I’ve been at my job for just under a year and am on my 5th password now. I used to work for a place where the list of passwords you couldn’t use rotated, so I only had to have three slightly different ones. If I forgot what I was using I could try all three before it blocked me for a bit.
When putting in a new password I read all the fine print about what you could use and noticed something for the first time: the new password could not have already been used. I would love to be at this job until I retire but I need to have about 75 new passwords before then!
They say you’re not supposed to write them down anywhere but screw that. I’m updating them in my phone. Password usage sucks.
I just got locked out for 15 minutes. I tried the new password once and it made me receive an emailed code, and then it didn’t like the code and blocked me!
My job requires a password change every 90 days, and you can’t use one of the 99 passwords you used previously. However, I think most people simply use a password that contains a 2+ digit number that you just increment by 1 for each change.
Back when I was still employed, I used a word, a special character, plus numerical month and year, and I’d change it on the first of the month. It worked for me, except the one stupid requirement of no repeated characters, so November became 1! and it all worked out.
At home I just keep a password protected spreadsheet with my passwords. That way, I just need to remember one password.
It sounds highly suspicious that they would know what passwords were used previously. Even if the same password were used by every user, the random salt should make that not obvious to find out.
Mine requires it every 45 days. But since I’ve been working from home, it can’t be enforced because I have to be on the in-office network for it to work. Thus, I’ve had the same password since March.
I’m going to hate going back to work in the office …
I had an issue logging in to a different work site once and called for IT help. They washed all my previous passwords and I got to start at me default main one! I was only on my second one though. Maybe in a few years I can have that issue again and fall back to the first . . .
I got that, but using modern algorithms, in which the clear text password or equivalent is never sent to the server, it should be impossible for the server to find out either thing. Otherwise, if the server can see the password, it should be able to discover both.
With fixed per-user salt all they need to do is hash each PW & save the hashes. If the user chooses a new password whose salted hash matches any previous equally-salted hash, the new PW is rejected.
Sure, due to hash collisions that will occasionally reject a totally fresh password. But given any decent hash algorithm, hash length, and a realistic number of passwords needed per lifetime that issue is negligible. e.g. I need to change work PWs monthly. If I worked there 100 years that’s 1,200 hash-distinct PWs. Even a 64-bit hash output would statistically eliminate hash collisions as an issue for a company of a million employees.
The server is always going to have a list of all of your and the other users’ salts. For example, on a Linux system that uses passwords you can see them in the /etc/shadow file, and nothing is stopping the server from remembering old ones as well. So I think it’s clear – we are both saying this – if the password is ever sent to the server, for example when setting your password, it can hash it using all the stored salts and check for any duplicates.
To prevent this, some other authentication scheme must be used. In any case, if I somehow find out that your current password is TopSecret37, the fact that you are forced to change it after a month will not keep me from guessing TopSecret38. So maybe the frequent changes business is not suitable for highly secure systems and is a bit of security theater.
Not real sure whether this was directed at me and what you meant. I was reacting to your “highly suspicious” part. As you clearly know, bog standard authentication practice is to store only the hash of the current PW, not the raw text. And so the authentication step actually consists of (ignoring salt and data transmission issues for simplicity) “Does the client present a PW hash that matches the stored hash? Yes = access granted, no = access denied.”
I’m still not sure what you think is “highly suspicious” and what you think that suspicion implies.
Yes. Clearly. There is plenty of evidence (far beyond our OP’s lament) that
Almost every user does PWs wrong.
Mandated frequent changes and unique histories are counterproductive to actual security.
Mandated password character set complexity (“mandatory Martian poetry”) is counterproductive to actual security.
Conversely, increasing password length is the best / cheapest entropy on offer that’s even remotely compatible with human memory limitations.
Password managers are the least bad solution to this mess today. Albeit at the cost of creating a single high-impact point of failure.
Mea culpa, ignore “highly suspicious”. The suspicion is it’s security theater, as per your numbered points.
Not at all claiming this makes anything automatically secure, but there are some systems that to access I was asked to provide an ssh public key, not a password at all. I have also used those authenticator tokens, and servers that used Secure Remote Passwords.
I’m a sysadmin and have hundreds of unique passwords of the long and complex and change often format. We use the enterprise version of LastPass that can also generate passwords to meet the security requirements. I rarely need to type a password when using my secure workstation. I also use the consumer version for my home life. And MFA added to Lastpass, AWS, and every where I can find it.