• poop@lemmy.blahaj.zoneEnglish
        1·
        1 year ago

        Encourages users to just add a rotating number or other not too secure thing to their password. I know that’s what I did when I worked somewhere with that dumbfuck policy.

        • fadedmaster@sh.itjust.worksEnglish
          2·
          1 year ago

          Yep. My least secure password is the one I use at work because I’m restricted to 9-12 characters, can’t be sequential forwards or backwards including keys next to each other (abc, 123, qwerty), can’t begin with a number, must contain at least three numbers, must be at least four characters different from your last twelve passwords, and must be changed every 90 days. Oh and it can’t include your first or last name.

          Most of my coworkers just use a family members name and then change a few numbers at the end and keep a post it note at their desk with the numbers so they don’t forget it.

      • pkulak@beehaw.orgEnglish
        1·
        1 year ago

        The original idea was that you would take how long it took to brute-force a password, then require the password be changed before that. But we have better hashing now, like bcrypt, where you can tune it so that brute forcing anything would take 100s of years.

      • Reddit_Is_Trash@reddthat.comEnglish
        1·
        1 year ago

        I would imagine most users change their password by only 1 character, and maybe even in sequential order.

        When time comes to change the password, it becomes password1234 instead of password123. Or password234. Something easy to remember, most users don’t care about best security practices, and changing to a similar password is very convenient. Especially if it’s “only” for work stuff

    • Dubious_Fart@lemmy.mlEnglish
      1·
      1 year ago

      It was never best practices for anyone who had common sense.

      It just forced people to make insecure, easy to remember passwords, cause they were gonna be changed in again soon so why make it complicated and hard to remember.

        • pezhore@lemmy.mlEnglish
          1·
          1 year ago

          Psh… That’s amateur, I just keep incrementing the number at the end ‘password1’, ‘password2’, etc. Gotta fool the password reuse counter!

  • AnonymousLlama@kbin.social
    5·
    1 year ago

    Need the opposite costume, the overly eager sys admin.

    • wants to force password changes once a month for security
    • constantly changing security policies to reflect the flavor of the month
    • constantly sends out phishing emails tests, wonders why no one replies to any of his emails
    • Hotdog Salesman@programming.dev
      4·
      1 year ago

      My fucking uni is trying to move to passwordless, but you will always need a password to log onto any lab device, and to the wifi, so why?

    • idunnololz@lemmy.world
      2·
      1 year ago

      A website once complained my password contained 3 consecutive letters there were 1 away from each other. This was back when I used sentences for passwords. It was complaining about the word worst because of r-s-t.

      • TheSaneWriter@lemmy.thesanewriter.com
        1·
        1 year ago

        That’s wack. Passphrases are second only to random passwords generated by a password generator in terms of security, character proximity doesn’t matter with that much length.

    • magic_lobster_party@kbin.social
      1·
      1 year ago

      Sysadmin: “A clear indication of phishing email is the sense of urgency. We would never send out any email regarding urgent updates that needs immediate action.”

      Also sysadmin: “URGENT!!! You must update your system now before Friday!!! Click link here for instructions! Otherwise you will be locked out!”

      • AnonymousLlama@kbin.social
        1·
        1 year ago

        Spot on. We’re changing XYZ policy and we need everyone to do this training within the week. Wait, why’s no one opening my emails

  • HairHeel@programming.devEnglish
    4·
    1 year ago
    • Installs antivirus on servers that wrecks application performance
    • installs content filtering proxy that prevents developers from reading “hacking materials” like OWASP documentation
    • won’t let developers install anything on their own machines without filing a ticket and waiting 6 weeks
    • pushes unannounced antivirus updates that pop up OS security dialogs like “Netscan Antivirus would like to monitor all network traffic. Enter your password to approve”, and is surprised when users don’t enter their passwords.

    Your corporate IT guy

    • kd45@lemm.eeEnglish
      3·
      1 year ago

      We might work at the same company lmao. My laptop is borderline unusable due to all the monitoring garbage despite having really fast hardware

  • Dubious_Fart@lemmy.mlEnglish
    2·
    1 year ago

    I bet he also picks up USB sticks from the parking lot and plugs them into his work computer.

  • geekworking@lemmy.worldEnglish
    1·
    1 year ago

    Even worse is the CEO.

    He needs access to everything and he’s far too important to waste time with security.

    • Noughmad@programming.devEnglish
      1·
      1 year ago

      This is the reason why those scams are so successful:

      “Hi this is the CEO, wire $10000 to this account right now, we need it there yesterday. I don’t have time to talk, just do it. Bye”