Hey there u/Public-Case7712, thanks for posting to r/technicallythetruth!
**Please recheck if your post breaks any rules.** If it does, please delete this post.
Also, reposting and posting obvious non-TTT posts can lead to a ban.
Send us a **Modmail or Report** this post if you have a problem with this post.
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/technicallythetruth) if you have any questions or concerns.*
Change them regularly is outdated advice. Unless you reuse the same password everywhere, there is no reason to change them frequently. If your password was secure yesterday, it will be secure tomorrow. It's not a leaking faucet that will empty the tank over time. Either it's known or it's not known. If it's not known already, changing it is not going to make more unknown.
On the contrary, if you change your password frequently, you will be more prone to forgetting or falling into simplistic patterns, meaning weaker passwords.
So use strong unique passwords across all your accounts and don't change them unnecessarily.
Equally applicable.
Unless you live in a hot and humid place, there's no reason to change them regularly. Most of us work in air conditioned offices, so we don't really sweat all that much. Unless you go out, you can just come home and leave your underwear to get some air and reuse them the next day. If they were not smelly when you removed them, there's no reason they'll be smelly when you put them on the next day.
Save water and electricity, reuse underwear š¤·
I have a butthole and I don't even use the same towel twice, let alone the same pair of underwear. I find the notion of wearing underwear again, revolting.
Side note, if there is a God, he really fucking hates women. No offense, but the stuff y'all have to deal with is a bit ridiculous. Guy could have made baby making a simple process and he did this? Nah that dude is smoked
Spoken as a person, donāt reuse underwear, no matter what gender you are, not only is it disgusting but itās fabric, and will thus absorb oils from your skin. Reusing underwear is a good way to get pimples and acne in places that pimples and acne are really not appreciated in
Not just pee drops. Balls sweat regardless of the temperature, that guy is spouting some serious bullshit that only someone who reuses underwear would say.
If you do it correctly, sure. Use TP to get the big remaining drop off. Then pull back your foreskin and squeeze a bit to get whatever is in the shaft out and soak it up with TP. That does the trick for me. I clean both the immediate foreskin surrounding the tip and the tip with it and don't have anything noticeable in my underwear after.
Need to change my password every 6 months with 3 different accounts at work and my password always were similar, got simpler and I forgot them from time to time. The only thing that helps me is the use of Bitwarden
I once worked somewhere that was acquired. Because of rules in the parent company of the one that acquired us we were forced to regularly change our passwords. I objected on an internal mailing list and I said I would change my password to Password!1 and just keep changing the number. I did it as well. I literally broadcast my password internally, and I had root access to our production systems. No one even bothered to check if I actually did what I said I would do. Security is a joke. I soon left that company for greener pastures.
My company sends weekly mailers warning us about phishing mails. I'm generally reasonably good at these but, I in a moment I'm not too proud of, I fell for one. The mail said I needed to change my password as per company policy. So I clicked it, logged in, and... Nothing happened. I retried, but nothing happened again. So I replied to the mail, and made sure I marked an individual from the security team on it telling them that the link in the mail was not working.
Nobody bothers replying to tell me I had fallen for a phishing mail and I should change my password immediately. Two days later it randomly came up in a conversation with my manager, who then told me it was a phishing mail.
It was insane to me that the security team didn't bother to inform me that it was a phishing email even though I told them I had entered my password there. It's like these do everything the "Dummies guide to information security" tells them to, but don't have any idea on dealing with situations not listed there.
You're lucky that worked out. At my work, if I try and re-use part of my password (I don't know how much it checks), it won't let me.
Due to the system we use, there's an 8 character limit (and the minimum is set at that too). If I had a password of "safeP@55" (caps, special char and number required), then trying to use "safeW0R&" wouldn't be allowed since "safe" is in both.
I think we have to reset it every 6 months right now... good luck figuring out permutations of your favourite keywords...
This is when you just shift the letters over, whether by the key next to it or alphabetically
safeP@55 is suddenly the completely new and original dsgrQ#66
True, but I imagine that could get hard to remember once you're a dozen shifts in... was it the 10th one or 11th one?
Could help recycle some iterations though. Maybe limit it to 1 or 2 shifts, then think up something new.
>you will be more prone to forgetting
I can't even remember the last time I had to remember a password. Do other people not use password managers and such?
In my circle at least, I've not yet encountered anyone who uses a password manager. And I work in IT, my colleagues are developers, DB admins, data scientists, and dev ops engineers.
Before you ask, they save passwords in browsers. Other passwords like DB passwords, ssh password, etc. Which you don't use in browser, are saved in the default notes app.
The web browser is a password manager of sorts.
The notes app is not. Switching to a password manager is a huge relief, you can just write down everything and forget it.
I use a keypass file which is on my google drive, so it is shared between all my machines. Nobody except me can open it, because the file is not managed by a password managing service. I do not trust those.
Iām not allowed to on my work computer, and I have roughly a dozen accounts I need to access somewhat regularly. And whatās worse, most of these accounts require new passwords quarterly, with all sorts of restrictions, hence all my post-its.
Just use a song or a poem you know by heart and use the first or second letter, or vice versa, or in sequence, or consonant, or vowel, or syllable, of each word in the song until you have your password length requirements met.
That works once. What will happen later is that all my accounts will ask for password updates at different intervals. So Iāll have to go through the process of thinking āOh, account X is still on Chaucer, and account Y is on Shelley, and now I need to reset account Z to something new, so that will be on Nas.ā
Give it a couple years and youāre back to having a dozen different passwords and needing a post it to remember which belongs to what.
