Site password requirements

Kick back and discuss whatever takes your fancy.
Post Reply
Bottletopman
Posts: 23
Joined: Thu Jan 05, 2017 12:28 am

Site password requirements

Post by Bottletopman » Mon Sep 24, 2018 8:38 am

Is there any way that the password requirements can be more relaxed/outright removed? While it's unlikely that this site is holding data crucial to national security, NIST password guidelines discourage password complexity and periodic password change requirements since users often get around such things by making easy to guess passwords.

I remember at my last job as a contractor, user password policy was something like at least 1 capital letter, number and/or special character and while migrating people over from Win 7 to 10 I had to get their passwords to copy over their stuff - I lost count of how many people had ridiculously easy to guess passwords that one could obtain just by getting friendly with them and asking them questions about things like their kids and how old they were. It also wasn't uncommon for people to simply change the password by one number when passwords reached their ridiculously short 2 month expiration time.

But who cares about what went on at my last job, it's simply quite bothersome. While making this post I just realised that with some sites that enforce incredibly complex password requirements (I remember one particular banking site enforcing 8 characters on passwords, no more, no less) cracking such passwords would be easier given that the attacker would know that passwords would be of specific length and characters.

I guess I'm just ranting since bouncing around different worksites I have had to come up with all sorts of passwords given the silly complexity requirements. At least on this site, I can have a say about it and not get ignored by upper management or something.

Post Reply