I wonder how much of this stems from two stupid IT policies. For decades users have been told to not write down passwords and to change them regularly. The result of this policy is to use a small number of password variations that one reuses. Then IT complaims about it.
The better plan has always been to use long random passwords that you never reuse and write them down by some method like a password manger and only change them rarely for example when they may be compromised,
My workplace has finally gone to passphrases and 1 year password life, which is nice as it’s a password I often need to type, so I’d rather 20 easy to type and memorise chars than 16 random
I remember asking my company if they have official password management software in my job before my last job. They did not. I can’t believe we have all this specific software to be used at the company but they don’t put some time to identify what they want employees to use for this. Funny thing is security teams are such big deals but I think they actually don’t want to get involved in case it does not work out.
I wonder how much of this stems from two stupid IT policies. For decades users have been told to not write down passwords and to change them regularly. The result of this policy is to use a small number of password variations that one reuses. Then IT complaims about it.
The better plan has always been to use long random passwords that you never reuse and write them down by some method like a password manger and only change them rarely for example when they may be compromised,
My workplace has finally gone to passphrases and 1 year password life, which is nice as it’s a password I often need to type, so I’d rather 20 easy to type and memorise chars than 16 random
I remember asking my company if they have official password management software in my job before my last job. They did not. I can’t believe we have all this specific software to be used at the company but they don’t put some time to identify what they want employees to use for this. Funny thing is security teams are such big deals but I think they actually don’t want to get involved in case it does not work out.
Lot of security is theater. IT doing a CYA thing.