Comment by manwe150 a day ago

11 replies

I think I like this idea that the rotation interval could be made proportional to length, for example doubling the interval with each additional character. Security standards now acknowledge that forced yearly rotation is a net decrease in security, so this would incentivize users to pick the longest password for which they would tolerate the rotation interval. Is yearly rotation too annoying for you? For merely the effort of going from 12 -> 14 characters, you could make it 4 years instead, or 8 years, 16, and so on.
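The length-dependent rotation rule described in the comment above, as an added example that is not part of the original thread. Everything here is an assumption for illustration: a 12-character password gets a one-year interval, each extra character doubles it, and the interval is capped so it stays finite. The policy needs only the password's length and the date it was set, never the password itself.

```python
from datetime import date, timedelta

# Assumed policy parameters (hypothetical, chosen to match the "12 -> 1 year,
# 14 -> 4 years" figures in the comment).
BASE_LENGTH = 12             # shortest password the policy accepts
BASE_INTERVAL_DAYS = 365     # interval at BASE_LENGTH: yearly rotation
MAX_INTERVAL_DAYS = 365 * 16 # cap so very long passwords do not get "never"


def rotation_interval_days(length: int) -> int:
    """Rotation interval for a password of `length` characters.

    Doubles with every character beyond BASE_LENGTH and is clamped at
    MAX_INTERVAL_DAYS. Passwords shorter than BASE_LENGTH are rejected
    outright rather than given a short interval.
    """
    if length < BASE_LENGTH:
        raise ValueError(f"password must be at least {BASE_LENGTH} characters")
    extra = length - BASE_LENGTH
    return min(BASE_INTERVAL_DAYS * 2 ** extra, MAX_INTERVAL_DAYS)


def expiry_date(length: int, set_on: date) -> date:
    """Date on which a password of `length` set on `set_on` must be changed."""
    return set_on + timedelta(days=rotation_interval_days(length))


def rotation_due(length: int, set_on: date, today: date) -> bool:
    """True once the password has reached its length-dependent expiry."""
    return today >= expiry_date(length, set_on)


def explain(length: int) -> str:
    """Human-readable rationale to show the user, so the interval does not
    look random or arbitrary next to a colleague's."""
    days = rotation_interval_days(length)
    years = days / 365
    return (f"Your {length}-character password must be changed every "
            f"{days} days ({years:g} years). Each additional character "
            f"doubles this interval, up to {MAX_INTERVAL_DAYS} days.")


if __name__ == "__main__":
    # Constructed sample: a 14-character password set at the start of 2024.
    set_on = date(2024, 1, 1)
    for length in (12, 14, 16, 24):
        print(length, expiry_date(length, set_on), explain(length))
    print("due for 14 chars on 2025-01-01:",
          rotation_due(14, set_on, date(2025, 1, 1)))
```

One caveat a deployment would have to accept: the directory must record the password's length (or the computed expiry) next to the hash, which is a small disclosure about the secret that a plain hash-only store does not make. Recording only the expiry date, computed once at change time, limits that to what the user is told anyway.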

connicpu a day ago

Can confirm: when I found out I'd be required to regularly change my password, the security of it went down significantly. At my current job, when I was a new employee, I generated a secure random password and spent a week memorizing it. Six months later, when I found out I was required to change it, I reverted to a variation of the password I used to use for everything years ago, with some extra characters at the end that I'll be rotating with each forced change...

  • jimmaswell a day ago

    I do the same, but write the number at the end of the password on the laptop in Sharpie. I work from home, so I've been thinking about making a USB stick that simulates a keyboard with a button to enter the password.

    • immibis 17 hours ago

      Dangerous. You might accidentally press the button in a group chat.

      • 3eb7988a1663 10 hours ago

        They would then have an excuse to get one of those mission control button covers.

  • byproxy a day ago

    Why not make use of a password manager?

    • Aeolun a day ago

      You can’t open the password manager until your computer is unlocked.

      • isomorphic- a day ago

        You can put the password manager on your phone or another device.

        • denkmoon a day ago

          And now you're violating a different policy.

    • connicpu a day ago

      I'm not pulling my phone out every time I have to unlock my computer at work. If IT wants my work account to be secure they should change their policies.

      • edoceo a day ago

        As discussed here, the policy is from outside the org.

butshouldyou a day ago

Unfortunately, lots of end users refuse to read the password policy and won't understand why their password reset interval is "random" or shorter than their colleague's.