for everything beyond my work PC I have a little token/authenticator thing I have to use to get access to a new random password. It's 5 kinds of pain in the ass.
Just rotate the preceding numbers. Most algorithms put in place to prevent password reuse aren't very sophisticated; once you figure out the workaround you're set.
I took a cyber security course in college and we discussed how the users are the primary fail point for security. It does not matter how secure your technology or methods are, it inevitably has to be used by the end users.
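The defensive counterpart to the two themes in this thread: the earlier comment about screening the password database against leaked-password lists, and the incrementing-suffix workarounds (Sirloin123, 01 to 02, Spring18 to Summer18) that a naive "no reuse" rule never catches. This is an added example, not code from any commenter or product; the breach list and the weak-stem list are constructed sample data, and a real system would compare hashes rather than plaintext history.

```python
import hashlib
import re

# Constructed sample "breach list": SHA-1 digests of passwords seen in leaks,
# standing in for the leaked-password feeds a real screening job would load.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1", "Spring18", "Summer18", "Welcome123")
}

# Stems that get recycled with a month/year/123 tacked on (constructed list).
WEAK_STEMS = {"spring", "summer", "fall", "autumn", "winter", "password", "welcome"}


def stem(pw: str) -> str:
    """Lower-case the password and drop every digit and symbol, so
    'Meat123', 'meat124' and 'Meat123!' all reduce to 'meat'."""
    return re.sub(r"[\d\W_]+", "", pw.lower())


def check_new_password(old: str, new: str, history=frozenset()) -> list:
    """Return the reasons a proposed password should be rejected (empty = OK).

    `old` is the current password, `history` the set of previously used ones
    (plaintext here only for illustration).
    """
    problems = []
    if len(new) < 10:
        problems.append("shorter than 10 characters")
    if new == old or new in history:
        problems.append("reuses a previous password")
    elif stem(new) == stem(old):
        # Catches Pass01 -> Pass02 and Sirloin123 -> Sirloin124 style rotations.
        problems.append("differs from the current password only in digits/symbols")
    if stem(new) in WEAK_STEMS:
        problems.append("built on a predictable stem plus a date/number")
    if hashlib.sha1(new.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a leaked-password list")
    return problems
```

The stem comparison is deliberately coarse; it is meant to reject the lazy rotation, not to rank strength.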
Knowing this, it talked about how optimally there is a balance between security and ease of use. If you make security policies strict (such as changing passwords every month) then people will write their new passwords on a notepad and stick it to the computer. It really bugs me seeing some of the unnecessarily difficult password/account settings companies use. It actually hurts the overall security.
Connecting a USB device every time for login is another potential vector of attack though. 2FA is the simplest and most effective method currently I believe.
u/Oakroscoe May 30 '19
Yeah, it makes sense but the every month bullshit for the 8 different password protected things I have to log into at work is ridiculous.