mikestew 4 hours ago

“Finally, the company should have enforced a strong password policy that would have prevented our heroes from finding dozens of accounts with “winter2023!” as the password.”

Capitalize that “w”, and you’ve got a password that will pass most PWD policies. Why do they think it was “winter2023!” to begin with? In 90 days when the PWD expires, well, it will be spring of the next year, so…

The better idea is to require passwords with some real entropy, and get rid of expiring passwords. It’s not 1999 anymore.
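As an added example (not part of the thread, and not anyone's production policy), here are the two approaches mikestew contrasts, side by side in Python: a classic composition-rule check that "Winter2023!" sails through, and a length-plus-blocklist check in the spirit of NIST SP 800-63B that rejects the season+year scheme outright and puts no upper bound on length. The `COMMON_PASSWORDS` set is a constructed stand-in for a breached-password corpus, and the season regex is an assumption about how people write these passwords, not something from the post:

```python
import math
import re
import string

# Added example, not code from the thread. Two password checkers side by side:
# the classic composition-rule policy that "Winter2023!" satisfies, and a
# length-plus-blocklist policy with no composition rules and no maximum length.


def passes_composition_rules(pw: str, min_len: int = 8) -> bool:
    """Typical 'complexity' policy: 8+ chars, one of each character class."""
    return (
        len(pw) >= min_len
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


# Constructed stand-in for a breached/common-password list (assumption; a real
# deployment loads a large breach-derived corpus instead of six literals).
COMMON_PASSWORDS = {"password", "hunter2", "123456", "qwerty", "letmein", "welcome1"}

# Season, optional separator, 2- or 4-digit year, optional trailing symbols:
# winter2023!, Winter_2023, spring-24!!, Fall2025 ...  (assumed pattern)
SEASON_YEAR_RE = re.compile(
    r"^(spring|summer|autumn|fall|winter)[\W_]*\d{2}(\d{2})?[\W_]*$", re.IGNORECASE
)


def passes_modern_policy(pw: str, min_len: int = 12) -> tuple[bool, str]:
    """Blocklist, predictable-pattern check, length floor, no maximum.

    Spaces, emoji and any other character are allowed; only the guess
    space matters. Returns (accepted, reason) so a UI can say why."""
    if pw.lower() in COMMON_PASSWORDS:
        return False, "common password"
    if SEASON_YEAR_RE.match(pw):
        return False, "season+year pattern"
    if len(pw) < min_len:
        return False, "too short"
    return True, "ok"


def random_password_bits(pw: str) -> float:
    """Nominal guess space if the password were drawn uniformly from the
    character classes it uses, i.e. what a composition checker implicitly
    credits it with (and what a password manager actually delivers)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if " " in pw:
        size += 1
    return len(pw) * math.log2(size) if size else 0.0


def season_year_bits(years: int = 30) -> float:
    """Actual guess space of the season+year scheme: 5 season spellings,
    2 casings, `years` plausible years, ~10 separator/suffix variants."""
    return math.log2(5 * 2 * years * 10)


if __name__ == "__main__":
    # The last line of "Winter2023!" is the point: ~72 nominal bits, ~12 real ones.
    for pw in ["Winter2023!", "Spring2024!", "hunter2", "631U)VN0Onl?",
               "correct horse battery staple"]:
        print(f"{pw!r:32} composition={passes_composition_rules(pw)!s:5} "
              f"modern={passes_modern_policy(pw)} "
              f"nominal_bits={random_password_bits(pw):.0f}")
    print(f"season+year scheme, actual guess space: {season_year_bits():.1f} bits")
```

Run it and the table shows why expiry plus composition rules produces exactly the thread's failure: "Winter2023!" and its 90-day successor "Spring2024!" both pass the composition check while sitting in a space of a few thousand guesses, whereas "631U)VN0Onl?" is rejected by nobody and "correct horse battery staple" is rejected only by systems that ban spaces.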

alt227 2 hours ago | parent | next [-]

Expiring passwords are one of my biggest gripes, and I still see them everywhere.

black6 4 minutes ago | parent | next [-]

Due to corporate IT working its fingers into everything vaguely computer related, I now have to annually change the passwords that operators use to log onto the HMIs on my OT network (which has no connection to the greater Internet.)

That means I now get calls after hours for a couple weeks (allowing for all shifts to cycle through) from operators who are locked out of their ops stations. I can't send the password via email, obviously, and word-of-mouth is inconsistent at best. So I'm left with the sticky note under the keyboard or stuck to the monitor, which the operators won't read anyway.

grg0 2 hours ago | parent | prev | next [-]

Expiring passwords and length limits. Why can't my password be 5KB long? My password manager has no limits. Are people storing them in plain text in 2026?

ryandrake an hour ago | parent | next [-]

And content limits. Why can't my password contain the % character? No special characters? What makes a character "special"? Why can't it contain emoji? So many password systems go to great lengths to remove potential entropy and randomness from passwords with their rules. The usual excuse is "blah blah blah legacy systems" which is not a good reason.

fph an hour ago | parent [-]

Personally, I wouldn't use anything beyond ASCII in a password. I don't want encoding bugs to lock me out of my encrypted partition or bank account, thank you very much.

sgc an hour ago | parent | prev | next [-]

I ran into a website for work that would let you create a long password, but silently truncate it to 12 characters before saving. Mind boggling.

halJordan an hour ago | parent | next [-]

This is the best. Especially when the password is being autotyped by the pw manager and so you never see the truncation and now have a bad pw saved in your manager. Alongside a restrictive password policy with no ui explaining what the policy is.

j4k3 an hour ago | parent | prev [-]

This happens on some HP printers too, the web interface lets you happily enter lengthy passwords, but doesn't bother telling you it truncated the entry at 16 or 12 characters.
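The silent-truncation bug sgc and j4k3 describe, reduced to the smallest thing that shows the damage, as an added example that is not code from the thread or from any vendor mentioned in it. SHA-256 stands in for the password hash only to keep the demo dependency-free (a real system uses argon2id, scrypt or bcrypt; bcrypt in particular truncates input at 72 bytes, which is the same class of problem). `MAX_LEN` and the function names are assumptions for the demo:

```python
import hashlib
import hmac
import os

# Added example, not code from the thread. Shows what truncating a password
# before hashing does to the stored credential, and two non-silent alternatives.
# SHA-256 is a stand-in for a real password hash (argon2id/scrypt/bcrypt).

MAX_LEN = 12  # the backend limit the UI never mentions (assumed for the demo)


def hash_truncating(pw: str, salt: bytes) -> bytes:
    """Buggy: silently drops everything past MAX_LEN before hashing."""
    return hashlib.sha256(salt + pw[:MAX_LEN].encode()).digest()


def hash_full(pw: str, salt: bytes) -> bytes:
    """Fixed: hash the whole input; no length limit at all."""
    return hashlib.sha256(salt + pw.encode()).digest()


def register_strict(pw: str, limit: int = MAX_LEN) -> None:
    """If a backend limit truly cannot be removed, refuse loudly at
    registration instead of accepting and then discarding input."""
    if len(pw.encode()) > limit:
        raise ValueError(f"password longer than {limit} bytes is not supported")


def accepts_at_registration(pw: str, limit: int = MAX_LEN) -> bool:
    try:
        register_strict(pw, limit)
        return True
    except ValueError:
        return False


def verify(stored: bytes, salt: bytes, attempt: str, hasher) -> bool:
    return hmac.compare_digest(stored, hasher(attempt, salt))


def authenticates_as(hasher, enrolled_pw: str, attempt: str) -> bool:
    """True if `attempt` logs in to an account enrolled with `enrolled_pw`."""
    salt = os.urandom(16)
    stored = hasher(enrolled_pw, salt)
    return verify(stored, salt, attempt, hasher)


if __name__ == "__main__":
    enrolled = "correct horse battery staple"
    for attempt in ["correct hors", "correct horse battery stapl3", enrolled]:
        print(f"{attempt!r:34} truncating={authenticates_as(hash_truncating, enrolled, attempt)!s:5} "
              f"full={authenticates_as(hash_full, enrolled, attempt)}")
    print("strict registration accepts 28-char password:", accepts_at_registration(enrolled))
```

With the truncating hasher, any string that agrees on the first 12 characters authenticates, so the attacker's search space is 12 characters regardless of what the user typed, and the password manager's stored copy (as halJordan notes) is the one that "works" only because the server threw the rest away.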

mschuster91 an hour ago | parent | prev [-]

I wouldn’t trust enterprise internet security boxes to not trip on such long text fields.

wpm 2 hours ago | parent | prev [-]

My company does it to our phone passcodes. 90 days.

mikestew an hour ago | parent | prev | next [-]

Replying to my own post: wait a minute, why are there so many accounts with the same password in the first place? Oh, because "dozens" of people are tired of changing their password every 90 days, and someone piped up on an email thread (with the subject line: "Changing passwords all the time is bullshit!", I'm sure) and said, "I just set it to $SEASON$YEAR'!'. Easy to remember, fits the policy."

And now you have a system that is far less secure than if you just ditched the expiration policy to begin with.

Xeoncross 4 hours ago | parent | prev | next [-]

1. Open a web browser and do a search

2. Read until you find a sentence that you like.

3. Use it as your password

raffraffraff 3 hours ago | parent | next [-]

How about mixing up band names? Take the end of "Florence and the machine" and mix it with the start of "Rage against the machine" and you now have the totally unguessable "Rage sharing the machine". It's a different machine see?! Nobody would know that!

NopIdoN 2 hours ago | parent [-]

The The but the first The is from The Who

ChrisRR 3 hours ago | parent | prev | next [-]

I like the last line of your comment

My password is now password

daredoes 2 hours ago | parent | next [-]

Should have been "use it as your password"

nickweb an hour ago | parent | prev | next [-]

That's cool. Yours comes up as stars (*). Must be a HN thing.

hnthrow10282910 3 hours ago | parent | prev [-]

Hacked

glitchc 3 hours ago | parent | prev [-]

Not enough numbers or special characters usually.

lukan 2 hours ago | parent | next [-]

Use one specific special character/number as word separator.

chopin 3 hours ago | parent | prev [-]

I loathe two things in password requirements: special characters and not allowing spaces. C'mon, it's 2026. Require 20 characters and call it a day.

Xeoncross 2 hours ago | parent [-]

"password is too long, max length..."

(╯°□°)╯︵ ┻━┻

Volundr 2 hours ago | parent [-]

I couldn't decide which sentence of Alice in Wonderland was my favorite, so I just used the full text.

samrus 3 hours ago | parent | prev | next [-]

I swear, if the ghouls running things had a bit more decency and allowed people to actually access and control their passkeys, then that would be the future; everyone would adopt it. The experience is so nice with key pair exchange for SSH. It's just that there I have the security of knowing exactly where my secret is and how I can manage it; it's just a file and I can move it like a file.

Nobody wants the risk of getting locked out because of Apple and Google's walled garden bullshit.

James_K 2 hours ago | parent | prev [-]

Letting users pick their own passwords has always been a mistake. If passwords are needed, the system should choose them.

NopIdoN 2 hours ago | parent | next [-]

Just directly give them a post-it for their monitor.

kg 2 hours ago | parent | prev [-]

As a person with memory issues, this is a recipe for me writing a password down where somebody else can probably find it.

ryandrake an hour ago | parent | next [-]

If your machine or service is connected to the Internet, 631U)VN0Onl? written on a post-it note is generally going to be better than hunter2 not written down.

fouc an hour ago | parent | prev [-]

but post-its are vulnerable to the wrench attack!