Do I really need a password like this?


Roggio

Active Member
View Badges
Joined
Dec 13, 2011
Messages
360
Reaction score
369
Location
Orlando
Rating - 0%
0   0   0
This is excessive IMO

[attached screenshot of the site's password requirements]
 
From someone who works in IT, it does seem a bit excessive, especially when shorter, more complex passwords are not more secure. A much better solution would be longer passwords. Or enabling 2FA, such as an authenticator app or text to your phone when you try to log in.
 
From someone who works in IT, it does seem a bit excessive, especially when shorter, more complex passwords are not more secure. A much better solution would be longer passwords. Or enabling 2FA, such as an authenticator app or text to your phone when you try to log in.

While I completely agree with you concerning two-factor authentication (2FA) or longer passwords as opposed to shorter complex passwords, the default security complexity requirements in most servers were placed there to deter passwords such as (password, monkey, nameofindividual, etc.). I have worked in IT for many years as well, and when given the opportunity many end-users will go for ease of use over even the simplest of security any chance they are given.
 
Worst idea my IT department has is to force everyone to change their password every 90 days. That DEFINITELY forces people to use very simple passwords like the name of a family member plus a number that you just raise by one every time you change it. No way in hell I'm going to spend time coming up with a long and complex pw and then memorize it just to be forced to change it after 90 days...
 
Having worked in cyber security for 20 years, yes, minimum password complexity is needed as passwords such as "letmein", "password" and "password1" are still in the top 5 used. :(

Changing corporate passwords every 90 days is a minimum, but user frustration and forgetting the mass of passwords we now have is a real problem.

Personally I insist on multifactor authentication on sites which hold sensitive data/services, but I have a simple password system for non critical sites where my money can't be spent/information on me held.
 
This is accessing testing results on my home aquarium. I'm not accessing the Pentagon remotely. Also, I had the email authorization sent and it never showed. There's no option to have them resend it, so I'm stuck using another email I didn't want to (yes, I checked my junk folder). I'm grateful we have this testing now, but there are also other options. This is enough for me to at least shop around next time.
 
While I completely agree with you concerning two-factor authentication (2FA) or longer passwords as opposed to shorter complex passwords, the default security complexity requirements in most servers were placed there to deter passwords such as (password, monkey, nameofindividual, etc.). I have worked in IT for many years as well, and when given the opportunity many end-users will go for ease of use over even the simplest of security any chance they are given.

Right, I understand why password rules exist. I also understand why password, monkey and nameofindividual are all terrible passwords. My point was not that there should be no password restrictions at all. My point was that the type of password many sites and enterprises generally recognize as safe, a short password with a few special characters, is largely ineffective today. With the availability of hashed password databases and very cheap computing time, a standard "secure" enterprise password is trivial to crack. My first job in corporate IT was desktop support. There were only a handful of users who did NOT have their current password, along with their last few, written down somewhere. It doesn't really matter how resistant your company's passwords are to brute-force cracking: if the janitor can log into the computer just by walking in and steal your company's trade secrets, your password policy has failed.

Corporate IT security has had a pretty bad track record over the past decade or so. If you want proof, look no further than all the data breaches of high-profile corporations who should know better. We need a different approach to password security and hygiene. Short and complex passwords are not the answer, and I think people are getting tired of the security theater.
 
Passwords ideally should be three characters!!! But no length limits.

Example of a 3-character password:

MickeyMouseMinnieMouseDonaldDuck

The above password is superior to: Mickey!2009

Tada
 
I work in IT as well, and longer, more complex passwords are the best. The best advice I can give is to make up a phrase similar to what Mark shows, using upper and lower case.

One thing I recommend is a program called KeePass. It is a program that holds your usernames and passwords. You need to remember a complex password to get into it, but then you can house all your usernames and passwords for various websites. The best part is it gives you simple copy features to copy the username and paste it into your website. It will even generate long complex passwords for you.
 
Worst idea my IT department has is to force everyone to change their password every 90 days. That DEFINITELY forces people to use very simple passwords like the name of a family member plus a number that you just raise by one every time you change it. No way in hell I'm going to spend time coming up with a long and complex pw and then memorize it just to be forced to change it after 90 days...

This

I'm the sysadmin for an aerospace company. We have these same password requirements from the DoD and they just make it worse: yes, everyone has the easiest password and just ups it by 1, or the really smart ones will write it under their keyboard :rolleyes:
 
Right, I understand why password rules exist. I also understand why password, monkey and nameofindividual are all terrible passwords. My point was not that there should be no password restrictions at all. My point was that the type of password many sites and enterprises generally recognize as safe, a short password with a few special characters, is largely ineffective today. With the availability of hashed password databases and very cheap computing time, a standard "secure" enterprise password is trivial to crack. My first job in corporate IT was desktop support. There were only a handful of users who did NOT have their current password, along with their last few, written down somewhere. It doesn't really matter how resistant your company's passwords are to brute-force cracking: if the janitor can log into the computer just by walking in and steal your company's trade secrets, your password policy has failed.

Corporate IT security has had a pretty bad track record over the past decade or so. If you want proof, look no further than all the data breaches of high-profile corporations who should know better. We need a different approach to password security and hygiene. Short and complex passwords are not the answer, and I think people are getting tired of the security theater.


I understand your stance and I agree with you completely: two-factor authentication and passphrases (longer passwords) are a much better way to execute security in an IT environment. I was only making a statement as to why these now antiquated security requirements were implemented, and that many older machines are still restricted to these requirements. I believe a password "vault" such as KeePass, as suggested by RobertP, would help in managing the many passwords that our modern environment requires.
 
I use a PW manager (LastPass, it's free), but there are many others on the market. It integrates well in the browser on laptops and phones/iPads. It can even change your passwords automatically. The downside is that I don't know ANY of my passwords anymore :)
 
I use the LastPass password vault and love it. Its password generator is great, and it will auto-populate the password on both my computer and phone browsers.
 
When using secure methods to ensure the reliable operation of your business, I use two-factor authentication of users with the generation of one-time passwords through universal security tokens. Subsequently, Roundcube email provides additional reliability and makes this approach very convenient for users of any level.
 
My passwords are not intelligible.
I create passwords by turning my keyboard upside down and randomly typing at least 12 characters.
I will then choose various letters and capitalize them and add the special character if needed.
Of course this is only for sites and systems that must be secure.
The rest I have a generic PW.
 
It depends on what the site that has the password is.
Does it have any valuable information stored? Credit card info, etc?
If it's just a forum... yes, it's excessive.

But.

Use a password manager (I use LastPass, and can recommend it), and use it for everything. It will make a password as complicated as the site needs, and all you need to do is remember the main password manager password. I use it for everything that needs a password, except super high-risk things like my bank login. For those, I have my own, strong, complex password.

--Gray
 
This is excessive IMO

[attached screenshot of the site's password requirements]

Insanely silly... as are most similar requirements. They make passwords harder to remember and beg for serialization every time you are forced to change it.

2 or 3 dictionary words with a number or special character in between one or two of them is easier to remember and has just as much (or more) entropy.
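An added illustration, not posted by anyone in this thread, of the two claims above: that Mark's three-character passphrase beats "Mickey!2009" even against an attacker who guesses whole dictionary words rather than single characters, and that the "bump the number by one" rotation several posters describe is detectable at password-change time. The word-list size and character-class sizes are constructed assumptions for the estimate.

```python
import math
import re

# Attacker-model parameters (constructed assumptions, not figures from the thread).
WORDLIST_SIZE = 20_000  # common words and names a dictionary attack tries first
CLASS_SIZES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]

def charset_entropy_bits(password):
    """Brute-force model: each position drawn from the union of character classes
    used. This is the optimistic figure a 'short and complex' policy implicitly
    assumes; it credits 'Mickey' with six random letters."""
    space = sum(size for pattern, size in CLASS_SIZES if re.search(pattern, password))
    return len(password) * math.log2(space) if space else 0.0

def tokenize(password):
    """Split into CamelCase words, lowercase runs, digit runs and symbol runs."""
    return re.findall(r"[A-Z][a-z]*|[a-z]+|[0-9]+|[^A-Za-z0-9]+", password)

def dictionary_entropy_bits(password, wordlist_size=WORDLIST_SIZE):
    """Dictionary model: a recognisable word costs log2(wordlist_size) guesses,
    not its character count; digit and symbol runs still cost their charset bits.
    Words are assumed independently chosen, so a familiar pair such as
    'MickeyMouse' is worth less than this: treat the result as an upper bound."""
    return sum(math.log2(wordlist_size) if tok.isalpha() else charset_entropy_bits(tok)
               for tok in tokenize(password))

def is_trivial_variant(old, new):
    """Flag the 'Summer2017 -> Summer2018' rotation pattern: identical stem once
    trailing digits are stripped (case-insensitive). Only usable where the change
    flow sees both plaintexts, e.g. a password-change form; also catches reuse."""
    def stem(p):
        return re.sub(r"[0-9]+$", "", p).lower()
    return stem(old) == stem(new)

def compare(candidates):
    """Return {password: (brute_force_bits, dictionary_bits)}, one decimal each."""
    return {p: (round(charset_entropy_bits(p), 1), round(dictionary_entropy_bits(p), 1))
            for p in candidates}

if __name__ == "__main__":
    for pw, (bf, dic) in compare(["Mickey!2009", "MickeyMouseMinnieMouseDonaldDuck"]).items():
        print(f"{pw:34} brute-force {bf:6.1f} bits   dictionary {dic:6.1f} bits")
    print("Summer2017 -> Summer2018 trivial:", is_trivial_variant("Summer2017", "Summer2018"))
```

Under the dictionary model the short complex password drops from about 72 bits to about 33, while the six-word passphrase still keeps roughly 86, which is the gap the posters above are pointing at.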
 