I am not a lawyer, but I did some googling on the "auto renewing" BS (called "evergreen clauses" apparently). The fact they have to reassure you the ass penetration they're giving is "industry standard" always makes me suspicious (feels very much like an Argumentum ad populum argument, which is used when they know they're full of BS).
ASG security rustles my jimmies...
And it pisses me off when corporate system policies implement this shit for EVERY dumb piece of software.

be 15 to 30 characters in length
contain at least two uppercase letters (A-Z)
contain at least two lowercase letters (a-z)
contain at least two numbers (0-9)
contain at least two of the following special characters: # @ $ % ^ ! * + = _
change at least four characters from your previous password
Who the fuck thought that up? Seriously 15 fucking character minimum?
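For anyone who wants to see what that policy actually boils down to in code, here is a checker for the six rules quoted above. This is an added example, not something posted in the thread; the "change at least four characters" rule is ambiguous, so this assumes it means an edit distance of at least 4 from the old password, and it assumes the comparison happens at change time when the user has just typed both the old and the new password (so nothing reversible has to be stored).

```python
from typing import List, Optional

# Rules exactly as listed in the policy quoted above.
SPECIALS = set("#@$%^!*+=_")
MIN_LEN, MAX_LEN = 15, 30
MIN_CLASS_COUNT = 2
# Assumption: "change at least four characters" == edit distance >= 4.
MIN_DISTANCE = 4


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def password_issues(new_pw: str, previous_pw: Optional[str] = None) -> List[str]:
    """Return every rule the candidate password violates (empty list = compliant)."""
    issues = []

    n = len(new_pw)
    if not MIN_LEN <= n <= MAX_LEN:
        issues.append(f"length {n} is not in {MIN_LEN}-{MAX_LEN}")

    # Count ASCII ranges explicitly, since the policy names A-Z, a-z, 0-9.
    classes = {
        "uppercase letters (A-Z)": sum("A" <= c <= "Z" for c in new_pw),
        "lowercase letters (a-z)": sum("a" <= c <= "z" for c in new_pw),
        "numbers (0-9)": sum("0" <= c <= "9" for c in new_pw),
        "special characters (# @ $ % ^ ! * + = _)": sum(c in SPECIALS for c in new_pw),
    }
    for name, count in classes.items():
        if count < MIN_CLASS_COUNT:
            issues.append(f"needs at least {MIN_CLASS_COUNT} {name}, has {count}")

    # Only checkable when the user supplies the old password at change time.
    if previous_pw is not None:
        d = levenshtein(new_pw, previous_pw)
        if d < MIN_DISTANCE:
            issues.append(f"differs from previous password by only {d} edit(s); "
                          f"policy requires {MIN_DISTANCE}")
    return issues


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate, old in [("Rr#Correct@Horse77", None),
                           ("Rr#Correct@Horse77", "Rr#Correct@Horse76"),
                           ("Tr0ub4dor&3Horse", None),
                           ("Ab#1", None)]:
        print(candidate, "->", password_issues(candidate, old) or "OK")
```

The last check is the one that catches the rrj@#5! to rrj@#6! trick mentioned later in the thread (edit distance 1), but only because the rule forces a minimum distance; nothing in the policy stops a user from rotating through four different characters in the same positions every expiry.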
Next time buy sulfur at the drug store and sprinkle some in your shoes, socks, crotch area and you won't get any.
The 200+ chigger bites covering my body.
Recently in one of my "Advanced Networking and Systems Management" classes we had literally 3 weeks of discussion questions all based around password policy and bullshit % charts etc etc of how this crap increases security exponentially - a minimum of 5 characters is inherently secure while a minimum of 10 characters is 10000% more secure than - bla bla the fuck bla blady-bla bla.
I don't even get why any kind of complex password is needed, even theoretically. Granted I'm not that computer savvy, but it locks you out after X attempts, right? How could you possibly brute force it? If you have access to the server that actually checks the password, I don't think you really need access to an end user account anymore.
I must have been the only student that was not fresh from high school or their first round of college, and every week was like "in theory the stricter the password policy the better the theoretical security etc... BUT when you input the factor of THE END USER all this shit goes out the fucking window!" If you make the passwords expire too frequently you get the ABC or 123 of a character change, so rrj@#5! turns to rrj@#6! etc etc - if you make it so complicated that you cannot possibly make your password anything coherent (no words etc) you are more likely to not have anyone commit their passwords to memory (and by the time they do THEY FUCKING EXPIRE), so you get post-it-note syndrome... 50% of the time I go sit at a desk to fix someone's ham-handed "I broke my computer" issue I can find their password somewhere around their desk.
So you all are going to get a nice wave of "newly trained" network admins that know from the book that TO INCREASE SECURITY WE MUST IMPLEMENT STUPID PASSWORD POLICIES. argh!
The only thing worse than this is when that guy gets paid more than you.
Motherfucker who shows up 1 hour late in the morning, takes 90 min lunch breaks and leaves 30 min early. Rustled jimmies already, but he also has the nerve to come to me and try to dump work on my desk because somehow he doesn't have enough time in his day to do it all.
There are almost always systems that are not linked to a lockout policy etc, but again no normal end user is going to be in those systems etc... I literally had to defend my stances in a separate email to my instructor for not giving the standard answer to these discussion questions, as "my practices would not provide security", as I focused on keeping the end user informed that threats and phishing still happen - keep your password secure etc - I would rather have them make end users commit a decently complex yet comprehensible password to memory and have it last longer than changing it every week - end users tend to see all the password rules and network security layers as "doing all the work", so they become slack and not as attentive to common security etc.