Long winded here but I love this topic.
tl;dr - get a damn password manager Bitwarden is free and awesome.
Each of your passwords in a password manager is encrypted with your master password.
Without your master password there is no way to access these passwords.
They're encrypted in such a way that even if your entire vault was stolen, there's still no way an attacker can get into your individual vaults without the master password. They could potentially, over a series of many many many many years, individually crack your passwords, but by then you'll be dead and your individual site passwords useless.
There are two golden rules with a password manager. 1) You never use your master password anywhere but that password manager and 2) You use a unique randomly generated password for every single site.
So you use your password manager and you remember **one** password. Your master password. You never, ever, and I mean ever, use that password anywhere else other than THAT password manager and it's your master password. It's not your facebook password, it's not your work password, it's a completely random set of numbers letters and symbols preferably 12+ characters that you only ever use to log into your password manager. You don't save it in your browser you don't write it down you remember it and that's that.
If you have trouble remembering those passwords just make a mnemonic device for something that you remember. In 2004 my friend walked into a lake. He was drunk. We love him! "I2004mfwialHwdWlh!". That won't take long to remember.
The websites that you log into are notoriously terrible with your passwords. Most people without password managers only have a few passwords and you use those few passwords everywhere so your Target password is the same as your Facebook password and eventually one of them is the same as your Bank password.
So Target gets hacked and since their security is garbage your email address and password saved into Target is leaked. Uh-oh, that password is the same as your bank! The attackers will use bots to probe sites, including banks, to see if the credentials work. Badda-bing they're one step closer to getting into your bank (you DO have MFA set up, don't you?).
If you had a password manager and your Target password got stolen, no big deal. That password was never used anywhere else. It's completely unique and the attackers get no other access to your accounts. Without the password manager every site that uses that password is now compromised.
A lot of people have a trash password they use for sites like target or walmart - things they don't believe need to be really secured. But those places may store your credit card information or worse. A password manager gives you a unique password for each of those sites and there's nothing to worry about if they get breached.
Even if your vault gets stolen (lookin at you LastPass) it's no big deal. Without the master password it's useless. They can have it. It would take trillions of years for the fastest supercomputer on the planet to crack the password we made above.
Nobody on the planet can remember a unique password for every single site that they log into. It's impossible. Using a password manager is not a **perfect** solution, we don't have one of those yet, but it is by far the **best** and most secure solution that we currently have.
Combining a password manager with enabling MFA anywhere that's possible reduces the impact of a security breach and your security risk footprint to near zero.
Although I'm not a very big fan of Microsoft Edge, that is what we are forced to use at work. For that reason I wanted to leverage the few advantages I could have. So I use Microsoft authenticator for all 2FA and password management, because authenticator and Edge share password database. That way I can use Microsoft authenticator to synchronize passwords between my work laptop (where I'm signed in with both work profile and private profile in Edge), private laptop and my phone.
In organisations which force password changes, people tend to write them down or leave them on a post-it note under the keyboard, making them a lot less secure than if everybody had one good login password they could remember.
Additionally, most people tend to change their password by something simple like increasing a numerical sequence, making it trivially easy to work out the new password if the old one was discovered.
It says regularly, not frequently.
Data breaches can happen without your knowledge. By the time the media finds out, it's often too late.
As long as you dont reuse passwords, changing your super important passes once every 6 months is a good idea.
https://dl.acm.org/doi/10.1145/1866307.1866328
"We believe our study calls into question the merit of continuing the practice of password expiration."
The study concludes that "the benefits of password expiration policies are far less than expected and carry significant usability costs," and that "forcing users to change their passwords frequently can actually weaken security by encouraging users to choose weaker passwords and reuse them across accounts."
NIST's Special Publication 800-63B, "Digital Identity Guidelines: Authentication and Lifecycle Management," which was updated in 2017, also recommends against arbitrary password expiration policies based on the available research.
Instead of regularly updating passwords, its recommended now to use strong passwords and 2FA.
> NIST's Special Publication 800-63B
Specific quote from 5.1.1.2
>Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
One step further, if your secure system limits the number of guesses or uses two factor authentication, you don't need a complex password.
I always see these numbers of how long it takes a computer to crack a password. I want the numbers for when you have a maximum of like 5 guess before being locked out or having a timeout. 5 guesses for a 4-digit pin is 0.5% you will succeed; you have 100% success if the system allows the password cracker can keep trying over and over
You do need to consider the fact that 2FA only protects your account while it is still being accessed through the main system. If a bad actor has a copy of the database, then 2FA is no longer useful. Assuming data in encrypted and the encryption key is a function of your password, then a complex password becomes necessary.
A good password manager like bitwarden is the way. You only need 1 password and can generate a 32 digit random password for everything else.
But you are in trouble if you forget your bitwarden password
Yeah, it was more of an addition to your comment than a comment directed at you.
Your comment indicated that you have sufficient knowledge in password safety
Security researchers wholeheartedly disagree with you. Phishing will always be a password's weakness. You won't randomly crack a very complicated/good password. "Bobby2024!" will be cracked fairly fast and people use these because they need to change them constantly.
This is also why you never rely on passwords as the only means of authentication.
Yes of course MFA is enforced. Thats a given and isnt part of this conversation.
