Need the opposite costume, the overly eager sys admin.
- wants to force password changes once a month for security
- constantly changing security policies to reflect the flavor of the month
- constantly sends out phishing emails tests, wonders why no one replies to any of his emails
My fucking uni is trying to move to passwordless, but you will always need a password to log onto any lab device, and to the wifi, so why?
Then they have you make it some 12 character length minimum string with mixed case and special characters and dictionary lookup so it isn’t some common phrase but you’re also logging in through a telnet instance onto a Unix system.
Sysadmin: “A clear indication of phishing email is the sense of urgency. We would never send out any email regarding urgent updates that needs immediate action.”
Also sysadmin: “URGENT!!! You must update your system now before Friday!!! Click link here for instructions! Otherwise you will be locked out!”
Spot on. We’re changing XYZ policy and we need everyone to do this training within the week. Wait, why’s no one opening my emails
Then do this to computer-shaped instrument controller systems that have accounts that can not have passwords changed or the application won’t run. Or service accounts, so if you pop in after 6 months, nobody knows the current password and the IT guy only comes in 2 hours/week. And that was yesterday. And no, no contact information present…
- Installs antivirus on servers that wrecks application performance
- installs content filtering proxy that prevents developers from reading “hacking materials” like OWASP documentation
- won’t let developers install anything on their own machines without filing a ticket and waiting 6 weeks
- pushes unannounced antivirus updates that pop up OS security dialogs like “Netscan Antivirus would like to monitor all network traffic. Enter your password to approve”, and is surprised when users don’t enter their passwords.
Your corporate IT guy
Sigh. Their hearts are in the right places…
They usually don’t have a choice. They know this stuff is bad, but they need it to demonstrate compliance with XYZ framework so they can fill out the marketing copy so sales can land a contract with some big customer that wants to know why $competitor has better security than you.
We might work at the same company lmao. My laptop is borderline unusable due to all the monitoring garbage despite having really fast hardware
Password expiration is no longer considered a best practice. FYI.
It was never best practices for anyone who had common sense.
It just forced people to make insecure, easy to remember passwords, cause they were gonna be changed in again soon so why make it complicated and hard to remember.
I know I do this. Add another exclamation mark.
Psh… That’s amateur, I just keep incrementing the number at the end ‘password1’, ‘password2’, etc. Gotta fool the password reuse counter!
Oh really? How come?
NIST removed password expiration from their recommendations in 2020. Instead they recommend only forcing password changes when compromise is suspected.
The main argument is that they do not make users or systems demonstrably safer and encourage bad password habits.
I would imagine most users change their password by only 1 character, and maybe even in sequential order.
When time comes to change the password, it becomes password1234 instead of password123. Or password234. Something easy to remember, most users don’t care about best security practices, and changing to a similar password is very convenient. Especially if it’s “only” for work stuff
The original idea was that you would take how long it took to brute-force a password, then require the password be changed before that. But we have better hashing now, like bcrypt, where you can tune it so that brute forcing anything would take 100s of years.
“What do you mean this password is too short? I use it for everything!”
On the other side of things, don’t you love systems that return “invalid password: password is not unique”?
I bet he also picks up USB sticks from the parking lot and plugs them into his work computer.
Clicks on everything or is too scared to click on anything and never learns how to use the software
wait untill you hear “if i remember correctly my email password was {name} {surname} something @ gmail.com… what do you mean that’s not it? why do i even need a password?”…
Searches for things online by typing it as a post on social media instead of using a search engine as in: “Google what is the weather like today near me?”
You must know my parents 😅
- argv_minus_one ( @argv_minus_one@beehaw.org ) English1•1 year ago
Need a bell curve meme here.
Low end: “Why would I change my passwords?” (Uses weak passwords, clicks on exciting, etc.)
Middle: “Change passwords every 12 seconds!” (Believes in frequent password rotation, weird rules for password complexity, etc.)
High end: “Why would I change my passwords?” (Uses a password manager correctly. Every password is 32+ characters long and unique.)