
49% of workers, forced to change passwords, reuse same one with minor change - pwg
https://www.grahamcluley.com/49-of-workers-when-forced-to-update-their-password-reuse-the-same-one-with-just-a-minor-change/
======
hwbehrens
This should not be a surprise, as this supports the NIST's revised
recommendations (from June 2017!) that passwords should _not_ expire [0],
because it actually leads to less-secure passwords for this exact reason.

Furthermore, many corporate systems do not integrate well with password
managers, such as when first logging in to your system in the morning. This
means that the password is likely to be one of the few that must actually be
memorized. If you ask me to memorize a 32-character random string, I will, but
I won't memorize a different 32-character string every 6 months!

[0]:
[https://pages.nist.gov/800-63-FAQ/#q-b05](https://pages.nist.gov/800-63-FAQ/#q-b05)

~~~
orand
Bruce Schneier's summarization [0] of NIST's revised recommendations:

1. Stop it with the annoying password complexity rules. They make passwords
harder to remember. They increase errors because artificially complex
passwords are harder to type in. And they don't help that much. It's better to
allow people to use pass phrases.

2. Stop it with password expiration. That was an old idea for an old way we
used computers. Today, don't make people change their passwords unless there's
indication of compromise.

3. Let people use password managers. This is how we deal with all the
passwords we need.

[0]:
[https://www.schneier.com/blog/archives/2017/10/changes_in_pa...](https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html)

~~~
trianglem
I agree with all of this except password managers. If you use a lot of
different public computers or temporary work laptops they don’t always let you
install LastPass, so I frequently ended up being unable to access my accounts.

~~~
nickthegreek
I access my manager from my phone and type them in. I would never install my
LastPass on a public computer even if they let me.

~~~
fluidcruft
It would be really cool if you could plug your phone in and it appeared as a
USB keyboard device and you could "type" the password from the password
manager that way without ever giving the computer access to anything except
that password.

Maybe some sort of simple USB dongle (like a yubikey) could be fed by the
phone via bluetooth or nfc to do this?

~~~
peteretep
It would be even cooler if I could open an app on my phone, point it at a QR
code on screen, and not have anything else bother me

~~~
wcip
Would you sue me if I tried to implement this? That is an amazing idea.

~~~
freehunter
This has been done already, so no. There’s prior art. Look up Clef for one
example.

[https://en.m.wikipedia.org/wiki/Clef_(app)](https://en.m.wikipedia.org/wiki/Clef_(app))

~~~
flurdy
I had high hopes for Clef, but unfortunately, it never got the traction it
needed.

That would require each site to implement server-side components to talk to
Clef, and most sites have been ice age slow to implement basic TOTP never mind
yet another method.

Now, if the big existing OAuth sites, your Google, Facebook, Okta, etc
implemented a QR code method like Clef then it might work.

------
vikramkr
Only 49%? That's way lower than I would have expected, I wonder if there were
people in the survey that weren't willing to admit it?

~~~
meragrin
Nah, the other half just write it down on a sticky note and place it on their
monitors.

~~~
PeterStuer
Which is just fine given that most threat models involve pure digital attacks.

------
teekert
Of course we do. My password manager does not work for the Windows login and I
need to change it every 3 months. I can remember 1 large complicated pass-
sentence, but not a different one every three months.

~~~
vlunkr
For cases like these I semi-seriously suggest using a keyboard with
programmable macros. Usually people laugh it off but I think it's not the
worst idea. Almost no one I know would know how to find and execute a macro on
my keyboard, if they even considered looking for a password there.

~~~
clarry
One better: a password generator in the keyboard.

You give it a master key and a short code, it derives a password from those
two.

Doesn't work in organizations that don't let you bring your own custom
hardware though :C

------
caconym_
I did this at my old job where they forced regular PW changes. The thing that
changed was the string of digits at the end, which was always the year and
month I was last forced to change it.

Of course, for my personal logins I use a manager and unique strong passwords,
but they gave me no reason to care about password security and a bunch of
reasons not to.

Honestly I'm surprised it's as low as 49%.

------
davidmurdoch
We had a password change rule at a company I worked at because QuickBooks
required it. Because QuickBooks required it, upper-management decided that ALL
other passwords were required to be changed as well (email and desktop
passwords, for most employees).

Because time is money, and the employees' time was all chargeable at about
$250/hour, the IT guy was tasked with the job of changing everyone's password
himself right before the 90 days were up. He just kept everyone's passwords in
a password manager, and the "Notes" field contained the password change
pattern the user wanted to follow.

Being the IT guy's manager I was able to exclude myself from these crazy
shenanigans, but no one else was so lucky. In fact, many people asked for
their passwords to be synced by the IT guy for other services they use at
work!

------
orthros
My work required me to change passwords every 90 days. I worked there for 8
years. My first password was [password]1 and my last one was [password]34.

I'm guessing this isn't what they had in mind.

~~~
Liskni_si
There's actually no need to really change the password. The check for used
passwords has its limits, so after going through [password]1 to, let's say,
[password]20, it lets you use [password]1 again. A script (for loop with
smbpasswd, for example) can do this in a few seconds.

------
AdmiralAsshat
No sympathy for the organizations that implement these stupid password
requirements in the first place.

a) Passwords that are secure.

b) Passwords that can be remembered.

c) Passwords that must be rotated regularly.

You can pick two of the above, and it can be done. But you're not getting all
three.

~~~
all_blue_chucks
You should have some sympathy. Outdated regulatory standards like PCI DSS
require things like this. It isn't always your employer's choice.

------
obelos
I used to have to deal with an enterprise system that required quarterly
password changes. The interesting thing about this system was it would refuse
to let you set a new password that wasn't sufficiently different from the
previous several passwords... Which almost certainly means they were
implementing this security measure by storing the passwords in plaintext on
the server.

~~~
_ah
You could take the first N characters of the password and store that as a
secure hash. That would catch people choosing password1, password2, etc (but
wouldn't help much with 1password, 2password...)

~~~
cgriswald
Strip all the non-letter characters and hash that.
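
The obelos / _ah / cgriswald exchange above is about how a verifier can tell that a "new" password is just the old one with a digit moved, without keeping the old passwords in plaintext. The following is an added example (not code from any commenter or from the article) of that idea: each previous password is reduced to its letters, as cgriswald suggests (lowercasing is an addition here), and only a salted, slow hash of that reduced form is stored. PBKDF2 from the standard library stands in for the bcrypt/scrypt/Argon2 a production verifier would use; the iteration count, history depth and sample passwords are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed parameters for this example; tune the work factor for production.
PBKDF2_ITERATIONS = 100_000   # slow, salted KDF: stands in for bcrypt/scrypt/Argon2
SALT_BYTES = 16
HISTORY_DEPTH = 10            # how many previous passwords the verifier remembers


def normalize(password: str) -> str:
    """Reduce a password to the 'core' a rotating user tends to keep.

    Following cgriswald's suggestion, every non-letter is stripped; lowercasing
    (an addition here) also folds case-only changes. Password1, 1Password and
    PASSWORD!2020 all reduce to 'password', so they compare equal below.
    """
    return re.sub(r"[^a-z]", "", password.lower())


def _derive(normalized: str, salt: bytes) -> bytes:
    """Salted slow hash of the normalized form. Only this digest is stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class PasswordHistory:
    """Server-side history that never keeps plaintext, only salted digests
    of the normalized form of each previously accepted password."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # list of (salt, digest), oldest first

    def too_similar(self, candidate: str) -> bool:
        """True if the candidate shares its letter core with a remembered password."""
        core = normalize(candidate)
        # Every entry has its own salt, so the KDF runs once per entry.
        return any(
            hmac.compare_digest(_derive(core, salt), digest)
            for salt, digest in self._entries
        )

    def record(self, password: str) -> None:
        """Remember a newly accepted password, keeping at most `depth` entries."""
        salt = os.urandom(SALT_BYTES)
        self._entries.append((salt, _derive(normalize(password), salt)))
        del self._entries[:-self.depth]


def demo() -> dict:
    """Constructed walk-through: three rotations of 'Password', then candidates."""
    history = PasswordHistory()
    for previous in ("Password1", "Password2", "Password3"):
        history.record(previous)
    return {
        "Password4": history.too_similar("Password4"),      # caught: same letters
        "4Password": history.too_similar("4Password"),      # caught; a first-N-chars check would miss it
        "PASSWORD!!": history.too_similar("PASSWORD!!"),    # caught: case and symbols folded away
        "Passw0rd5": history.too_similar("Passw0rd5"),      # missed: 'o' -> '0' changes the letters
        "correct horse battery": history.too_similar("correct horse battery"),  # genuinely new
    }


if __name__ == "__main__":
    for candidate, blocked in demo().items():
        print(f"{candidate!r}: {'too similar' if blocked else 'accepted'}")
```

Two caveats a practitioner should weigh. The stored digests cover less entropy than the real credentials (digits, symbols and case are gone), so this history store is a softer target than the main password hashes: keep the depth small and the KDF slow. And, as `Passw0rd5` shows, any normalization only catches the variations it was designed for; the thread's broader point (and NIST's) is that not forcing rotation removes the incentive for these variations in the first place.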

------
stevenicr
I used to set many passwords with slight variations.

One day I turned on failed login pass capture on a couple of wordpress web
sites. I did see some of what I expected, they tried many of the most common
passwords,

what surprised me is that they also attempted all kinds of similar variations
that included words that our sites might use, but were not in the most common
used pass dictionaries.

So they were not just using dictionary and common pass attacks, they were also
attempting ones and slight variations of ones that may or may not have
included that common things, plus site specific things, then with slight
variations.

That was kind of spooky, and had me change up how I set up some things for
other people.

------
Vomzor
The thing I hate the most is random websites forcing you to use a password
with "at least 8 characters, capital letters, numbers, .." I only care about
my email account and a couple of other important websites. I want to be able
to use the same simple password on other websites. So what if my account on
pinterest or my local news website or some random forum is compromised... I
don't care. I will either reset my password or make a new account.

~~~
clarry
> The thing I hate the most is random websites forcing you to use a password
> with "at least 8 characters, capital letters, numbers, .."

You can come up with a simple and easy-to-remember phrase for those. If it
expresses your irritation with those rules and annoying mandatory logins, it's
easier to remember. For example, FuckOff1234!

~~~
thiagomgd
Same here. I have good passwords in my password manager for things that I care
about, a password for things I don't care about enough to use the manager for,
and a password for throwaway stuff.

------
petercooper
There was an entertaining tale about this in Henry Marsh's _Do No Harm:
Stories of Life, Death and Brain Surgery_ (he's a very significant figure in
brain surgery in the UK).

There's a lot to it, but it came down to running around the hospital getting
mad with the new digital system for looking at X-ray pictures rather than
having them in physical format. Given one of the admin's passwords to try (it
was something quite rude like "fuckoff"), he still couldn't make it work, and
was advised that they were forced to change passwords every 30 days and to try
"fuckoff2". It turned out the actual password was something like "fuckoff4"
due to the time that had passed since the password had been shared around the
department.

_Edit: Found another recollection of the tale here:
[https://www.theguardian.com/books/2014/mar/30/do-no-harm-sto...](https://www.theguardian.com/books/2014/mar/30/do-no-harm-stories-brain-surgery-review-henry-marsh)_

~~~
octorian
Somehow this reminds me of a problem my father (who is a doctor) has often
complained about. Basically IT shitheads enforcing their policies on ALL
computers in the hospital, including those used in operating rooms.

So that means things like a screen (displaying important information) locking
from X minutes of inactivity, on a computer that the surgical team is
physically unable to "bump" periodically or type a password on, due to them
being scrubbed and sterile.

It reaches a point where you basically have to tell these people "Someone
could DIE if you don't change the fucking policy for our use case" to get
things to change.

~~~
jiggawatts
Conversely, computers outside the surgery are all on one big network in a
public space with random unsupervised people walking around at all hours. It's
very easy for someone to utilise this in a way that violates the privacy of a
patient in the worst possible way. Think nosy reporter looking for HIV status
of a celebrity, or abusive parents looking for their kids to stop them having
an abortion, that kind of thing.

I've been involved in the design of hospital computer networks, and I tell
you: meeting all the requirements at once is _hard!_

The system we designed used contactless smart cards and Citrix. The idea was
that as the attending doctors moved from bed to bed and ward to ward, their
desktop session would move with them.

The instant they logged on somewhere else, the previous terminal would lock
and the session would transfer to the new terminal without a full Windows
logon cycle. It was basically equivalent to disconnecting a monitor and
connecting a different one. No passwords were needed, they just had to tap
their id card once.

My challenge was that this has to occur in under a second, including the smart
card cryptographic authentication step, which was limited by the throughput of
the NFC chip on the card. From memory, it was woefully slow, and we had to use
the smallest compatible elliptic curve cipher available to make it acceptable.

Similarly, it was difficult finding a thin terminal device that was both fast
enough to do this, _and_ fanless so that it could be sealed against dust. This
was needed to prevent their warm insides becoming the perfect breeding ground
for antibiotic resistant superbugs.

~~~
octorian
This sounds like EXACTLY what Sun's SunRay thin clients used to do, back when
the rest of the *nix world seemed completely oblivious to this whole "hot-
desking" concept.

------
Shivetya
We call this the plus one rule at work.

I kid you not, those of us subject to rolling our passwords do just that. Add
one. One system had a restriction of not the same password within 32 changes,
so inventive users would simply do that in one try, until changes got limited
to once per 24 hours.

------
pixelbath
From Microsoft in May 2019
([https://blogs.technet.microsoft.com/secguide/2019/05/23/secu...](https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/))
talking about how their new policy is _not_ to recommend regular password
changes:

> When humans are forced to change their passwords, too often they’ll make a
> small and predictable alteration to their existing passwords, and/or forget
> their new passwords.

------
omgwtfbyobbq
I do this at my current job, character by character, as I'm asked to update
it. I think I have a mix of four different slightly modified semi-unique
passwords I've used in the past so far, so it's not great, but not terrible.

My password is currently 35+ characters, using upper and lower case letters,
numbers, and punctuation, and is not shared with any other account I have.
Even if someone were to get a list of other passwords I've used they would
need to correctly guess what passwords I'm using here, what modifications I've
made to them, what the order was, and where in the last password I've used I
am, since I append a single character at a time.

I also try to go out of my way to use the weakest passwords possible for non-
critical websites (eg subject specific forums) so if those are compromised the
only thing someone gets is my username plus a really weak password as opposed
to my username plus a relatively strong/unique password.

With that said, as I'm writing this, I acknowledge I should really start from
scratch. It's better to be safe than sorry.

[https://correcthorsebatterystaple.net/](https://correcthorsebatterystaple.net/)

~~~
dangom
That's an interesting idea, yet seems unsustainable. How would you deal with
typing such a long password on a mobile, for example?

~~~
omgwtfbyobbq
I'm not on mobile often anymore, but if I was it would be terrible and I would
probably switch to something smaller or just use a keyboard (otg/usb? I'm not
sure how secure bluetooth is).

------
MrMember
The password requirements at my job are, in my opinion, insane. It has to be a
specified length (an exact number of characters, no more, no less), can't
contain any 3+ character words found in a dictionary, and a few other
requirements like at least one capital letter and at least one number. And it
has to change every three months. So yes, when I have to change my password I
end up changing a single character or digit and calling it a day.

~~~
Sohcahtoa82
I've heard of banks setting a 8-character _limit_ on password length.

If my bank did that, I'd be searching for a new bank. That just reeks of
passwords being stored in plain text.

~~~
JackRabbitSlim
IBM legacy in action. Nobody ever got fired for buying IBM, but some of them
probably should have been.

~~~
KC8ZKF
IBM? AT&T, more likely. Unix had an 8 character limit long after people knew
better.

~~~
rightbyte
Nothing would surprise me less than banks implementing a bank user accessing
the bank via the website as a Unix user on a system.

------
tracker1
My single biggest issue is weird complexity requirements... let me simply use
a relatively short sentence (15+ characters). If they limited the requirement
to length only + a breach check, that would be enough and encourage a sentence.

"I really like sour grapes." is easy enough to remember and has plenty of
complexity... of course, it gets much harder on a mobile device, this is where
passphrase managers come into play though.
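
The "length only + a breach check" idea in tracker1's comment is essentially what orand's summary of the revised NIST guidance (SP 800-63B) describes: no composition rules, a minimum of 8 characters with at least 64 accepted, and a blocklist of compromised, common and context-specific passwords (NIST also names repetitive or sequential characters). The block below is an added example of such a verifier-side check, not code from any commenter or from NIST. The blocklist, the limits and the user `tracker1` on a service called `acme` are constructed for the illustration; the context check strips digits and symbols before looking for the service or user name, which also addresses stevenicr's observation that guessing attempts include site-specific words with slight variations.

```python
import re

# Constructed limits. NIST SP 800-63B asks verifiers to require at least 8
# characters and to accept at least 64, with no composition rules.
MIN_LENGTH = 8
MAX_LENGTH = 64
TRIVIAL_RUN = 4   # length of an identical or sequential run that gets rejected

# Constructed stand-in for a real breach/common-password list (compared lowercased).
BLOCKLIST = {
    "password", "password1", "123456", "qwerty", "letmein", "winter2020",
}


def has_trivial_run(password: str, run: int = TRIVIAL_RUN) -> bool:
    """Detect 'aaaa', '1234' or 'dcba' style runs (repetitive or sequential characters)."""
    for i in range(len(password) - run + 1):
        codes = [ord(c) for c in password[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def letters_only(text: str) -> str:
    """Lowercase and drop everything but letters, so 'Acme2019!' becomes 'acme'."""
    return re.sub(r"[^a-z]", "", text.lower())


def evaluate(password: str, username: str, service: str) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Checks, in order: length window, blocklist of known-bad passwords,
    context-specific words (service name, username) after stripping digits
    and symbols, and trivial runs. Nothing here demands uppercase, digits
    or symbols: a plain sentence passes on length alone.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if len(password) > MAX_LENGTH:
        reasons.append("too_long")
    if password.lower() in BLOCKLIST:
        reasons.append("blocklisted")
    core = letters_only(password)
    for term in (letters_only(username), letters_only(service)):
        if len(term) >= 3 and term in core:
            reasons.append("context_specific")
            break
    if has_trivial_run(password):
        reasons.append("trivial_run")
    return reasons


if __name__ == "__main__":
    # Constructed candidates for the hypothetical user 'tracker1' on service 'acme'.
    for candidate in ("I really like sour grapes.", "Winter2020",
                      "Acme2019!", "abcd1234", "short"):
        verdict = evaluate(candidate, "tracker1", "acme")
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Note what the ordering buys: `Winter2020` satisfies every classic composition rule and is still rejected because it is on the list, while the sentence tracker1 proposes is accepted with no special characters at all. In a real deployment the blocklist would be a large breach corpus (queried via a k-anonymity range API or kept locally), and the exact-match lookup here would normally be paired with the same letters-only normalization used for the context check.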

~~~
cgriswald
Random words, yes. With random words, you've turned your set of 40 or so
symbols into a set of 150K or so symbols, so it's fine that you've got fewer
of them in your password.

I'm skeptical about actual sentences. With an actual sentence more common
words will be chosen (so a smaller set of symbols), it will have a structure
(no need for an attacker to try, for instance 'noun noun noun noun noun'), and
people will probably choose from more common patterns: "I really hate
arbitrary requirements."

~~~
tracker1
I was just giving an example... there are a nearly infinite number of
sentences out there, even if they share a common structure. That said, it
doesn't have to make sense and I'd be okay with "noun noun noun noun noun" for
that matter. The point is, you hit a point where it's good enough and even
then if you _really_ need more security that's where MFA strategies come into
place.

------
kardos
> I have over 1400 passwords, stored securely in a password manager.

Is the password manager not a single point of failure in this model?

~~~
kevinsundar
Yes but you can protect your password manager with one incredibly secure
password. For example, 20 characters.

~~~
kardos
yes but if you get keylogged while using a pw manager, you lose everything, as
compared to losing one (or a few, depending on how egregious your password
reuse is)

~~~
UncleMeat
If you have malware on your machine you already lose everything.

~~~
kerng
This is not true. If malware runs on your machine and there is no password
manager storing 1400 passwords, the malware cannot pivot to 1400 destinations.
However, if there is a password manager on the device that the malware gains
access to and it would indeed store 1400 passwords in one place, then all 1400
assets are compromised at once.

I think that's what the previous commenter wanted to highlight.

In the end it's about managing risks, I would use different locations for
storing passwords depending on value. Like really important ones go elsewhere
and are not on the device I use everyday for browsing the Internet or reading
email.

~~~
UncleMeat
You'll presumably access those services eventually. And for the huge majority
of people, memorizing a password for an infrequently used service means using
a shitty password.

"Even though the malware has access to my email, which I presumably login to
with frequency, and therefore can perform password resets for many services, I
might notice it and reformat my machine before I login to some other important
service" is not exactly a compelling threat model.

~~~
kerng
The comment didn't talk about memorizing passwords, it's more about storing
password manager files offline for very valuable assets.

It would not be smart to store crypto currency private keys or recovery
passwords on the main computer, for instance.

------
fancyfish
My most memorable policy as an end user was as a consulting client for a huge
bank. On top of the usual length, character type, and password changing
requirements, the password could not use substrings of 3+ characters from any
of your prior passwords.

They were also required to pass a black-box “complexity” algorithm, and the
vast majority of passwords generated by my password manager inexplicably
failed this bar.

So every 6 weeks I would set aside about 20 minutes to generate new passwords
of varying length in my password manager until one would be accepted as the
new password.

~~~
other_herbert
The terrible implication of that is that somewhere the plain text of your
history of passwords was stored.

------
num3ric
Pro tip: circular buffer it. First letter becomes the last every 3 months.

------
mouzogu
I use this time management software at work that forces me to reset my
password pretty much every time I open it.

What I'd like to know; why does this software require such stringent security.
Who wants to hack into my time-sheet and see how many hours I worked on some
boring project.

I also have one password to login to my laptop offline, one to login when it's
online and another to login to work mail as these three passwords are always
out of sync. Very annoying.

------
nkrisc
Companies should provide a password manager solution for their employees, if
they care.

They make us change it every 30-90 days, tell us not to write it down
anywhere, and don't want us to just add '1' on the end, but expect us to
memorize it. I'm not going to pony up my own money for a password manager to
use at work and try to make it work there. I pay for one for my own use and it
stays for personal use.

~~~
vitaflo
Since our company req a password change every 90 days, it's as easy as
appending the season and year to the end of your password. So right now it
would be [password]winter2020. Since seasons are ~90 days long it's easy to
remember and isn't just adding a "1" at the end.

------
gbronner
Most policies don't let you reuse the last N passwords (N is often 5 or 10). So
standard practice is to start or end the password with a digit and increment
it when you are forced to. Better yet, digits are on the top row with the
symbols, so you can knock off 2+ categories without moving your fingers.

Most employees have a sincere desire to do their work with a minimum of fuss,
and this does pretty well.

------
thrower123
Nothing like asinine password requirements, with frequent rotations.
Especially if it has absurdly low login failure counts before the account is
locked and requires manual intervention.

Some services it's easier to just bag their authentication and use the "forgot
my password" method every time like a one-time code. Especially if it's a
rarely used service.

------
duelingjello
I'd say require using one of a list of 2-3 password managers. Then, the user
has a master password that they can change if they want to, and can change
individual passwords with less effort. Allow writing master password on a slip
of paper kept in their wallet for a couple of weeks until they memorize it.

Within the password manager, there needs to be a way to automatically login to
their email account to verify accounts and change lost passwords AND a
standard way (Call it PWMAPI - the Password Management API) to change
passwords non-interactively within every service. Then, with one button in the
password manager, it can change all passwords at once, within a few seconds,
while keeping backups of old passwords in case anything fails. Heck, make it
an automatically scheduled periodic job the user can be notified to do.

__This is how to make things easier.__

------
ineedasername
The surprising thing is that it's _only_ 49%. I kind of think that at least
another 40% are lying, and another 10% only _think_ their new password is
substantially different ("I used uppercase instead _and_ I incremented my
trailing counter from 10 to 11!")

------
the8472
I use a password generator (30 characters, numbers, upper/lower case, special
chars, ...) and upon being forced to generate a new one it somehow ran afoul
of $corporate-policy, probably not exactly the right mix of special
characters. After several tries I gave up and just incremented the old one.

I could have looked up the exact policy and adjusted the generator. But if the
policy rejects passwords with more entropy than most people memorize then I am
not particularly motivated to play along.

The same corporate policy also forbids bcrypt password hashing and suggests
using SHA2 instead because bcrypt is not "industry standard". Offering to use
scrypt or argon2 instead so far has been met with silence.

It makes me question the expertise behind any security the company has.

------
NedIsakoff
The company I work for requires a password change every 60 days and a history
of 9 passwords. Every other password I have in my 1Password so it's ultra
strong and secure (I use a 5 word passphrase). For my login password I just
change the last digit in a loop between 0 and 9.

~~~
pivo
Pro tip: With a history of 9 passwords, change your password 10 times every
time you change it until you loop back to the original. That way you can use
the same password indefinitely.

~~~
epitrochoidal
I tried that one, but it doesn't work when there is another policy that says
you are only allowed one password change per day.

------
stilisstuk
My organisation has disabled built-in password managers in both Firefox (semi
understandable) and Chrome and I assume Edge. So there is that.

I can however install any Firefox extensions I choose. Enterprise Architect is
not security vetted. But ArchiMate is.

Some of this is hard. A lot is theater.

------
PeterStuer
Wonder how many % use the password reset as an effective one-time password
(unless cached) as they can't be arsed to remember the password complexity
rules for every single site thwarting their simple password variations scheme.

~~~
xamuel
For systems with automated password resets sent to email, what even is the
point of a password at all? It literally accomplishes nothing. Just get rid of
the password entirely and make checking email officially a part of the login.

~~~
Wowfunhappy
I find typing in a password (or letting my password manager fill it in) to be
_much_ more convenient than clicking a link in my email.

------
freeAgent
I would be shocked if it was actually that low. Doesn't everyone who's forced
to change passwords every few months simply increment a number or change a
single character?

I'm not afraid or ashamed to admit that this is what I do. However, with that
being said, I _never_ reuse passwords. If my password on any given service
(including work) actually did get hacked, I would change it to something
dramatically different and that would be that.

------
Jach
The other fun requirements that tend to go hand in hand with forced rotation
are max one change every day, and not repeating a previous password. But the
repeating password buffer is usually small. When I still cared I would have
[complexPassword], change it to [complexPassword]0, then for the next 10 days
I'd change it [complexPassword]1..9, and on the 11th day I could change it
back to [complexPassword] and be good for another few months.

------
smaddox
Only 49%? I sure as hell didn't come up with a completely original password
when prompted by a 90-day-expiration. I just incremented the appended number.

------
znpy
I wouldn't rely on strong passwords generated from users.

I'd try to integrate a second factor like physical token like a yubikey or
some otp code.

------
_trampeltier
First, we also have to change our password every 4 months or so.

But keep in mind, you can't use a password manager for logon. There are also
some special accounts multiple people use. The password in this account is
just something like "june.2019".

I guess the best solution would be a card (we anyway have one for the working
hours and pay coffee and snacks) AND a password.

------
tibbydudeza
Windows domain and 13 separate SAP logons for the various products I work on
in Dev, QA and Regression, as single SAP signon either costs too much money or
is hard to get right.

It has become a monthly ritual to reset them all when I get back from holiday
as I have forgotten them after 2 weeks away.

I tried various password managers and they all suck to some degree.

------
swiley
Shared secrets are a _really_ dumb way to handle authentication.

Set up a CA and sign the public keys for machines you provision to employees.
All the tools are there, most software supports it (not the iPhone of course,
although I’m sure there’s a hackish workaround that involves periodically
sending apple money to sign something.)

------
Ididntdothis
I think they should go with fingerprints. I have to change my password every
three months so I reuse the same password with a few numbers incremented. For
a while I created completely new passwords but constantly memorizing them got
really annoying.

That’s the problem with a lot of security recommendations. Often they are very
inconvenient.

~~~
Sohcahtoa82
> I think they should go with fingerprints.

Fingerprints are probably the least secure method of authentication possible.
Picking up your fingerprint off of something you touched and fooling a
fingerprint reader is pretty trivial. And worst, it's not something you can
change, so once your fingerprint is copied, it's compromised permanently.

Fingerprints _should never_ be considered a security feature. _At most_
they're a convenience feature.

------
rootusrootus
I'd bet it's more than 49%, to be honest. Everyone I know does it. Pick a good
password, add a digit to the end, then just increment until it rolls back
around. Ta-da!

Our IT server team has been using Microsoft's best practices from the 90s or
so, and never bothered to modernize.

------
tartoran
I find that we need to reinvent passwords. If you write a long sentence of
twenty words and you miss some letters the passwords should still match
somehow. Currently I can't imagine using long phrases for passwords as a small
change invalidates the whole thing.

------
harimau777
I'm still not entirely convinced that writing passwords down is such a
horrible idea. An opponent who is willing to pickpocket me or break into my
home to steal my password sheet is an opponent who will probably be able to
social engineer their way in anyways.

------
mnm1
Yes and sites that force such changes deserve to get shit passwords, get
hacked, and go the fuck out of business. If they are too stupid to understand
security, they shouldn't run a website. That includes companies like Microsoft
and Amazon that force people to change pw through systems that generally don't
work, fail randomly, and have different criteria for what constitutes a good
pw (depending which m$ server you get, it'll allow proper long passwords or
not). If people are using pw managers changing pw is never necessary. If they
are not it's useless. Either way, it's a nuisance that exists only because of
idiots implementing stupid shit they are too dumb to understand and forcing
the rest of us to jump through their dumb rituals to get LESS security than if
they didn't do any of this stupidity in the first place!

------
paggle
Of course they do. Very few people have the memory to recall different
passwords for every service, with capital letters and numbers and punctuation,
with no dictionary words, changing every 3 months.

------
cm2187
A password manager does no good if it is your windows password, probably the
most important one at work. Employees have to remember it, what else would the
creators of this security policy expect?

------
rs23296008n1
Hey Apple, etc

Whats with the 32 char limit? Are you storing my password in plaintext? Why
are passwords even limited in length?

Warm regards, Some guy who prefers passphrases and is sick of dinky little
passwords

------
CriticalCathed
Guilty. Treating passwords like door codes is an unwise and inappropriate
policy. Ideally every user should have a unique passcode/account that is not
shared.

------
brenden2
When I was forced to do this, I would just change my password 7 times until it
was back to the original one by appending 1 digit/letter each time. Easy
peasy.

------
dragonelite
Usually for work I create a password that looks something like this
________*01 and every time you needed to change it, just bump up the number.

------
AVGProgrammer
The other 51% is lying

------
tomc1985
Oh for fuck's sake, why do people want to make using passwords so difficult?

No I don't want to memorize a unique string of random gibberish for every new
thing I log in to

No I don't want to use your shitty password manager with its half-baked
integrations that leave me hanging 30% of the time

No I don't want to come up with special variants of the passwords I know
because you have some stupid complexity requirement

Nearly every attack short of actually knowing the password can be mitigated
with 2FA, proper hashing+salting, thoughtful lockout policies, and rate
limiting.

Why are there so many people who want security to suck so much?

------
uses
It's strange to me that passwords exist in 2019. Somehow the best practice is
to use a password manager, which is an entire layer of poorly pasted-on UI
that uses hacks to intercept every login you make whether via app or website.
And I'm not saying password managers are bad, they're amazing for security,
it's just odd that password managers are the best thing we have because their
UI is terrible. It seems like these things should be handled at the browser /
device level for universal one-tap login.

------
rb808
My company has started using 2FA for every intranet app, so I have to get my
phone out a few times a day. It's going nuts.

~~~
notlukesky
SAASPASS can AutoFill both the passwords and the Authenticator codes as well.

[https://saaspass.com/](https://saaspass.com/)

------
president
There should really be laws governing security requirements for software
systems just like we have traffic laws.

------
mstade
Guilty as charged. (I guess I shouldn't really write this out on a public
forum. Oh well.)

------
dkaranth
The +1 rule at work is the minor change, isn't it? Password1, Password2, and so
on...

------
fooker
50% of articles, forced to look legitimate, change the statistic by 1%.

------
makz
I just change the number at the end. I'm currently at number 8.

------
otabdeveloper2
49%? Way too low, something's wrong with this study.

------
enriquto
The Diffie-Hellman protocol was published in 1976. Why some places still rely
on passwords more than 40 years later is beyond me.

------
mdip
Reminds me of the first job of my career.

We had a 30-day password reset policy enforced by Active Directory group
policy. I couldn't have told you what rules were required to get the system to
accept the password, but it was well beyond the default/typical AD policy[0]. To
"enhance security", ours included a requirement that none of the prior 10-or-so
passwords could be used, and had a 12-character minimum[1] which, IIRC, also
required setting "Store passwords using reversible encryption"[2]. We allowed
30 bad logins, but a good login had to occur before lock-out or it required
tech staff intervention.

We would have been better off having a non-resetting password policy with a
reasonable minimum length. For the first 9 months of my career, I was top-tier
end-user support[3]. It took about 2 months before I stopped asking people for
passwords. 95% of the time, the password was "MonthNameYearNumber!!!!" with
bangs filling in the rest, i.e. "March19991!!!!!!!!", or some variation.
However, the frequency with which it was _exactly that pattern_ was amazing.
So that gave me 12 tries to get a password. I rarely locked out an account.

As is usually the case ... there's a law of unintended consequences. People
will seek to reduce the friction to getting their job done and aren't great at
assessing risk. In addition, the risk to an individual password is low. Even
the result of a successful breach of a user's password is often not
devastating to the individual who was attacked when that password is a LAN
login (chances are you're _not_ storing your own personal financial
information on your work PC).

One of the odder unintended consequences -- figuring out the appropriate
incantation to generate an acceptable password for the system was ... way more
difficult than it should have been. I'm fairly certain one of our security
tools was just broken. We had something that applied far more strict rules
about password history than what AD could enforce, looking _specifically for_
people using patterns, along with some other _odd_ ones, like "you cannot
repeat the same character", so "umbreLLa" was rejected. They, literally,
reduced the number of possible passwords that a brute-force attack would
require.

There was an interesting bug there -- we discovered that after the account was
created, if only one password was in the password history, it would pretty
much _refuse_ to allow any password that _didn't_ contain half of the
characters, in the same place, as the prior password. Then, future required
password resets would refuse all passwords that were similar to the previously
rejected ones which were used on that account. However, if you used one of
those rejected passwords on an account that _hadn't_ had them rejected on
that first reset, they would be allowed for _that_ user.

I'm guessing they reversed a boolean somewhere (no similar past passwords) and
that the security software stored a history of rejected passwords for future
validation (no idea why this would be done, but then, no idea why it'd be
illegal to duplicate characters), but security ditched all of those products
when AD was upgraded and the tools stopped working. I know one of the reasons
for the odd password rules was that we synced passwords to the Mainframe
accounts, and they had a set of nonsensical rules that were very similar.

[0] If memory serves, default was 10 bad passwords before 1 hour lock-out,
password had to have at least one number, one lower-case and one upper-case
letter with an 8-character maximum and 90-day reset.

[1] I believe there's a study or two that indicates somewhere around 7-10 is
typical for what a person can memorize easily. I've always wondered why. In my
childhood, memorizing a 7-digit or 10-digit phone number for several people
was something everyone did, so it's arguable that people my age have that
ability out of necessity. I wonder what would be found if that were re-done,
today, with people who are too young to remember days before speed-dial. Maybe
it has been: [https://abcnews.go.com/Technology/brain-memory-magic-number/...](https://abcnews.go.com/Technology/brain-memory-magic-number/story?id=9189664)

[2] This sounds horrifying when thinking about passwords in today's terms, but
storing as a password hash resulted in storing a Lan Manager Password hash
which is very low quality (fairly certain this is moderately improved in later
versions of AD but is still able to be enabled).

[3] I remember joking that we were helpdesk staff without phones; our "ticket
system" was voicemail/e-mail. Basically, if the helpdesk couldn't solve it
over the phone, we arrived at a cubicle, often with a screwdriver.

edit: bumped tab and accidentally hit "enter" for a newline ... submitting
before I was done :(
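
Several commenters above describe the same habit (Password1 becomes Password2, or a trailing counter is bumped), and this post describes a similarity filter that misfired. The following is an added example, not code from the thread or from any product it mentions: a defender-side check run at change time, when the user has supplied both the old and the new password, that rejects trivial variations before the new one is hashed. The rules and the two-edit threshold are assumptions.

```python
"""Reject password changes that are only a minor variation of the old one.

Added example, not code from the thread or any product mentioned in it. At
change time the service holds old and new password in memory, so it can
compare them before hashing the new one. Rules and thresholds are assumptions
aimed at the patterns in the thread: bumped counters, case flips, appended text.
"""
import re
from typing import Optional


def _normalize(pw: str) -> str:
    """Lower-case and strip trailing digits/punctuation: 'Password1!' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def _levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) in O(len(a) * len(b)) time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return a human-readable reason if `new` is a trivial tweak of `old`, else None."""
    if new == old:
        return "new password identical to old"
    if new.lower() == old.lower():
        return "differs only in letter case"
    core_old, core_new = _normalize(old), _normalize(new)
    if core_old and core_old == core_new:
        return "same core, only trailing digits/punctuation changed"
    if _levenshtein(old, new) <= max_edits:
        return f"within {max_edits} edits of old password"
    if new.startswith(old) or new.endswith(old) or old.startswith(new) or old.endswith(new):
        return "old password is a prefix/suffix of the new one"
    return None


if __name__ == "__main__":
    # Constructed sample changes; the first three are the "+1" habit from the thread.
    for old, new in [("Password1", "Password2"), ("Winter2018!", "Winter2019!"),
                     ("________*01", "________*02"), ("umbrella", "Umbrella"),
                     ("March1999!!!!", "tr0ub4dor&3 gleeful otter")]:
        print(f"{old!r} -> {new!r}: {too_similar(old, new) or 'accepted'}")
```

The check only sees the plaintext the user just typed; it cannot be run retroactively against stored hashes, which is why a rejected-password history like the one described above is not needed to implement it.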

------
acollins1331
Not trying to set myself to be a target of hacking with this comment, but
what's wrong with that? Why does a password that wasn't hacked need to be
changed a lot? If someone is going to try to break into my account my password
being similar to one I used 6 months ago increases my vulnerability how?

~~~
SQueeeeeL
The point of changing your password is to prevent a password leak from
affecting your system. If an unauthorized user has a password they have access
until it's changed.

If the change isn't meaningful they can continue using credentials.

------
MFogleman
50% write their passwords down in a notebook or sticky note near their
computer[1]

1% use a password manager[1]

[1] 100% of these stats are assumed

~~~
zokier
Notebook is a password manager

~~~
Wowfunhappy
...which stores passwords in unencrypted plain text.

(Admittedly, the database is behind a very strong network firewall.)

~~~
war1025
I don't remember where I read it, but someone advocated for writing down
passwords because people are very accustomed to, and pretty decent at, keeping
physical items safe.