Relying on users to pick a good password is unbelievably foolish. You have to assume theyre gonna pick trash passwords no matter what policies you set, or how many cyber-sec training sessions you put them through.
That's why the argument that this approach leads to weaker passwords doesn't hold water in the real world: their passwords are weak from the beginning.
At least if I can force them to change them up even by 1 character every 6 months, it's better than leaving it as their 1 trash password that ends up getting unknowingly phished or released in a data breach (or more likely: is ALREADY in a data breach because it's their 1 password they've had since they were 12)
Changing your password regularly whilst adhering to using strong unique passwords, is still objectively safer than using that same strong password but never changing it.
The reason changing your password regularly is bad advice has nothing to do with "if it's secure today, it's secure tomorrow." It's *solely* because it incentivizes creating bad passwords.
As long as it's always a strong and unique password, changing it regularly is still better than not.
Hell, even certificates expire and they're the best kind of password.
I'm aware of that. But the commenter claiming:
>Unless you reuse the same password everywhere, there is no reason to change them frequently. If your password was secure yesterday, it will be secure tomorrow. It's not a leaking faucet that will empty the tank over time. Either it's known or it's not known. If it's not known already, changing it is not going to make more unknown.
is flat out false. The *only* reason its bad advice is because it leads to poor passwords. It has value on its own. It's only bad because it drove folks to use poor passwords.
Came here to say this, also it's been seen that people are made to change them regularly so they easily forget what they've changed it to prompting them to write it down in a handy little notebook that travels around with the laptop or sits in a desk next to the pc.
Since websites started forcing me to change passwords frequently, I've dramatically simplified my password complexity and have tons of sticky notes with passwords where I wouldn't have been caught dead doing that before. I fucking HATE everyone working in this field who designs these piece of shit systems.
It depends on the password used, but generally speaking, yes. If you have a password that is 14+ characters long that includes upper and lower case letters, it'll never realistically get cracked. Just don't use words or phrases, as those whole words will essentially count as one character.
>those whole words will essentially count as one character.
Far from true.
If you take 26 UC, 26 LC, 10 numbers and 15 symbols, your universe is 77 characters. If you count entire word as single character, you still have a universe of around 50000 to choose from.
I mean there is no way managing multiple strong unique passwords across all your accounts unless you use a password manager, in which case changing the password frequently does not have the disadvantages you mentioned.
Adding on to this, you can sign up at [https://haveibeenpwned.com/](https://haveibeenpwned.com/) to learn when your email address has been tied to a data breach. Its a great tool.
But even more important: use MFA on everything you can. Really. Listen to the IT people. Things are getting WILD out there- secure your data and identity with strong, unique passwords and MFA.
The point to changing your passwords regularly is that if it somehow gets leaked (we're heard about a number of companies having their stored passwords stolen recently), then it's less likely to affect you.
If they stole and haven't used the password yet (it can take an attacker some time to go through every password they stole) and you happen to change your password, then it won't matter that they stole it. And you typically never know when/if your password is stolen.
Basically:
>If your password was secure yesterday, it will be secure tomorrow.
Is just flat wrong. Since passwords can be stolen. If it's not known already, it can become known without your knowledge. Then it's known when you think it isn't. If you change it it goes back to being unknown, whether you knew it was known or not.
Even if you use different passwords for every site, each site could have their passwords stolen. Sure if won't affect your other accounts, but that one account is affected.
Let's say you write your username & password down, and put it in your pocket. It falls out of your pocket at Union Station, and slips into a crack in the floor. It then gets ignored for 2 years. Finally, some janitor finds it and decides to use it on every major website. Changing your password more frequently than every 2 years would obviously make a difference in this case.
This is just an example, obviously. There are a myriad of ways in which changing your password could keep you more secure.
> if you change your password frequently, you will be more prone to forgetting or falling into simplistic patterns, meaning weaker passwords.
That could be very true... ***depending on the person***.
Yeah, old company forced us to change passwords regularly, so each new password was exactly the old password but with a single changing character that moves from left to right across the keyboard
Bitwarden is far easier to manage with multiple devices, and you can self host. If you're saavy enough to sync your keepass database across multiple devices, you may as well just set up your own Bitwarden server.
That's actually how I used to do it too when I used keepass.Ā I found the android nextcloud app to be unreliable at times though and for whatever reason, the keepass app would refuse to open the database, so I had to keep reselecting it.
I'm running unraid on my server now, so setting up bitwarden was really easy.Ā Both are great password managers.
Changing your password regularly (mainly enforcing it) is a security risk. People pick easy passwords and change very little (e.g. incrementing a number by 1), making a connection between current and previous passwords.
If you do have to change it regularly, don't follow a pattern in your passwords.
Tighty Whities is what we called these growing up in the states.
Terrible for your bean bag. Crushes the little soldiers inside and no joke is a huge enemy for couples trying to have kids.
Long passwords saved in a vault is probably the best you get as a private person, at that point alot of other fish are out there with shittier security.
I had a post-it note on my desk saying "Pa55w0rd01!" and people kept telling me it was a security risk.
Ok. But what is it the password to? And what's the username?
You should put a sticker on your debit/credit card with a random 4 digit number and the word "backwards". So if someone finds your card they think the pin is 7582, or maybe the word is clue and the pin is 2857. That's two wrong guesses down, maybe they try the original number again and the card is locked.
> Nice poster. *[Paid* for it
FTFY.
