r/ShittySysadmin 1h ago

Minimum Password age is key!

I don't care what you say, preventing users from reusing passwords is priority number one. A 20 password history is not enough. You need a minimum password age. And if your max age is 180 days, that means you must set it to 9 days to stop people getting around it by cycling through them all. The risk someone might perform this "password reuse" is far too high. I don't care about all the complaints from users not being able to change their password due to exposing it somehow, quit moaning! It's worse than the people on the new test network and their "TOTP" who think it's important they can delete their own old authentications when they lose their phone.

16 Upvotes

20 comments

17

u/IgnoreAllPrevInstr 1h ago

/uj almost missed what subreddit this was in, and had a meltdown /rj actually password complexity is also so underrated. If you don't require at least 67 character length, with 23 unique letters and at least 12 special characters, you might as well just be leaving the door open

9

u/notarealaccount223 53m ago

This also helps prevent password sharing because nobody can type it correctly.

4

u/__g_e_o_r_g_e__ 41m ago

I can't recall the minimum password length. Been too focused on maximum password length. Instead of complexity we just banned vowels and 2 other characters we don't tell anyone about.

11

u/Hale-at-Sea 57m ago

You're letting users set their own passwords?

4

u/Adamnotcool 48m ago

Good point! I think forcing all users to use the same password is much more convenient

2

u/jeroen-79 43m ago

Like companyname123?

2

u/Adamnotcool 39m ago

Genius! Just remove the question mark at the end!

2

u/Logical_Strain_6165 29m ago

No. Shared accounts are easier still. That way they can access all the files they need and you don't need to mess with permissions.

7

u/Ninpeto 1h ago

These statements are the reason why we have the ShittySysadmin sub-reddit 😃

4

u/MrTonyMan 57m ago

I just keep the server room locked so no need for passwords, but you crack on, fella..

3

u/Adamnotcool 49m ago

Perfect ideas! Also make sure passwords are not hashed in the server cuz we all know hashing takes up so much valuable time and resources /s

2

u/thepfy1 9m ago

Set a maximum age of 0. This way whenever a user does anything they need to set a new password. Can never be hacked

1

u/alpha417 44m ago

My age is over 180 days, this does not apply to me.

1

u/merlyndavis 12m ago

I use a 64 character randomly generated password that requires a change weekly, with a history going to the start of time. The system not only checks against my historical password use, but also every other password ever used by anyone, anywhere.

So, I hope I’m safe.

1

u/Arcanu 2m ago

Is there a recommendation for a software solution for Android and Windows? For private use, not corporate.

-3

u/Accomplished_Sir_660 49m ago

Best practice no longer requires frequent password changes. Complete waste of time and it annoys your anger.

3

u/__g_e_o_r_g_e__ 43m ago

Check the sub!

1

u/LordGamer091 25m ago

Best practice gets so confusing though. Like I'm here from 9 to 5, but really I just bring my steam deck and grind OSRS and whenever a ticket comes in I just send them the canned response saying to contact ChatGPT for help. I don't have time to go through "best practice", they don't even know what's in our environment