Your password must have at least ONE special character

>your password must have at least ONE special character

Why do they do this? Nobody is going to crack fucknigger129348349. I hate this shit. I'm going home.

IT Auditor here. If you are IT in a business, you should convince your senior leadership to turn complexity requirements off.

Here's how to make great password settings that will secure your shit:
• Minimum 12 characters
• Auto lock out after three attempts. Must call help-desk to reset.
• NO AUTOMATIC EXPIRATION
• NO COMPLEXITY
• Have regular education on what makes a password secure, along with the painfully obvious ''don't write your password down'' spoonfeeding

>1999+19
>not using a password manager

>Minimum 12 characters
no

>3 attempts: must call help-desk to reset
Fuck companies that do this

This, minimum should be 8. Maybe just block dumb shit like 12345678, qwertyui, asdfghjk, 00000000, etc.

>your password must have one special character
>and one number
>and one capital letter
>max length 8 characters

>NO AUTOMATIC EXPIRATION

How I would do it:

Employees can freely pick their password without limitations.
But if they pick one of the 1000 most commonly used passwords their accounts get deleted instantly and they get fired for being retarded and posing a security risk.

I work in IT for a company.

Once I met two workers who had passwords written on their monitors.

It was the brand names. Think Samsung or LG.

>how to fire your entire company including the people that run the company

my strongest password is something along the lines of "IusedtoliveinthestreetnamesuchandsuchforXyearsnumberY"

I do concede the most practical options I see in the field are:
8 character minimum
3 attempts soft lockout. One unlockout by security questions. Next 3 attempts full lockout.

I see many financial institutions moving to 12-15 character minimums and cutting out the fluff, however. The places making this decision usually have intelligent security professionals in senior leadership.

Also, the conversation depends on what we're talking about. Web applications for customers I agree should have more relaxed password minimum requirements due to the volume of people. I'm mainly referring to internal business applications/active directory authentication.

Users are more likely to create a password worth a damn if they don't have to keep changing it.

Smart organizations do monitor password strength. They don't fire people who use shit passwords though, they just have an educational discussion and a forced change.

>less than 15
>potentially using windows systems
No

kek I did that with my windows password when I was 10

It was Phillips

>One unlockout by security questions. Next 3 attempts full lockout.
Get rid of this security question nonsense. It's an annoyance to everyone and completely useless.

>Users are more likely to create a password worth a damn if they don't have to keep changing it.
sure, but an inherent weakness in passwords is that they have multiple points of failure:
- with you, if you accidentally your password or someone steals it from you (forces you to give it, keylogs you, etc)
- in transit (mitigated with TLS, but not everyone understands to only log in on secured sites)
- on the server (mitigated slightly with salted hashes)

password rotation is good hygiene, especially if you suspect your passwords may have been compromised. Requiring two-factor auth is a suitable alternative, but even then I would suggest being mindful of where your passwords are ending up.

the ultimate solution is PKI: pubkey on the server, encrypted private key on the client, still uses a password if you encrypt the key, but has fewer points of failure

>choose password
>ᚭᚽᚿᛆᛌᛐᛓᛙᛧ

>street shitter tries to get in my facebook account, and it requires me to change it with a prompt
>you used this password 1 year ago!
>you used this password 3 years ago!
>you used this password 5 months ago!
>you used this password 2 years ago!
>mfw

>reusing old passwords
dumb frogposter as always

>must call help-desk to reset

my fucking sides

>use unique passwords
>forgets password because there's too many

>what are password managers
>what is randomly generating passwords

>tfw password is just a bloodborne gem farming dungeon glyph

password manager

password managers are useful though friend

I am a password manager, memorising techniques.

good password managers make my peepee hard

>trusting an app not to phish your passwords

>not knowing

>he knows not

>you do not know

Then you would be harder than ever before since you met me.

how could you not know?

>your password must have at least one capital letter and needs to be alphanumeric

>your password must include the words "i am" and "gay"

>your password can not include certain characters

I've never fallen for a fake password manager if that's what you're asking

I simply don't trust having it written down anywhere

>• Auto lock out after three attempts. Must call help-desk to reset.
>Must call help-desk to reset.
>Must call
This kills the startup.

here is my password
𓂺𓂺𓂺𓂺𓂺

>pick a password that has a capital letter, greater than 12 letters, one symbol, numbers, etc.
>use same password on different website
>your password cannot contain that symbol
Mfw

>your company must hire at least ONE special employee

>your password SHOULD have at least one special character
>trying to set a password with - or + throws an unspecified error

Even NIST recommends no automatic expiration

so?

hey dude, hackers haven't been able to crack your password yet, so you had better get a new one!

Absolutely, and some other dickhead can easily lock you out if they have your username. Consider a minute lockout and/or recaptcha

>Auto lock out after three attempts. Must call help-desk to reset.

How many idle IT technicians do you suggest a company has on standby to reset passwords in a company of 1,000 people who are "not very good at computers"?

>not adding !@# to the end of every password

right

>des
>dualec prng
>p251
>caring about what NIST recommends
>2015
funny joke

>• Minimum 12 characters
>• Auto lock out after three attempts. Must call help-desk to reset.
eat shit

>be me at work
>min 9 char, complex required
>avoid l33t words because I know what a dictionary attack is
>decide to use a 10 character password, 8 char plus ja, fe, ma, ap
>change password yearly
>this month, 3 months into my cycle I get informed that password breaks password history requirements
>M@arch2018 here I come

I think that I am more pissed that they are storing my password unencrypted than the bullshit that is a unique password every month.

>Unable to use any of your previous Passwords
So there's a Database of everyone's old Passwords? How is that useful?

Password01, Password02, gee i wonder what his current password is...

won't they just know the password hash? That's how they'd compare whether they're the same or not.

>>M@arch2018 here I come
I've got it down to the seasons

if they are only hashing then 1 char diff will not trigger password history requirements.

pssstt..there is an unhashed copy

The lockout thing is good in theory, but becomes a headache if you have multiple things trying to use the same system for authentication. For example, say you did a password reset for someone, but their phone was using those credentials for wireless EAP authentication and it tries repeatedly to connect with the old password and relocks their account shortly after you unlock it.

it should be freedom over security. let me choose how long my password should be

This tbqh, I can't believe that there are still faggots struggling with 8 character passwords
I use a keepass db with a 28 character password that includes lowercase, uppercase, numbers and a few symbols. I've memorised it but also copied it on a couple of small pieces of paper and stashed them around my house if I ever forget it. Every password I use besides that is different and at least 20 characters, including alphanumericals and special characters.

>that password has already been taken

>use one capital letter, number and special character
>*password*A1!

Why even use a password if access to your email can send a recovery reset for everything?
Just set passwords to gibberish and get a recovery email for each login.

>your password is too long
>your password must contain ONLY numbers and letters

fpbp

How about these actually sane requirements:
- Minimum 7 characters.
- Entropy-based complexity requirements. Use zxcvbn to track entropy and require users to meet a minimum threshold when making passwords.
- Reject passwords on the 10,000 most common pw list.
- Test email-password combo against haveibeenpwned to see if user is trying to reuse a compromised password. This is obv a client-side js script and not server-side.
- If higher-ups insist on a lockout, make them soft IP-based lockout
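A server-side version of the checklist above, added here as an illustration and not code posted by anyone in the thread: minimum length, a small constructed blocklist standing in for the 10,000-most-common list, and the Have I Been Pwned k-anonymity range lookup (only the first five hex characters of the SHA-1 leave the client), with the range response constructed locally so it runs offline. The zxcvbn entropy score is left out because it needs a third-party library; the "at least 5 distinct characters" rule from a later post is folded in. Function names and the made-up breach counts are my own.

```python
import hashlib
from typing import Callable, Optional

# Constructed stand-in for the "10,000 most common passwords" list.
COMMON_PASSWORDS = {"12345678", "qwertyui", "asdfghjk", "00000000", "p@ssw0rd"}

# Constructed stand-in for a Have I Been Pwned range-API response for the
# SHA-1 prefix "5BAA6" (SHA-1 of "password" is 5BAA61E4...8FD8). Each line is
# "<35-hex-char suffix>:<count>"; the counts here are made up.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1D2B5C0FFEE0000000000000000000000000:2\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTPS range call; unknown prefix -> empty body."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """k-anonymity lookup: send the 5-char prefix, match the 35-char suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str, min_len: int = 7,
                   min_distinct: int = 5) -> Optional[str]:
    """Return None if the password is acceptable, else the reason it was rejected."""
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    if len(set(password)) < min_distinct:
        return f"fewer than {min_distinct} distinct characters"
    if password.lower() in COMMON_PASSWORDS:
        return "on the common-password blocklist"
    hits = pwned_count(password)
    if hits:
        return f"seen in {hits} known breaches"
    return None
```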

>Note: the password is not case-sensitive
lost

Passwords should never be case sensitive. You save boatloads of money on less tech support for normies that forgot they had capslock on or can't remember what letters were capitalized.

Some passwords are converted entirely to numbers so they can be typed on a phone. So ABC2, 2bac, and 2222 would all be considered equivalent.

then why bother even having chars? just call it what it is: a pin code. every office computer has a numpad anyway.

Fuck if I know, ask Fidelity and probably some other companies. To be honest, I still find it easier to remember a string that happens to convert to numbers than something entirely comprised of numbers.

> exactly 8 characters long

>pic related

Nice, now if you dislike another user you can keep locking them out by failing three attempts.

just put p@ssw0rd

that's what you get when password expiration is enabled

>Auto lock out after three attempts
This should be bumped to 10, but only apply it to the IP address and only for an hour.
>minimum 12 characters
Bump up to 14 but remove all restrictions other than "you must use at least 5 different characters" to prevent passwords like "aaaaaaaaaa" being used.
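The soft, IP-scoped, time-limited lockout suggested here (and the "minute lockout" reply earlier), as an added example rather than anyone's posted code: a sliding window of failures per source address, so a stranger who knows a username cannot lock the real user out, and a phone retrying a stale password only throttles its own address. The class name, the injectable clock and the sample addresses are my own.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class SoftLockout:
    """Throttle by source IP: after `max_failures` failed logins inside `window`
    seconds, that IP is refused until old failures age out. The account itself
    is never locked, so other addresses are unaffected."""

    def __init__(self, max_failures: int = 10, window: float = 3600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent(self, ip: str, now: float) -> Deque[float]:
        """Drop failures older than the window and return the remaining ones."""
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, ip: str) -> bool:
        return len(self._recent(ip, self.clock())) >= self.max_failures

    def record_failure(self, ip: str) -> None:
        now = self.clock()
        self._recent(ip, now).append(now)

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)


def attempt_login(limiter: SoftLockout, ip: str, username: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Returns 'throttled', 'ok' or 'bad credentials'; `verify` is the real check."""
    if limiter.is_blocked(ip):
        return "throttled"
    if verify(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "bad credentials"
```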

>your BANK password must exactly be 8 characters
>the first 4 have to be numbers, the last 4 letters
THANK YOU BANK SAMA, I FEEL SO SECURE

Would be interesting to just run a dictionary attack on all attempted passwords. If it cracks user is forced to change on next logon.

Who here writes down reminders for what passwords are for specific sites/applications?

I just write the letter, with or without capitalization and the symbols I use and that's enough for me to know what the password is without writing it down or having to memorize every single variant or different password

>Minimum 12 characters
>NO COMPLEXITY

Computer security consultant here. Do not do this.

~myfuckingpassword~

>Computer security consultant here. Do not do this.

fellow infosec too, my minimum password length is 12 characters. No complexity (just a bunch of words, no numbers or special characters)

I mean, you forget xkcd.com/936/

Should force users to input 4 words as their password instead of [myDogsName][numbers] as they usually do

Another sysmonkey here, we encourage passphrases, but the problem is once our staff get out into the real world they get hit with "password must be between 8 and 12 characters long" bullshit.

Setting a maximum permissible length is the true crime.