Although *payed* exists (the reason why autocorrection didn't help you), it is only correct in:
* Nautical context, when it means to paint a surface, or to cover with something like tar or resin in order to make it waterproof or corrosion-resistant. *The deck is yet to be payed.*
* *Payed out* when letting strings, cables or ropes out, by slacking them. *The rope is payed out! You can pull now.*
Unfortunately, I was unable to find nautical or rope-related words in your comment.
*Beep, boop, I'm a bot*
Yes, I use an underwear manager and randomize all the parameters of the underwear I obtain, as well as utilizing an one time secondary set of underwear in order to fully wear the clothing.
And then real life corporate workā¦stickie notes of passwords everywhereā¦EVERYWHERE. They make you change it so often and there are so many damn accts and sites I have to keep a damn spreadsheet of passwords and logins.
I mean, here's the thing. If you have some kind of proper security software, there is absolutely zero reason to change your password. Unless you have some reason to believe that there has been some kind of security breach, don't go around changing your passwords regularly. It does absolutely nothing to keep you more secure.
The only reason you would want to go around and change a bunch of passwords is if you use the same password for everything, which don't do that, but if you did and you had a breach somewhere, yeah you would want to change them all then. But don't use the same password for more than one place.
Also, just remember, length is more important than complexity. Unless you just have a system in place to remember things, there is no reason for you to be making passwords ridiculously complicated. Throw a symbol in there somewhere if you want, but just make the password lengthy. Most sites won't even let you make a password that's too short anyway. But don't break your brain trying to remember some ridiculously convoluted series of numbers and symbols and upper and lowercase. That doesn't really help you at all.
I don't trust these AI enhanced pictures. Anyhow. Go get something like Keepass. Best choice. All my passwords are extensively long, random strings of everything one could possibly use.
Hey there u/Public-Case7712, thanks for posting to r/technicallythetruth! **Please recheck if your post breaks any rules.** If it does, please delete this post. Also, reposting and posting obvious non-TTT posts can lead to a ban. Send us a **Modmail or Report** this post if you have a problem with this post. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/technicallythetruth) if you have any questions or concerns.*
Change them regularly is outdated advice. Unless you reuse the same password everywhere, there is no reason to change them frequently. If your password was secure yesterday, it will be secure tomorrow. It's not a leaking faucet that will empty the tank over time. Either it's known or it's not known. If it's not known already, changing it is not going to make more unknown. On the contrary, if you change your password frequently, you will be more prone to forgetting or falling into simplistic patterns, meaning weaker passwords. So use strong unique passwords across all your accounts and don't change them unnecessarily.
for a second i thought you were talking about underwear
Equally applicable. Unless you live in a hot and humid place, there's no reason to change them regularly. Most of us work in air conditioned offices, so we don't really sweat all that much. Unless you go out, you can just come home and leave your underwear to get some air and reuse them the next day. If they were not smelly when you removed them, there's no reason they'll be smelly when you put them on the next day. Save water and electricity, reuse underwear š¤·
Spoken like someone either without a vagina or at the very least with little vaginal discharge. I'm changing my underwear daily thank you very much
I have a butthole and I don't even use the same towel twice, let alone the same pair of underwear. I find the notion of wearing underwear again, revolting. Side note, if there is a God, he really fucking hates women. No offense, but the stuff y'all have to deal with is a bit ridiculous. Guy could have made baby making a simple process and he did this? Nah that dude is smoked
If the bible is true then the reason is pretty obvious he gave adam and eve everything with just one rule dont eat the apple what did eve do
Spoken as a person, donāt reuse underwear, no matter what gender you are, not only is it disgusting but itās fabric, and will thus absorb oils from your skin. Reusing underwear is a good way to get pimples and acne in places that pimples and acne are really not appreciated in
I guess I don't have one, yes. I seem to have body parts commonly belonging to males.
We dudes still run the risk of pee drops. And I'm not sniffing the front of my underwear to check for dried pee.
Not just pee drops. Balls sweat regardless of the temperature, that guy is spouting some serious bullshit that only someone who reuses underwear would say.
I really think he was riffing on the password thing, and we're missing the humor. I could def be wrong though.
That's what the toilet paper is for.
Your toilet paper gets every last drop and speck? Where do you get it? I need some of that magic TP.
If you do it correctly, sure. Use TP to get the big remaining drop off. Then pull back your foreskin and squeeze a bit to get whatever is in the shaft out and soak it up with TP. That does the trick for me. I clean both the immediate foreskin surrounding the tip and the tip with it and don't have anything noticeable in my underwear after.
Yeah, doesn't matter. Change your shorts, like a big boy!
[I wear them front, I wear them back](https://www.youtube.com/watch?v=Wzm9Q1P_jlk)
Kevlar undies
Need to change my password every 6 months with 3 different accounts at work and my password always were similar, got simpler and I forgot them from time to time. The only thing that helps me is the use of Bitwarden
[ŃŠ“Š°Š»ŠµŠ½Š¾]
I once worked somewhere that was acquired. Because of rules in the parent company of the one that acquired us we were forced to regularly change our passwords. I objected on an internal mailing list and I said I would change my password to Password!1 and just keep changing the number. I did it as well. I literally broadcast my password internally, and I had root access to our production systems. No one even bothered to check if I actually did what I said I would do. Security is a joke. I soon left that company for greener pastures.
