[pc86]

This is fine for services you can easily access on a phone or computer.

My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.

I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.

My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.

[deathanatos]

I once joked (I think because my employer had a similar, crazy requirement) that my keyboard's firmware was programmable, and I could just reprogram that FW so that Level3Shift+some key would rattle off the month's password.

Obviously, this is a terrible idea.

[michaelt]

Believe it or not, "Yubikey" security keys have about 8 different configurable modes. One of them is "emulate a USB keyboard and enter a static password".

So not only could you implement your idea - you could also tell people you "log in with a yubikey" and they'll think you're at the forefront of security.

[hamburglar]

The only solution to this problem is to put your password on a post-it note in the most obvious place possible? Are we sure the CISO is the idiot in this story? This sounds like malicious negligence. I sure hope nothing that actually matters is on your system.

[9x39]

Well, a TPM would eliminate this user-hostile auth dance, although that security model is different than a password.

Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.

There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISO’s are from nontechnical management backgrounds, based on surveys I’ve seen.

[hamburglar]

I think it’s valid to question the wisdom of a CISO using misguided password guidelines. I don’t think it’s valid to respond to guidelines you disagree with by willfully sabatoging security. You relinquish your righteous position on password security when you put your password on a post-it in your laptop.

[pc86]

You call it "willfully [sabotaging] security," I call it "the best alternative that doesn't leave me with a 30% chance of forgetting my password every 60 days."

1Password is smart enough to let me have a secure, non-leaked password of high complexity that I have memorized, then let me go years without resetting it. I started there and the policies have made my laptop progressively less secure over time.

[hamburglar]

It just so happens that the best alternative you could think of is literally the worst alternative anybody could think of. If I didn’t know better I would call it wilfully bad and chosen more to prove a point than for any other reason.

[viridian]

Reads like you are trying to argue for abstinence only education here. The reality security must operate in is that the best security policies are those that people don't circumvent.

If people have to resort to sticky notes, sharing credentials, scripts that automatically update a file containing a plaintext credential, or what have you, odds are that security has massively fumbled the ball.

Keep in mind this is already intuitive enough for everyone, even the security minded, within some set of social and or professional norms. No one uses one time pads for common password based authentications, nor do they rotate passwords daily, nor do they require 64+ characters. We don't do this because its obvious to everyone that business would be too great, and people simply would not comply. Many security teams seem interested in pushing that boundary as far as they can without regard to what the probability density function of compliance actually looks like.

I say this as my password for Nationwide Children's Hospital has officially become the first password to cross that line for me, and now lives in a paper notebook. Forced reset, 2FA mandated, requiring 15 characters, upper, lower, number, and special char (but only a subset of special chars).

Maybe its overkill that the place I go to fill out questionnaires about baby poop, has minimum password requirements such that the entire world's computer would take over 10,000 years to crack.

[hamburglar]

If it’s too much to take then it’s too much to take and nobody can argue with that. When that happens, you resort to something more reasonable. Putting your password in a notebook, for example. Putting it on a post-it note on your laptop is not that reasonable alternative.

[econ]

Their job is onthere! Losing the job is much worse than losing the data. You need to secure that too!

[joquarky]

> because the CISO is an idiot.

How do these people get these jobs?

I have 25 years of enterprise-level web application development experience. I passed the CISSP on my first try with minimal study. I read RFCs for fun.

And yet I can't even get a screening interview with an actual human (although my one AI interview asked surprisingly competent follow-up questions).

[rrr_oh_man]

> How do these people get these jobs?

Relationships.