by jamesvnz 1888 days ago
This is why many systems - I've seen it with Microsoft and Salesforce - set a "minimum password age". Which is usually a minimum of 1 day.

This way, you can't change your password more than once a day. This makes quickly cycling through to get back to your original password hard.

4 comments

This is amazing: "guaranteed at least 24h of exploiting a recently compromised account or your money back"
Yeah, I've tried that. First day in my new job. "Here's your PC. Your user name is [some initials] and your password is abcd1234". I sign in and immediately proceed to change my password to something that doesn't suck. I keep getting an error message about my new password not meeting the complexity requirements. Super confusing... I give up.

Next day: I can now change my password.

Turns out that I couldn't change my password the first day because it had already been changed to abcd1234 that day. I was not impressed.

It is an internal joke: you 'forgot' your password, so you get something like 'Spring2021' from IT as a password reset. Now you pick a target account and trigger an account lockout. Most of the time, the target is confused and gets a combo, account unlock and password reset. Now the IT guy who does the password reset ... uses seasonal passwords which of course can't be changed for 24 hours.
Oh this is clever, I'll use that next password rotation so that my password doesn't change in effect. We must change every 60 days where I work, and it doesn't work well, so some systems still use the previous password, some still use the password from 3 changes ago, etc. It's random though; you never know in which systems the password change will take and in which it won't.
Worse is when you're developing software against those other systems, and within a few minutes of logging in, your account is now locked out.
I went to a college with that problem. After your mandatory password change, any device autoconnecting to wifi would trigger a lockout. Since the same password was also used to log into network computers, there was no way to visit the webapp to unlock your account.

Unless you had data on your smartphone or had a friend who was logged in, you were SoL.