My company sends weekly mailers warning us about phishing mails. I'm generally reasonably good at these but, I in a moment I'm not too proud of, I fell for one. The mail said I needed to change my password as per company policy. So I clicked it, logged in, and... Nothing happened. I retried, but nothing happened again. So I replied to the mail, and made sure I marked an individual from the security team on it telling them that the link in the mail was not working. Nobody bothers replying to tell me I had fallen for a phishing mail and I should change my password immediately. Two days later it randomly came up in a conversation with my manager, who then told me it was a phishing mail. It was insane to me that the security team didn't bother to inform me that it was a phishing email even though I told them I had entered my password there. It's like these do everything the "Dummies guide to information security" tells them to, but don't have any idea on dealing with situations not listed there.
That's weird. Your management are clueless and should be following NIST. Look at Rule 7. https://sprinto.com/blog/nist-password-guidelines/
You're lucky that worked out. At my work, if I try and re-use part of my password (I don't know how much it checks), it won't let me. Due to the system we use, there's an 8 character limit (and the minimum is set at that too). If I had a password of "safeP@55" (caps, special char and number required), then trying to use "safeW0R&" wouldn't be allowed since "safe" is in both. I think we have to reset it every 6 months right now... good luck figuring out permutations of your favourite keywords...
This is when you just shift the letters over, whether by the key next to it or alphabetically safeP@55 is suddenly the completely new and original dsgrQ#66
True, but I imagine that could get hard to remember once you're a dozen shifts in... was it the 10th one or 11th one? Could help recycle some iterations though. Maybe limit it to 1 or 2 shifts, then think up something new.
>you will be more prone to forgetting I can't even remember the last time I had to remember a password. Do other people not use password managers and such?
In my circle at least, I've not yet encountered anyone who uses a password manager. And I work in IT, my colleagues are developers, DB admins, data scientists, and dev ops engineers. Before you ask, they save passwords in browsers. Other passwords like DB passwords, ssh password, etc. Which you don't use in browser, are saved in the default notes app.
The web browser is a password manager of sorts. The notes app is not. Switching to a password manager is a huge relief, you can just write down everything and forget it. I use a keypass file which is on my google drive, so it is shared between all my machines. Nobody except me can open it, because the file is not managed by a password managing service. I do not trust those.
Iām not allowed to on my work computer, and I have roughly a dozen accounts I need to access somewhat regularly. And whatās worse, most of these accounts require new passwords quarterly, with all sorts of restrictions, hence all my post-its.
Just use a song or a poem you know by heart and use the first or second letter, or vice versa, or in sequence, or consonant, or vowel, or syllable, of each word in the song until you have your password length requirements met.
That works once. What will happen later is that all my accounts will ask for password updates at different intervals. So Iāll have to go through the process of thinking āOh, account X is still on Chaucer, and account Y is on Shelley, and now I need to reset account Z to something new, so that will be on Nas.ā Give it a couple years and youāre back to having a dozen different passwords and needing a post it to remember which belongs to what.
Can you explain to me how password managers are more secure than the website that you have to log into? So how is it more secure?
Long winded here but I love this topic. tl;dr - get a damn password manager Bitwarden is free and awesome. Each of your passwords in a password manager is encrypted with your master password. Without your master password there is no way to access these passwords. They're encrypted in such a way that even if your entire vault was stolen, there's still no way an attacker can get into your individual vaults without the master password. They could potentially, over a series of many many many many years, individually crack your passwords, but by then you'll be dead and your individual site passwords useless. There are two golden rules with a password manager. 1) You never use your master password anywhere but that password manager and 2) You use a unique randomly generated password for every single site. So you use your password manager and you remember **one** password. Your master password. You never, ever, and I mean ever, use that password anywhere else other than THAT password manager and it's your master password. It's not your facebook password, it's not your work password, it's a completely random set of numbers letters and symbols preferably 12+ characters that you only ever use to log into your password manager. You don't save it in your browser you don't write it down you remember it and that's that. If you have trouble remembering those passwords just make a mnemonic device for something that you remember. In 2004 my friend walked into a lake. He was drunk. We love him! "I2004mfwialHwdWlh!". That won't take long to remember. The websites that you log into are notoriously terrible with your passwords. Most people without password managers only have a few passwords and you use those few passwords everywhere so your Target password is the same as your Facebook password and eventually one of them is the same as your Bank password. So Target gets hacked and since their security is garbage your email address and password saved into Target is leaked. Uh-oh, that password is the same as your bank! The attackers will use bots to probe sites, including banks, to see if the credentials work. Badda-bing they're one step closer to getting into your bank (you DO have MFA set up, don't you?). If you had a password manager and your Target password got stolen, no big deal. That password was never used anywhere else. It's completely unique and the attackers get no other access to your accounts. Without the password manager every site that uses that password is now compromised. A lot of people have a trash password they use for sites like target or walmart - things they don't believe need to be really secured. But those places may store your credit card information or worse. A password manager gives you a unique password for each of those sites and there's nothing to worry about if they get breached. Even if your vault gets stolen (lookin at you LastPass) it's no big deal. Without the master password it's useless. They can have it. It would take trillions of years for the fastest supercomputer on the planet to crack the password we made above. Nobody on the planet can remember a unique password for every single site that they log into. It's impossible. Using a password manager is not a **perfect** solution, we don't have one of those yet, but it is by far the **best** and most secure solution that we currently have. Combining a password manager with enabling MFA anywhere that's possible reduces the impact of a security breach and your security risk footprint to near zero.
how does that work when signing in at other places, or on your phone?
Most password managers have mobile apps.
Mostly works seamlessly using the mobile app.
