My workplace has this common braindead policy where we have to change our passwords every 3 months. So every time I change it, Microsoft page asks me, “HOW WAS IT?”
Unless you are REAL stupid levels of lucky to have one of the mandatory password changes the day after a compromise that you werent aware of, all mandatory regular password changes do is make people use less secure passwords.
Technically it reduces the window for a successful brute force.
That said, it comes with serious drawbacks. Mainly making them impossible to memorize, so then users end up just writing them on post-its and putting them on their monitor. Or other equally dumb things.
Once upon a time it was a recommended best practice both by NIST and Microsoft if I recall. Both deprecated that practice years ago but most a lot of institutional inertia keeps it going, plus industry standards based on that time that don’t update as often perpetuate the problem.
My workplace has this common braindead policy where we have to change our passwords every 3 months. So every time I change it, Microsoft page asks me, “HOW WAS IT?”
Like it wasn’t annoying enough.
I never understood the purpose of this.
Unless you are REAL stupid levels of lucky to have one of the mandatory password changes the day after a compromise that you werent aware of, all mandatory regular password changes do is make people use less secure passwords.
There’s no purpose. It’s 100% security theatre.
Nothing like TSA level security.
Technically it reduces the window for a successful brute force.
That said, it comes with serious drawbacks. Mainly making them impossible to memorize, so then users end up just writing them on post-its and putting them on their monitor. Or other equally dumb things.
Once upon a time it was a recommended best practice both by NIST and Microsoft if I recall. Both deprecated that practice years ago but most a lot of institutional inertia keeps it going, plus industry standards based on that time that don’t update as often perpetuate the problem.
So does mine, and we just got hacked. Almost like users make stupid passwords when required to change frequently.