by UnquietTinkerer 1884 days ago
Off topic for password rotation, but has anyone tried assigning randomly generated passwords to the users rather than letting them choose their own?

People (including me) _hate_ memorizing things and would probably write an assigned password down, but isn't it better to expose passwords to nosy coworkers than to the whole internet, as is so often the case with weak or reused passwords?

3 comments

> has anyone tried assigning randomly generated passwords to the users

We do that. We generate long random-character passwords (for e-mail, web sites, and other accounts), and we don’t provide any online way for users to change them. If the users need to change a password, they have to contact us to do it (which is reasonable, since a big part of our value proposition is our responsive support). We only very occasionally even get such requests, and even more seldom get requests from users to set their own passwords. So far, everybody has been perfectly satisfied when hearing “No, users don’t set their own passwords. We can generate a new one for you any time you like.”

This policy has been in effect since before my time, and I have worked here for more than 10 years. During this time, there was one user who really wanted something more memorizable for a specific account, so I set a correcthorsebatterystaple-style password on that account only. One other user had trouble adding the password to their password manager, and I had to help them do that. Otherwise, no problems.

Best way to have all passwords written on post-its under each monitor.
You have access to the office where the monitor is, you have the post-it note. Somewhere you are, something you have; 2FA right there.

That's been our practice, for the reasons you describe, and we also take steps to make the passwords memorable (while retaining sufficient resistance to cracking). We also tell users that if they write down the password, don't write 'password' or the username or anything else on the paper - you will know what it is - and don't put it someplace obvious (on the monitor, under the keyboard, etc.).
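Two comments above describe the same practice from different angles: one assigns long random-character passwords and made a single correcthorsebatterystaple-style exception, the other makes assigned passwords memorable "while retaining sufficient resistance to cracking". The example below is an added illustration, not code from any commenter, of how an administrator would generate both kinds of assigned password from a CSPRNG and size them to an entropy target instead of guessing at length. Everything in it is an assumption for illustration: the 94-character alphabet, the target bit counts, and the 32-word `SAMPLE_WORDLIST`, which is deliberately tiny so the sizing function visibly demands more words than a 7776-word diceware-style list would.

```python
import math
import secrets
import string

# Alphabet for "long random-character" passwords: 26 + 26 + 10 + 32 = 94 symbols.
# (Assumed here; a site may need to drop symbols some systems reject.)
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word list, for illustration only. Real deployments load a large
# published list (e.g. a 7776-word diceware-style list); with 32 words each
# word contributes only log2(32) = 5 bits, which the sizing below exposes.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bridge", "candle", "desert",
    "engine", "forest", "garden", "harbor", "island", "jacket", "kettle", "ladder",
    "magnet", "needle", "orange", "pillow", "quartz", "ribbon", "saddle", "tunnel",
    "valley", "walnut", "yellow", "zipper", "copper", "marble", "meadow", "window",
]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from `pool_size`."""
    if pool_size < 2 or length < 1:
        raise ValueError("pool must have at least two symbols and length at least one")
    return length * math.log2(pool_size)


def length_for_target(pool_size: int, target_bits: float) -> int:
    """Smallest number of symbols (characters or words) that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random-character password; `secrets.choice` is uniform over the alphabet,
    so entropy_bits(len(alphabet), length) is an honest estimate."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet contains duplicate symbols; entropy would be overstated")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int, wordlist: list[str], sep: str = "-") -> str:
    """correcthorsebatterystaple-style passphrase. Words are sampled with
    replacement, so entropy is n_words * log2(len(wordlist)) only if the list
    has no duplicates; that is checked rather than assumed."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates; entropy would be overstated")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def assigned_credentials(target_bits: float = 70.0) -> dict:
    """Produce both styles of assigned password, each sized to the same target."""
    n_chars = length_for_target(len(PASSWORD_ALPHABET), target_bits)
    n_words = length_for_target(len(SAMPLE_WORDLIST), target_bits)
    return {
        "password": generate_password(n_chars),
        "password_bits": entropy_bits(len(PASSWORD_ALPHABET), n_chars),
        "passphrase": generate_passphrase(n_words, SAMPLE_WORDLIST),
        "passphrase_bits": entropy_bits(len(SAMPLE_WORDLIST), n_words),
    }


if __name__ == "__main__":
    creds = assigned_credentials(70.0)
    print(f"random-character: {creds['password']}  ({creds['password_bits']:.1f} bits)")
    print(f"passphrase:       {creds['passphrase']}  ({creds['passphrase_bits']:.1f} bits)")
    # With a 7776-word list the same 70-bit target needs far fewer words:
    print("words needed from a 7776-word list:", length_for_target(7776, 70.0))
```

The point of `length_for_target` is that "memorable while resisting cracking" is a sizing decision, not a style choice: the same 70-bit target is 11 characters from a 94-symbol alphabet, 6 words from a 7776-word list, but 14 words from the 32-word sample list. The duplicate checks matter because a wordlist with repeated entries silently lowers the real entropy below the figure the formula reports.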