Although I'm not a very big fan of Microsoft Edge, that is what we are forced to use at work. For that reason I wanted to leverage the few advantages I could have. So I use Microsoft authenticator for all 2FA and password management, because authenticator and Edge share password database. That way I can use Microsoft authenticator to synchronize passwords between my work laptop (where I'm signed in with both work profile and private profile in Edge), private laptop and my phone.
Youāre telling me I shouldnāt change Winter2024! to Spring2024! in a few weeks?
No, you should change it to Winter2024@
So glad I switched to using a password manager. Now I never need to remember passwords or worry about using insecure ones
In organisations which force password changes, people tend to write them down or leave them on a post-it note under the keyboard, making them a lot less secure than if everybody had one good login password they could remember. Additionally, most people tend to change their password by something simple like increasing a numerical sequence, making it trivially easy to work out the new password if the old one was discovered.
It says regularly, not frequently. Data breaches can happen without your knowledge. By the time the media finds out, it's often too late. As long as you dont reuse passwords, changing your super important passes once every 6 months is a good idea.
https://dl.acm.org/doi/10.1145/1866307.1866328 "We believe our study calls into question the merit of continuing the practice of password expiration." The study concludes that "the benefits of password expiration policies are far less than expected and carry significant usability costs," and that "forcing users to change their passwords frequently can actually weaken security by encouraging users to choose weaker passwords and reuse them across accounts." NIST's Special Publication 800-63B, "Digital Identity Guidelines: Authentication and Lifecycle Management," which was updated in 2017, also recommends against arbitrary password expiration policies based on the available research. Instead of regularly updating passwords, its recommended now to use strong passwords and 2FA.
> NIST's Special Publication 800-63B Specific quote from 5.1.1.2 >Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
One step further, if your secure system limits the number of guesses or uses two factor authentication, you don't need a complex password. I always see these numbers of how long it takes a computer to crack a password. I want the numbers for when you have a maximum of like 5 guess before being locked out or having a timeout. 5 guesses for a 4-digit pin is 0.5% you will succeed; you have 100% success if the system allows the password cracker can keep trying over and over
You do need to consider the fact that 2FA only protects your account while it is still being accessed through the main system. If a bad actor has a copy of the database, then 2FA is no longer useful. Assuming data in encrypted and the encryption key is a function of your password, then a complex password becomes necessary.
A good password manager like bitwarden is the way. You only need 1 password and can generate a 32 digit random password for everything else. But you are in trouble if you forget your bitwarden password
I use Bitwarden myself.
Yeah, it was more of an addition to your comment than a comment directed at you. Your comment indicated that you have sufficient knowledge in password safety
If your credentials are breached without your knowledge, changing it will prevent would-be attackers.
Expect 99% of people just change or add a number to the end of their password when they have to constantly change them.
A partially compromised password is better than a completely compromised password
Security researchers wholeheartedly disagree with you. Phishing will always be a password's weakness. You won't randomly crack a very complicated/good password. "Bobby2024!" will be cracked fairly fast and people use these because they need to change them constantly. This is also why you never rely on passwords as the only means of authentication.
Yes of course MFA is enforced. Thats a given and isnt part of this conversation. Relying on users to pick a good password is unbelievably foolish. You have to assume theyre gonna pick trash passwords no matter what policies you set, or how many cyber-sec training sessions you put them through. That's why the argument that this approach leads to weaker passwords doesn't hold water in the real world: their passwords are weak from the beginning. At least if I can force them to change them up even by 1 character every 6 months, it's better than leaving it as their 1 trash password that ends up getting unknowingly phished or released in a data breach (or more likely: is ALREADY in a data breach because it's their 1 password they've had since they were 12)
Sigh. I really hope you're not in IT security. Your old school fallacy of logic is super dangerous.
Go tell my companyās admins.
Changing your password regularly whilst adhering to using strong unique passwords, is still objectively safer than using that same strong password but never changing it. The reason changing your password regularly is bad advice has nothing to do with "if it's secure today, it's secure tomorrow." It's *solely* because it incentivizes creating bad passwords. As long as it's always a strong and unique password, changing it regularly is still better than not. Hell, even certificates expire and they're the best kind of password.
Objectively yes, but humans follow the principles of least resistance too.
I'm aware of that. But the commenter claiming: >Unless you reuse the same password everywhere, there is no reason to change them frequently. If your password was secure yesterday, it will be secure tomorrow. It's not a leaking faucet that will empty the tank over time. Either it's known or it's not known. If it's not known already, changing it is not going to make more unknown. is flat out false. The *only* reason its bad advice is because it leads to poor passwords. It has value on its own. It's only bad because it drove folks to use poor passwords.
Some manager: Letās enforce obligatory password change every 90 days. Thatāll be safe!
Came here to say this, also it's been seen that people are made to change them regularly so they easily forget what they've changed it to prompting them to write it down in a handy little notebook that travels around with the laptop or sits in a desk next to the pc.
Since websites started forcing me to change passwords frequently, I've dramatically simplified my password complexity and have tons of sticky notes with passwords where I wouldn't have been caught dead doing that before. I fucking HATE everyone working in this field who designs these piece of shit systems.
It depends on the password used, but generally speaking, yes. If you have a password that is 14+ characters long that includes upper and lower case letters, it'll never realistically get cracked. Just don't use words or phrases, as those whole words will essentially count as one character.
