• AllHailTheSheep@sh.itjust.works · 10 points · 5 hours ago

    I hate sites that make me constantly change passwords. It's been shown time and time again that making users change passwords often decreases security by a pretty large factor, and yet a lot of sites still do it.

    • MrsDoyle@sh.itjust.works · 7 points · 4 hours ago

      Our workplace did that. You had to change every month and you weren’t allowed to just add a digit. It meant that people started writing their passwords on post-its stuck to the monitor.

      Mind you, back in the 90s your password was the same as your username. It was very handy, because if someone went home leaving a document locked, you could just log in and unlock it. Our first “proper” IT professional was horrified.

      • Object@sh.itjust.works (OP) · 5 points · 4 hours ago

        Could be because OWASP now actively recommends against periodic password changes.

        Ensure credential rotation when a password leak occurs, at the time of compromise identification or when authenticator technology changes. Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable Multi-Factor Authentication (MFA). According to NIST guidelines, verifiers should not mandate arbitrary password changes (e.g., periodically).