|
Every place I've seen this password policy in place I've also seen sticky notes with passwords written on them stuck to the monitors of the user's computers.
|
|
|
|
|
This means they are storing all your previous passwords.
Do they guarantee you that their password storage is never going to be compromised?
|
|
|
|
|
Exactly.
If they get compromised I think they should cover every other system of mine that gets compromised.
Slap a lawsuit on them for that, make them pay for damages, and maybe they'll get rational.
|
|
|
|
|
Hopefully a salted hash of your previous passwords.
But given some of the code that keeps cropping up in QA, I wouldn't guarantee it.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Thanks. New learning today.
|
|
|
|
|
You have no need to store the old passwords... a one-way hash will do...
But if you store a one-way hash, what are you afraid of?
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
|
|
|
|
|
Kornfeld Eliyahu Peter wrote: what are you afraid of?
As Richard says: Go to QA and see what some idiot developers are doing in the real world ...
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
But of course... only speaking in theory...
(that's the reason I try to avoid opening accounts on any site, and use Google's login if I can)
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
|
|
|
|
|
Quote: This means they are storing all your previous passwords.
No, it doesn't mean that. They could be storing the hash of the password and reusing the salt on the new password.
|
|
|
|
|
They likely are only storing hashes of previous passwords.
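A worked version of the "hash of the previous passwords" approach the last few posts describe, added here as an example and not code from any poster or any particular product. Each remembered credential keeps its own random salt and a PBKDF2-HMAC-SHA256 digest; a reuse check re-derives the candidate under each stored salt and compares in constant time, so the plaintext of old passwords is never stored. With a fresh salt per entry, two identical passwords never produce identical digests in the table, which is what a reused salt would give away without any cracking. The iteration count and history depth are illustrative choices; the KDF accepts input of any length, which is also why the later complaint in this thread about sites capping password length has no cryptographic justification.

```python
"""Password-history check that never stores plaintext passwords.

Added example (not from the thread or any product): each history entry keeps
its own random salt plus the PBKDF2-HMAC-SHA256 digest of the password under
that salt. A reuse check re-derives the candidate under every stored salt and
compares in constant time. ITERATIONS and HISTORY_DEPTH are illustrative
values, not a recommendation for any specific system.
"""
import hashlib
import hmac
import os
import uuid

ITERATIONS = 100_000   # PBKDF2 work factor; illustrative, tune upward for production
HISTORY_DEPTH = 5      # previous passwords remembered; assumed policy value


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the UTF-8 password. The KDF accepts input of
    any length without truncation, so a length cap buys nothing here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Per-account store: the current credential plus a bounded list of old ones."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.entries: list[tuple[bytes, bytes]] = []   # (salt, digest), newest last

    def _was_used(self, password: str) -> bool:
        # One KDF run per remembered entry, each under that entry's own salt.
        # This cost is the practical reason histories are kept short.
        return any(hmac.compare_digest(derive(password, salt), digest)
                   for salt, digest in self.entries)

    def set_password(self, password: str) -> bool:
        """Accept the new password unless it matches a remembered one.
        Returns True on success, False when the history policy rejects it."""
        if self._was_used(password):
            return False
        salt = os.urandom(16)                      # fresh salt for every entry
        self.entries.append((salt, derive(password, salt)))
        del self.entries[:-self.depth]             # forget anything beyond `depth`
        return True

    def verify(self, password: str) -> bool:
        """Login check against the current (newest) credential only."""
        if not self.entries:
            return False
        salt, digest = self.entries[-1]
        return hmac.compare_digest(derive(password, salt), digest)


def demo() -> dict:
    """Walk through a change-then-reuse attempt; returns the observations."""
    h = PasswordHistory(depth=3)
    first = "correct horse"
    long_pw = "left-" + str(uuid.uuid4()) + "-right"   # GUID-plus-words style, no length cap
    return {
        "set_first": h.set_password(first),
        "set_long": h.set_password(long_pw),
        "login_long": h.verify(long_pw),
        "login_first_after_change": h.verify(first),   # old password no longer logs in
        "reuse_first": h.set_password(first),          # but is still rejected as reused
        "stored_plaintext": any(first.encode() in salt + digest for salt, digest in h.entries),
    }
```

The check only answers "was this exact password used before"; a policy that also wants to reject near-duplicates (old password plus an incremented digit) cannot get that from digests and would need the plaintext at change time, which is precisely the trade-off the posts above are arguing about.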
|
|
|
|
|
|
I may climb a tower over multiple systems, the VPN, Active Directory, Global network, etc. All of them have different expiration policies so syncing up passwords is a real PITA. Don't give me the crap about how they all should have different passwords; all those systems are part of the work ecosystem. Currently, I have 3 different passwords because of the timing. There's one that expires the fastest, and I can't figure out which part of the environment it controls since I rarely type it.
|
|
|
|
|
I found KeePass here in Code Project, and have been using it ever since. I think it is terrific and have had no problems with passwords since I started using it.
You should give that a try.
|
|
|
|
|
Agreed. KeePass is awesome. I like the fact that I can keep the application and multiple password databases (work, home, etc.) on a thumb drive or equivalent so I can always have it with me.
|
|
|
|
|
Two Factor Authentication...
And EMAIL Me when the SECOND Factor Fails, as well as the IP Address.
Text me as well, and allow me to text back: BLOCK (and have it block the IP Address)
I have an encrypted file with HUNDREDS of passwords stored.
You know what PEEVES me... Companies who LIMIT the LENGTH of the password!
Come on! The password gets HASHED, store the hash. Salt should be unique per account.
I like to use: GUIDs + A word or two on each side. You CANNOT imagine the number of sites that won't even take a full GUID as a password.
Everything should have 2FA... IMO... Then password security is less important.
Also, some kind of internet blackhole for where these attacks come from. I used to see them attacking my server all the time, until I configured fail2ban to block on 404 and many other attempts. It took about 180 days before the hackers gave up and my banlist is reasonable.
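The "block on 404" behaviour mentioned in the post above, written out as an added example so the mechanism is visible; this is not the poster's configuration and not fail2ban's own code. It parses constructed combined-format access-log lines, counts 404 responses per source IP inside a sliding window, and bans an IP once it reaches the threshold; the three knobs mirror fail2ban's `maxretry`, `findtime` and `bantime` jail options, where the same policy would be a filter whose `failregex` matches a 404 line plus a jail carrying those three values. The IPs, paths and thresholds are made up for the example.

```python
"""Fail2ban-style banning of clients that generate repeated 404s.

Added example, not from the thread and not fail2ban's implementation. It
parses combined-format access-log lines, counts 404s per source IP inside a
sliding window (findtime), and bans an IP once it reaches maxretry hits. The
sample log below is constructed: 203.0.113.7 is a scanner probing common
paths, 203.0.113.8 hits a dead link occasionally, 198.51.100.20 is a normal
visitor with one missing favicon.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.8 - - [10/Oct/2023:12:00:00 +0000] "GET /old-page HTTP/1.1" 404 153
203.0.113.8 - - [10/Oct/2023:12:30:00 +0000] "GET /old-page HTTP/1.1" 404 153
203.0.113.8 - - [10/Oct/2023:13:00:00 +0000] "GET /old-page HTTP/1.1" 404 153
203.0.113.8 - - [10/Oct/2023:13:30:00 +0000] "GET /old-page HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
198.51.100.20 - - [10/Oct/2023:13:55:03 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.20 - - [10/Oct/2023:13:55:04 +0000] "GET /favicon.ico HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.8 - - [10/Oct/2023:14:00:00 +0000] "GET /old-page HTTP/1.1" 404 153
"""


class NotFoundBanner:
    """Sliding-window 404 counter with expiring bans (fail2ban-like semantics)."""

    def __init__(self, maxretry: int = 5, findtime: int = 600, bantime: int = 86400):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.hits = defaultdict(deque)   # ip -> timestamps of recent 404s
        self.bans = {}                   # ip -> ban expiry time

    def is_banned(self, ip: str, now: datetime) -> bool:
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                # ban has lapsed; forget it
            del self.bans[ip]
            return False
        return True

    def feed(self, line: str):
        """Process one log line. Returns the IP if this line triggered a ban."""
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            return None                  # only 404s count as "failures" here
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        window = self.hits[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()             # drop hits older than findtime
        if len(window) >= self.maxretry and not self.is_banned(ip, ts):
            self.bans[ip] = ts + self.bantime
            window.clear()
            return ip
        return None


def run(log_text: str, banner: NotFoundBanner) -> list:
    """Feed every line; return the IPs banned, in the order they were banned."""
    return [ip for ip in (banner.feed(l) for l in log_text.splitlines()) if ip]
```

The same caveat applies here as to the real tool: a scanner that burst-requests common paths is banned on its fifth miss, while a visitor behind a broken link is not, but many users behind one NAT address share a single counter, so `maxretry` for a 404 rule is usually set higher than for login failures.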
|
|
|
|
|
My company does the same thing with corporate passwords, which we are required to change every 45 days. I therefore use the tried-and-true {password}{punctuation-character}{month} and change it on the first working day of every month. The punctuation character changes annually.
Software Zen: delete this;
|
|
|
|
|
I keep all my passwords in a password manager program (PasswordSafe), with the encrypted data file stored on DropBox so I can get at it everywhere. This allows me to use unique strong passwords everywhere. With just a double-click, any password is put on the clipboard for easy pasting into the password textbox.
Of course, that means there's one password I actually have to remember & type in myself, which means it's not particularly strong. So, of course, it's the most important --- the one to unlock my PC.
Truth,
James
|
|
|
|
|
... and I like it!
Only a Draper 45cc 2-stroke, with an 18" Oregon bar and chain, but it slices through fallen trees beautifully! Half an hour and it's gone to the firewood pile.
It's got that "friendly tool" feel to it as well - anyone who worked on British motorcycles (or even older Hondas) probably knows what I mean.
There's a spanner in my toolbox, that every time I use it, I'll lose a chunk of knuckle; a chisel that pushes the hammer towards your hand; a socket that fits perfectly but rounds the nut off every damn time; Unfriendly Tools. Every time you pick it up it feels "wrong" but you never know why.
This doesn't. It just feels "right", like it's there to help you rather than bite your leg off. I won't trust it - never trust a chainsaw - but I can relax and let it do the work. Nice.
I've just realized we get them in software too - VS is "friendly", it's like an eager puppy at times. C# is "friendly", if a little strict. FFMPEG is "friendly", if not user friendly. Corel Video Studio is user friendly, but downright hostile: it tries to get in your way as much as it can, until you go back to the FFMPEG command line hell.
Anyone else know what I mean here?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
A good saw with a sharp chain is a wonderful thing.
Worked as a Timber Jack in my younger years and have been doing maintenance for 10 years on local trails so have plenty of experience with a saw.
This was my first saw, a Stihl 090[^]
I'm not sure how many cookies it makes to be happy, but so far it's not 27.
JaxCoder.com
|
|
|
|
|
137cc? That's going to cut some big stuff - way beyond my meagre abilities!
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
It was late 70s, I was young and strong. Worked 10-12 hours a day in the woods cutting timber.
Could drop a tree on a dime. Good times!
I'm not sure how many cookies it makes to be happy, but so far it's not 27.
JaxCoder.com
|
|
|
|
|
Damn!
The first dirt-bike I ever got launched-from had a smaller motor. RM125 into 2 foot rocks at 50kmh - the power-band was just too much fun..
Oh noes, I'm too wide. Sheeeeeeeeeeeeee- * boom *. Sorry guys I have to leave. I'm meeting Dad in the city an' we're going to the international motor-show. Sorry about your bike Paul!
It wasn't until I got there and dad shoved a mirror in my face that I realized I'd been getting weird looks from people for the last hour. Bastards! Half my face was covered with a black mark from the inside of the helmet!
Gee the 90s were fun.
|
|
|
|
|
nice .. otoh, don't piss off a guy with a new chainsaw and a stack of body-bags with room in his freezer
|
|
|
|
|
That's evil.
You owe me a chainsaw pun!
|
|
|
|
|
OriginalGriff wrote: Anyone else know what I mean here?
Absolutely. I used to have a Bosch mains electric hedge cutter. It was awkward to hold and operate, and ripped rather than cut. I now have a battery operated Gtech with branch cutting attachment and it "does what it says on the tin". The difference between friendly and not is sometimes small, but always noticeable.
|
|
|
|