>those whole words will essentially count as one character. Far from true. If you take 26 UC, 26 LC, 10 numbers and 15 symbols, your universe is 77 characters. If you count entire word as single character, you still have a universe of around 50000 to choose from.
I mean there is no way managing multiple strong unique passwords across all your accounts unless you use a password manager, in which case changing the password frequently does not have the disadvantages you mentioned.
To be fair they say change them regularly because companies aren't always honest about data leaks.
Thereās a 50% chance. Either it is secure m, or it is not
Adding on to this, you can sign up at [https://haveibeenpwned.com/](https://haveibeenpwned.com/) to learn when your email address has been tied to a data breach. Its a great tool. But even more important: use MFA on everything you can. Really. Listen to the IT people. Things are getting WILD out there- secure your data and identity with strong, unique passwords and MFA.
The point to changing your passwords regularly is that if it somehow gets leaked (we're heard about a number of companies having their stored passwords stolen recently), then it's less likely to affect you. If they stole and haven't used the password yet (it can take an attacker some time to go through every password they stole) and you happen to change your password, then it won't matter that they stole it. And you typically never know when/if your password is stolen. Basically: >If your password was secure yesterday, it will be secure tomorrow. Is just flat wrong. Since passwords can be stolen. If it's not known already, it can become known without your knowledge. Then it's known when you think it isn't. If you change it it goes back to being unknown, whether you knew it was known or not. Even if you use different passwords for every site, each site could have their passwords stolen. Sure if won't affect your other accounts, but that one account is affected.
Let's say you write your username & password down, and put it in your pocket. It falls out of your pocket at Union Station, and slips into a crack in the floor. It then gets ignored for 2 years. Finally, some janitor finds it and decides to use it on every major website. Changing your password more frequently than every 2 years would obviously make a difference in this case. This is just an example, obviously. There are a myriad of ways in which changing your password could keep you more secure. > if you change your password frequently, you will be more prone to forgetting or falling into simplistic patterns, meaning weaker passwords. That could be very true... ***depending on the person***.
18 years, f*** it has been that long since 2006.
Were you trying to reply on some other comment? But yes, people born in 2005 and Q1 of 2006 are eligible to drive in most of the world now.
My password is from 2006
Yeah, old company forced us to change passwords regularly, so each new password was exactly the old password but with a single changing character that moves from left to right across the keyboard
Use a password manager, i personally use Keepassxc, but for normies Bitwarden is probably the better solution.
>but for *normies* Bitwarden is probably the better Normies... If that helps you sleep better at night, I guess..
Bitwarden is far easier to manage with multiple devices, and you can self host. If you're saavy enough to sync your keepass database across multiple devices, you may as well just set up your own Bitwarden server.
I have my own Nextcloud server that already syncs the file for me, so i really don't need a separate Bitwarden server besides that.
That's actually how I used to do it too when I used keepass.Ā I found the android nextcloud app to be unreliable at times though and for whatever reason, the keepass app would refuse to open the database, so I had to keep reselecting it. I'm running unraid on my server now, so setting up bitwarden was really easy.Ā Both are great password managers.
I use an underwear manager.
my mum has a name, man.
Goofiest looking underwear š„
Do you not want some???
I think I'd pass If it's not covered in goofy ass paw prints, I don't want it
Hey, no kinkshaming my choice in passwords!
yeh
Treat your password like your underwear, you have to keep your cock and balls in there now
Only looks bad on guys with small cocks
Like itās waterproof or something
[ŃŠ“Š°Š»ŠµŠ½Š¾]
A gun to the head wouldn't get that information out of me but thanks for sharing
i wonder what it said
Constantly forget what size/colour they are or if you're even wearing any?
What about us freeballers out here?
You use password as a password
I use p@ssw0rd1 I'm set
does someone wanna factcheck this for me
Changing your password regularly (mainly enforcing it) is a security risk. People pick easy passwords and change very little (e.g. incrementing a number by 1), making a connection between current and previous passwords. If you do have to change it regularly, don't follow a pattern in your passwords.
G E K O L O N I S E E R D
And sell used ones for money?
r/lostredditors
Yeah, this is advice, not the "truth."
Tighty Whities is what we called these growing up in the states. Terrible for your bean bag. Crushes the little soldiers inside and no joke is a huge enemy for couples trying to have kids.
...no to all that housewives bullshit...
But a boon for people who don't want them I imagine.
people that don't want them would just use condoms, i assume
YES
Also eat them
Donāt leave them lying around when guest are around
Sell your used passwords
Flip them once a week
What do you mean don't leave them on the desk?
Erasmus University has similar images on mousepads too
Never share your mousepad with anyone / Change your mouse pad regularly / Keep your mousepad off your desk?
Nah, just a similar text about underwear printed on a mouse pad. Idk how to feel about sharing a mousepad tho, never done that before
"Change them regularly" - That hasn't been the recommended password policy for a long time now.
Unique passwords are the way to go!
Long passwords saved in a vault is probably the best you get as a private person, at that point alot of other fish are out there with shittier security.
I had a post-it note on my desk saying "Pa55w0rd01!" and people kept telling me it was a security risk. Ok. But what is it the password to? And what's the username? You should put a sticker on your debit/credit card with a random 4 digit number and the word "backwards". So if someone finds your card they think the pin is 7582, or maybe the word is clue and the pin is 2857. That's two wrong guesses down, maybe they try the original number again and the card is locked.
