I just got another "your password will expire in 8 days" notice from my district IT dept.
It's so frustrating that they continue to use such outdated security practices. NIST would like a word.
@AskTheDevil
It's funny you mention this, because there have been several times I can remember where students gained access to the grading system by finding a post-it note with a teacher's login info. Those teachers got raked over the coals, but really it's our IT dept that should be pointing the fingers at themselves, since their bad policies led to the situation.
At least they have a 120-day expiration now instead of 90.
@AskTheDevil
I floated the idea that they should be offering free hardware tokens to people that didn't want to use their personal devices for work 2FA. The idea was not well received.
At least you can use any 2FA app you want, despite them telling us only Duo or Google Authenticator would work.
@AskTheDevil
There's no way for us to use password managers because the same login info needs to be used to get on to any system and then used again for our SSO desktop apps. So the passwords need to be human-memorized.
They started enforcing 2FA apps for all logins last year, which was good, but now makes the password expiry even more useless. Still not enthused that we have to use our personal devices for it. What if someone doesn't own a smartphone?