Consider Changing Your Password?



  • OK, hands up, how many of you immediately change your Windows password when you get the pop-up bugging you that you only have X days left until it expires?

    And how many of you are like me, and REFUSE on general principle to change it until FORCED to do so? Sometimes, it ends up expiring on a weekend, which means I get an extra 2 days on it before I have to change it. That makes me unreasonably happy. Microsoft and site admins with the password change policy, you know what?
    HOW ABOUT ... NO?



  • Fuck passwords, give me 2factor and an easier password every day.


  • sockdevs

    @Vaire said:

    OK, hands up, how many of you immediately change your Windows password when you get the pop-up bugging you that you only have X days left until it expires?

    for personal, pretty much immediately.

    For work, yeah that too, or at least the monday immediately following getting the warning (i refuse to change it on a friday. I'll forget it!)

    however for the past year i've had to be even more careful because we have a critical system application running under my domain credentials for the past year, database permissions error on rollout led to me setting it to my credentials as a testing step and BOSS^3 ordered me to leave it because it made it work. (why was BOSS^3 even there on rollout weekend?!)

    and i've been begging for the time to take the application offline long enough to fix it, basically once a week. and i keep getting denied. so every time the password reset rolls around i have to be really quick changing it so the app keeps working and the salespeople never learn of our deception....

    :'(



  • I just started getting emails from work about this. They always start 20 days out. :wtf:



  • @Vaire said:

    And how many of you are like me, and REFUSE on general principle to change it until FORCED to do so?

    This. I mean, my existing password will still work for the time being. I don't see any advantage to changing it early -- all that means is that that stupid reminder will occur even earlier next time.



  • Ahh. The guaranteed life-will-end-oh-my-god event that happens shortly after you leave the company because no one remembers that little detail.



  • I dunno about you, but I find it more convenient to change my password early than to let it expire, get locked out of my account, and have to call and ask for my account to be unlocked so I can enter a new password on the "I didn't change it in time" form.


  • sockdevs

    @dcon said:

    Ahh. The guaranteed life-will-end-oh-my-god event that happens shortly after you leave the company because no one remembers that little detail.

    if they don't remember it's not fucking my fault. i've been trying to get them to let me fox it for a YEAR now.



  • @LB_ said:

    I dunno about you, but I find it more convenient to change my password early than to let it expire, get locked out of my account, and have to call and ask for my account to be unlocked so I can enter a new password on the "I didn't change it in time" form

    I just have to change mine when it's expired. If I had to deal with your :wtf:s, I'd probably worry about changing it earlier, too.



  • @accalia said:

    if they don't remember it's not fucking my fault. i've been trying to get them to let me fox it for a YEAR now.

    Agreed. That's the "I told you so" shit-eating grin you wear as you walk out :)

    And if they call you, "Sorry, I purged all that info from my brain. Can't help you. Unless you can afford :heavy_dollar_sign::heavy_dollar_sign::heavy_dollar_sign:"

    (:wtf:? ctrl+z undoes the last change and then selects all? fuck you :disco::horse:)



  • @accalia said:

    the monday ~~immediately following getting the warning~~ before it expires (i refuse to change it on a friday. I'll forget it!)

    FTFM



  • I always thought that hardware token + fingerprint + 4 digit PIN (birth year is not allowed) would be more secure than 99% of existing corporate systems.

    Also, a webcam constantly running a face recognition algorithm could be used to improve it even more, if implemented right.


  • Impossible Mission Players - A

    @accalia said:

    i've been trying to get them to let me fox it for a YEAR now.

    Submit a new ticket every week about it, referencing the last.
    That'll show them!



  • @accalia said:

    for personal, pretty much immediately.

    Your personal computer has a password expiration policy?



  • @Vaire said:

    Sometimes, it ends up expiring on a weekend, which means I get an extra 2 days on it before I have to change it.

    If my password expires when I'm not in my office, I can't get any e-mail on my mobile device or log in to the VPN to debug things remotely until I physically sit at my desk in my office and change it.

    The e-mails can usually wait, but if anything goes sideways I'll get a phone call, and it's really nice when I don't have to physically come in to fix it.


  • sockdevs

    @anonymous234 said:

    Your personal computer has a password expiration policy?

    well my home domain does because the DC on my NAS came with that group policy by default, and i have yet to be arsed to change it.



  • Yeah, I get the e-mails too. That just makes it all the more delicious to ignore it until I am forced to change it.

    What they are basically asking is, "instead of being forced to change your password every 90 days, for no reason other than our IT drones are stuck in a 1994 computer security mindset, would you like to instead be forced to change it every 70 days?"

    Such convenience!



  • Meh, our security hasn't been implemented like that in the last 2 companies I worked for, both Fortune 100 companies. All that happens is, I am forced to change it upon trying to log on, once it has expired. :trolleybus:

    But, yeah, if it was set up where I got locked out, then I would be more diligent about changing it, but I would still wait until the absolute last day I could, before I did it. Because, stubborn.



  • @anotherusername said:

    If my password expires when I'm not in my office, I can't get any e-mail on my mobile device or log in to the VPN to debug things remotely until I physically sit at my desk in my office and change it.

    The e-mails can usually wait, but if anything goes sideways I'll get a phone call, and it's really nice when I don't have to physically come in to fix it.

    I specifically state in interviews that I am willing to work remotely outside of normal business hours, in an emergency. And, since it would be an emergency, I expect to be compensated at an emergency rate (read: triple my already very high rate). So far, nobody has pulled the trigger on that one. It is my way of being accommodating to real emergencies, while also drawing a clear line in the sand on encroachment into my personal time.

    I have had some companies get really uncomfortable during the interview when I have said that. In some cases I could tell we were done, and terminated the interview. In other cases, I could tell they decided to lie to me, in the hopes that they will pressure me to do it anyway after bringing me on -- I declined their offers. ;)



  • @Vaire said:

    I specifically state in interviews that I am willing to work remotely outside of normal business hours, in an emergency. And, since it would be an emergency, I expect to be compensated at an emergency rate (read: triple my already very high rate).

    Unfortunately, I'm an exempt employee.



  • @anotherusername said:

    Unfortunately, I'm an exempt employee.

    Oof, I feel your pain. Been there, bailed out :confused:



  • It's not so bad. It's pretty rare that I get called, and when I do, I can often either tell them what to do differently or just log in and fix it remotely.

    Then sometimes I take off early the next Friday (or whatever other day is convenient) to compensate myself for my time, with my boss's permission of course. He's also exempt and he understands that part of it, and he's pretty nice about it. He's even allowed me to take off some afternoons that I've needed for doctor's appointments without making me use any sick leave or vacation.



  • I ignore the warning until it forces me to change my password. Then I change my password, and then change it right back to the old one.



  • Not allowed to change password less than 3 days after the last change.

    Not allowed to use any of the previous 3 passwords.

    Needless to say, I just have 4 passwords, and they're not very different...



  • I just increment the number on the end by one. It at least gives you an algorithm for arriving at your current password from the one you remember...



  • Damn you, you've hacked my super-secret secure password methodology! >_</*



  • Now they'll all be fooled when you use hunter1 instead.


  • Winner of the 2016 Presidential Election

    @hungrier said:

    Now they'll all be fooled when you use ******* instead.

    Sorry, what?


  • Impossible Mission Players - A

    @accalia said:

    home domain

    Oh, you run a DC too? Adding to club [Name not defined], which currently includes @sloosecannon and @Tsaukpaetra

    @anotherusername said:

    Not allowed to change password less than ~~3~~14 days after the last change.

    Not allowed to use any of the previous ~~3~~20 passwords.

    Needless to say, I just have ~~4~~21 passwords, and they're not very different...


    Yeah, our policy is weird. It's like they expect you to be here for YEARS...
    ... oh crap, I've been here for 2.4 years so far FFS!

    @tar said:

    I just increment the number on the end by one. It at least gives you an algorithm for arriving at your current password from the one you remember...

    Yep! Totally cactus since they can't catch on to that little life-hack, amirite?


    Filed under: Because my brother's initials and grade-school ID number are perfectly good sources for passwords, right?



  • @tar said:

    I just increment the number on the end by one. It at least gives you an algorithm for arriving at your current password from the one you remember...

    We have a policy that prevents that. They can't be too similar. So I have a list I rotate thru saved in KeePassX. At least I only have to do it every 6 months.



  • @Tsaukpaetra said:

    Totally cactus

    I guess.

    You crazy young people with all your phrases...


  • Winner of the 2016 Presidential Election

    @Tsaukpaetra said:

    Adding to club [Name not defined]

    Club Contoso?



  • @dcon said:

    We have a policy that prevents that. They can't be too similar. So I have a list I rotate thru saved in KeePassX. At least I only have to do it every 6 months.

    Sometimes you kind of have to admire the lengths that corporate will go to to get people to write their passwords down on post it notes...


  • Discourse touched me in a no-no place

    I increment a letter. I have just a few left before I wrap around...



  • @dcon said:

    We have a policy that prevents that. They can't be too similar. So I have a list I rotate thru saved in KeePassX. At least I only have to do it every 6 months.

    Yeah... no. If you are going to implement an insane password policy like that, imma immediately terminate the interview, or start looking for my next gig, depending on when I find out about that. Memorizing unique passwords (or bothering to store them somewhere) all for a process that hasn't helped computer security for years ...



  • @tar said:

    Sometimes you kind of have to admire the lengths that corporate will go to to get people to write their passwords down on post it notes...

    QFFT!


  • Impossible Mission Players - A

    @sloosecannon said:

    Club Contoso?

    Petition Entry noted. Awaiting further suggestions from club members...


    Filed under: I wonder if polls here can be dynamically created from posts...


  • sockdevs

    @Tsaukpaetra said:

    Oh, you run a DC too?

    yep. ah do at that.


  • Discourse touched me in a no-no place

    "too similar" cannot be actioned on anything but the immediately previous password (which you are, after all, entering in the same form) unless they're storing plaintext forever.


  • Discourse touched me in a no-no place

    @accalia said:

    i refuse to change it on a friday. I'll forget it!

    Wimp.

    Create a 6 or 7-character base password, say Mul35! or something. Your next password is aMul35!. When that expires, you go to bMul35!, then cMul35! and so on. After z you get to use the capital letters. With quarterly password changes, you've got like 13 years, and by then you'll probably be able to start the sequence over!

    And Windows won't notice your password's only minimally changed, either.


  • Discourse touched me in a no-no place

    @LB_ said:

    call and ask for my account to be unlocked so I can enter a new password on the "I didn't change it in time" form.

    That's the nice thing about having a domain admin account--I can reset my own password if I get locked out!



  • I have local admin on my domain account, but not domain admin. Or something like that.

    I can install stuff on any computer, but I can't reset my password. Or anyone else's, for that matter.


  • Discourse touched me in a no-no place

    @Vaire said:

    would you like to instead be forced to change it every 70 days?

    Were these people involved in the fire extinguisher scam in a previous career?


  • Discourse touched me in a no-no place

    @anotherusername said:

    I have local admin on my domain account, but not domain admin. Or something like that.

    I could be local admin on my work PC, but I choose not to, since many of my users aren't.

    I have a domain admin account so I can do things on certain servers, including password resets via the BDC, or so I can do setup of new PCs.



  • @FrostCat said:

    the fire extinguisher scam

    Probably. At this point in my career, I put nothing past anyone. =_=


  • Impossible Mission Players - A

    @FrostCat said:

    That's the nice thing about having a domain admin account--I can reset my own password if I get locked out!

    Wait, what? If you're locked out, how do you reset your password?


  • Discourse touched me in a no-no place

    @Tsaukpaetra said:

    Wait, what? If you're locked out, how do you reset your password?

    The domain account password never changes, so I log in with that on the BDC and reset my password.



  • @Weng said:

    unless they're storing plaintext forever

    Technically there are hashing methods that are designed to give similar results from similar inputs which could let you fake it (though it also makes cracking those hashes easier), but really would you be surprised that a large company was storing passwords in plaintext?



  • @dcon said:

    We have a policy that prevents [incrementing a number at the end]

    That's why I have two numbers, one at the end, one in the middle.



  • @locallunatic said:

    there are hashing methods that are designed to give similar results from similar inputs

    Isn't avalanche effect pretty much raison d'etre for hashing in general?
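
The point argued in the posts above about "too similar" checks and the avalanche effect, as an added example that is not part of the thread: a password-change check that keeps only salted PBKDF2 hashes can measure similarity against the current password (typed into the same form) but can only detect exact reuse against older ones. The function names, the edit-distance threshold of 3 and the sample records are assumptions constructed for illustration; aMul35! and bMul35! are the sample passwords from the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password):
    """What the server keeps: a random salt and the hash, never the plaintext."""
    salt = os.urandom(16)
    return salt, hash_pw(password, salt)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bit_difference(p1, p2, salt=b"constructed-salt"):
    """Avalanche effect: differing bits (of 256) between hashes of two inputs."""
    h1, h2 = hash_pw(p1, salt), hash_pw(p2, salt)
    return sum(bin(x ^ y).count("1") for x, y in zip(h1, h2))

def check_change(old_plain, new_plain, current, history, min_distance=3):
    salt, stored = current
    if not hmac.compare_digest(hash_pw(old_plain, salt), stored):
        return "wrong current password"
    # Similarity is measurable only because the old plaintext was just typed in.
    if edit_distance(old_plain, new_plain) < min_distance:
        return "too similar to current password"
    # Older passwords exist only as hashes: exact reuse is all that can be detected.
    for h_salt, h_stored in history:
        if hmac.compare_digest(hash_pw(new_plain, h_salt), h_stored):
            return "reused"
    return "accepted"

# Constructed sample data.
CURRENT = make_record("Orchid-Ladder-42")
HISTORY = [make_record("aMul35!"), make_record("bMul35!")]

if __name__ == "__main__":
    for new in ("Orchid-Ladder-43", "bMul35!", "cMul35!"):
        print(new, "->", check_change("Orchid-Ladder-42", new, CURRENT, HISTORY))
    print("bits differing:", bit_difference("aMul35!", "bMul35!"))
```

cMul35! is accepted even though it is one character away from a history entry, because the stored hashes of near-identical inputs differ in roughly half their bits.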