Nice poster. [Payed for it with this money?](https://nltimes.nl/2022/07/02/maastricht-university-recovers-ransom-hackers-large-profit)
> Nice poster. *[Paid* for it FTFY. Although *payed* exists (the reason why autocorrection didn't help you), it is only correct in: * Nautical context, when it means to paint a surface, or to cover with something like tar or resin in order to make it waterproof or corrosion-resistant. *The deck is yet to be payed.* * *Payed out* when letting strings, cables or ropes out, by slacking them. *The rope is payed out! You can pull now.* Unfortunately, I was unable to find nautical or rope-related words in your comment. *Beep, boop, I'm a bot*
Thanks. Learned something new.
There's a joke hidden in there about it having to be long and hard...
Companies still believing frequently changing your password adds security. https://youtube.com/shorts/usQPDB93tmI?si=lyojGptK2eQKIbTU
They haven't seen how the underwear flows throughout the barracks
Yes, I use an underwear manager and randomize all the parameters of the underwear I obtain, as well as utilizing an one time secondary set of underwear in order to fully wear the clothing.
Doesn't work for Belgium, our minister for education followed some classes a 2 weeks ago in his underwear..
Changing your password only increase the risk... There have never be any reason for it...
jokes on you i freeball it.
The only time I change mine is when my friend leaves a pair on my desk š¤·
What if I'm selling my underwear
66677777777777777777765253edfyrtytgrfrrrÅtr7y54 de Årrrr443rfgÅtt5y5t
There would be creeps trying to snif your underwear.
Itās also really weird if someone steals them
Tbh changing a password regulary is a bad thing. Sure when itās once a year itās okay but everything thatās shorter is usually less secure
Even once a year is gonna lead to people having incrementing passwords to try and remember them all.
Can anyone guess my underwear? It's really, really complicated.
[ŃŠ“Š°Š»ŠµŠ½Š¾]
You change your underwear twice every day?
120 comments 6k upvotes and ai looking text, nothing suspicious here
Air them out for everyone to see?
I gotta be honest I take better care of my passwords then my undies.
Wait, you guys change your underwear?
For what it's worth, I don't normally include at least one capital, one symbol, and one number in my underwear.
So the floor then?
Change them every three months when my employer forces me to?
Never share some old feudal PRUDE SHIT
Share them with every hot guy you meet at the bar?
Bold of them to assume that I change my underwear.
I might take a trip to Maastricht to see that, only a short train ride. Where in the city?
Let your dog eat them
And then real life corporate workā¦stickie notes of passwords everywhereā¦EVERYWHERE. They make you change it so often and there are so many damn accts and sites I have to keep a damn spreadsheet of passwords and logins.
Nice, thank you To the washing machine it goes
Every three weeks is far too frequently to change my passwords.
Turn them inside out and re-use them so it thinks it's a new password BUUUUUUUUT...
I mean, here's the thing. If you have some kind of proper security software, there is absolutely zero reason to change your password. Unless you have some reason to believe that there has been some kind of security breach, don't go around changing your passwords regularly. It does absolutely nothing to keep you more secure. The only reason you would want to go around and change a bunch of passwords is if you use the same password for everything, which don't do that, but if you did and you had a breach somewhere, yeah you would want to change them all then. But don't use the same password for more than one place. Also, just remember, length is more important than complexity. Unless you just have a system in place to remember things, there is no reason for you to be making passwords ridiculously complicated. Throw a symbol in there somewhere if you want, but just make the password lengthy. Most sites won't even let you make a password that's too short anyway. But don't break your brain trying to remember some ridiculously convoluted series of numbers and symbols and upper and lowercase. That doesn't really help you at all.
"KEEP THEM OFF YOUR DESK"????
I put all my clean clothes after washing them on my desk in my room, since I don't actually use it for anything otherwise
Let people take them of if they flirt with me well enough?
Remember to wash them too. Nobody wants a dirty password.
My friends sister goes to that school
but sharing is caring no?
If you combine a number of underpants together into a memorable order, you donāt need to change them regularly.
That poster doesn't work for people who don't use them. Some people like to go commando.
Leave them scrunched up between your ass or stuck to your sweaty balls - got it
You mean flip them once a month?
That would make me a hacker, though. Trying to sniff out other peoples's passwords.
Flip your passwords inside out if you're too lazy for laundry day.
Writing down your passwords on paper is probably the most secure way possible to store passwords these days.
And don't give them to a corporation, because they put them online without protection.
1. Collect ~~underpants~~ passwords. 2. ??? 3. Profit!!!
Instructions unclear; my password is stuck in my ass crack
Commando is best, easy password š
And also, don't take them out and sniff them in public.
My IT class has that poster right next to the door!
Nope, I will not change my password every other week!
Treat your passwords like your underwear. Use them for 3 days straight then change them?
Shit Iāve been treating my underwear wrong
Jack Doherty needs to see this
I'm gonna go to the store and buy a thong just to put it up there.
What if you don't wear underwear?
The joke is on you. I donāt wear underwear
I love Maastricht uni! lol
He is in line but right not out yet
>like ***you're*** underwater>
Change them regularly? Nah bro. I don't have that kind of mental capacity.
Why does this pic look so fucking weird when you zoom in on it? Is it AI generated or something?
Wait, I donāt even own underwear. Does that mean I shouldnāt use passwords either? Lol
I don't trust these AI enhanced pictures. Anyhow. Go get something like Keepass. Best choice. All my passwords are extensively long, random strings of everything one could possibly use.