Gawddamn Rules

You do not talk about password club.

If this were a legitimate corporate requirement for a password, then I would do exactly what I (and many others with our company) did in the early ’90s when some power- and security-mad corporate cog tried to mandate similar rules.

Revolt.

Well, in the corporate, “explain why this is a bad idea” way.

Pointing out that NO ONE is going to remember their passwords from month to month. They’re going to resort to writing them down and trying to hide the sticky in their desk, which makes things LESS SECURE. That the person or persons responsible for resetting passwords is going to have a full time job doing nothing BUT changing passwords.

Then sit back and wait for the flood of non-tech-savvy Executives to bang their head against the rule until they see the light, at which point they can proclaim that due to this causing problems ‘company wide’, it needs to be rescinded.

Sadly, I don’t have that kind of clout here.

The password rules belong to DHS, and I don’t even work for DHS but I need access to their system, so I have to play by their encouragement of quadridigited adjectives and nouns.
On the plus side, I definitely have an FBI file now if I didn’t before. :rolleyes:

template:

fuck1this2shit3

password:

3tihs2siht1kcuf

Figured you were dealing with some bureaucratese. Everyone in my agency has a low-level security clearance and even we don’t have to deal with #3.

A relative works for NSA, and their passwords are much simpler than this, actually.

These rules are spectacularly stupid. Very few people will be able to cope without writing the passwords down.

They will decrease rather than increase security.

IT=teh5uxX0rs

There. Perfect :smiley:

What? “x” != “X”!!

I like the way that the samples showing what not to do, such as 22apples, 4588904, xyz123, qwerty and 98xyz123 all fail to conform to either one or both of rule 1 and rule 2 anyway.

Isn’t there some law which states that beyond a certain point of complexity security measures become less effective because people start to cheat the system due to the hassle involved?

My favorite is when password policies prohibit non-alphanumeric characters, and/or are limited to a maximum of eight characters. It makes absolutely no sense to do either of those, yet they’re startlingly common.

ETA: Too late.

Violates rule number 9.

Some older systems aren’t programmed to handle non-alpha passwords and are usually limited to 6 or 8 characters. So the issue there is probably accessing a very old system (even if it does have a snazzy new paint job).

I was going to come in and say this – while I don’t know for sure (:)), my experience is that this sort of password is used by companies who can afford to hire an expensive IT person but not necessarily a good one. Someone who knows security but has no touch with the human side. I’m willing to bet that their requirements included a masters in computer or information sciences. They got an answer that was technically correct and logically fail.

And if it does, there’s always “IT=teh5u><X0rs”

What’s sad is how unnecessary it is. Any sufficiently long & unpredictable password should work.

If my password were <Steve_Kilbey>, someone who knew my musical tastes might guess it, but it wouldn’t be easily brute-force cracked.

OTOH, make it <etienneKilby>, long and obscure.

Of course, I could mash that into <etienK!lb3> easily enough. And next month’s could be <MR3Wil1sn-|r>

Crap. <etienK!lb3> has “tie” in it. Better do <eti3nK!lby> !||$+3@c|.
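As an added illustration of the point made in this post and in the earlier remarks about 6- or 8-character caps (editor's example, not code from anyone in the thread), the Python below puts rough numbers on the passwords quoted above. It uses the naive “length times log2 of alphabet size” estimate that complexity rules implicitly reward, then shows what the same figure looks like when the attacker is assumed to know the word/digit/word/digit template the policy pushes people toward. The 10,000-word dictionary size and the use of printable ASCII punctuation as the “symbol” class are assumptions, not anything stated in the thread.

```python
import math
import string

# Character pools for the naive, class-based estimate. A policy that counts
# "symbols" usually means printable ASCII punctuation (32 characters); that
# choice is an assumption of this example.
POOLS = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)
FULL_ALPHABET = sum(len(pool) for pool in POOLS)  # 94 printable, non-space ASCII


def pool_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    chars = set(password)
    return sum(len(pool) for pool in POOLS if chars & pool)


def charset_bits(password: str) -> float:
    """Naive strength estimate in bits: length * log2(alphabet size).

    This is the figure a 'must contain upper, lower, digit, symbol' rule
    is trying to maximise; it knows nothing about words, names or patterns."""
    size = pool_size(password)
    return len(password) * math.log2(size) if size else 0.0


def cap_bits(max_len: int) -> float:
    """Best possible naive estimate under a maximum-length rule, even when
    every character class is allowed. An 8-character cap is a hard ceiling."""
    return max_len * math.log2(FULL_ALPHABET)


def template_bits(word_slots: int, digit_slots: int, dictionary_size: int) -> float:
    """Estimate when the structure is known: each word is one pick from a
    dictionary and each digit one pick from ten. A word/digit template is
    worth far less than its character count suggests.
    dictionary_size is an assumed figure for the example."""
    return word_slots * math.log2(dictionary_size) + digit_slots * math.log2(10)


def rank(passwords) -> list:
    """Order passwords by the naive estimate, strongest first."""
    return sorted(((round(charset_bits(p), 1), p) for p in passwords), reverse=True)


if __name__ == "__main__":
    # Constructed sample input: the strings quoted in the thread above.
    samples = [
        "Steve_Kilbey", "etienneKilby", "etienK!lb3", "IT=teh5uxX0rs",
        "fuck1this2shit3", "3tihs2siht1kcuf",
    ]
    for bits, pw in rank(samples):
        print(f"{bits:5.1f} bits  {pw}")
    same = charset_bits("fuck1this2shit3") == charset_bits("3tihs2siht1kcuf")
    print(f"reversing the template adds nothing: {same}")
    print(f"ceiling under an 8-character cap: {cap_bits(8):.1f} bits")
    print(f"word/digit template, 10k-word dictionary: {template_bits(3, 3, 10_000):.1f} bits")
```

Two things fall out of running it. The twelve plain letters of “etienneKilby” score higher than the ten characters of “etienK!lb3” despite the latter ticking every box, and reversing the template leaves its score untouched, so a policy that forces substitutions and rotation buys nothing the naive metric can see. The metric also ranks “Steve_Kilbey” above “etienneKilby”, which is exactly the poster's caveat: class counting cannot tell that one of them is a name someone who knows your taste would try first.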

You forgot to mention that the idle time-out settings shall be set at 5 minutes, after which you are logged out and have to sign back in through 3 separate security screens.

So if the phone rings or a coworker talks to you while you are on the system you get kicked out and have to start over again.

Oh, and another great idea where I work is to increase security by limiting access to computers, so there is one computer for 5 people to use, and each of those 5 people must log on to report their activities. If the person who is currently logged on steps out of the room the computer locks up and only they can unlock it. Leaving the only option of re-booting the computer to regain access.

This can and does result in shifts where I spend more time attempting to report my activities than I do actually performing the actions, or it seems that way.

You can’t just move your mouse or tap the space bar to prevent that?