[9x39]

Well, a TPM would eliminate this user-hostile auth dance, although that security model is different than a password.

Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.

There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISO’s are from nontechnical management backgrounds, based on surveys I’ve seen.

[hamburglar]

I think it’s valid to question the wisdom of a CISO using misguided password guidelines. I don’t think it’s valid to respond to guidelines you disagree with by willfully sabatoging security. You relinquish your righteous position on password security when you put your password on a post-it in your laptop.

[pc86]

You call it "willfully [sabotaging] security," I call it "the best alternative that doesn't leave me with a 30% chance of forgetting my password every 60 days."

1Password is smart enough to let me have a secure, non-leaked password of high complexity that I have memorized, then let me go years without resetting it. I started there and the policies have made my laptop progressively less secure over time.

[hamburglar]

It just so happens that the best alternative you could think of is literally the worst alternative anybody could think of. If I didn’t know better I would call it wilfully bad and chosen more to prove a point than for any other reason.

[viridian]

Reads like you are trying to argue for abstinence only education here. The reality security must operate in is that the best security policies are those that people don't circumvent.

If people have to resort to sticky notes, sharing credentials, scripts that automatically update a file containing a plaintext credential, or what have you, odds are that security has massively fumbled the ball.

Keep in mind this is already intuitive enough for everyone, even the security minded, within some set of social and or professional norms. No one uses one time pads for common password based authentications, nor do they rotate passwords daily, nor do they require 64+ characters. We don't do this because its obvious to everyone that business would be too great, and people simply would not comply. Many security teams seem interested in pushing that boundary as far as they can without regard to what the probability density function of compliance actually looks like.

I say this as my password for Nationwide Children's Hospital has officially become the first password to cross that line for me, and now lives in a paper notebook. Forced reset, 2FA mandated, requiring 15 characters, upper, lower, number, and special char (but only a subset of special chars).

Maybe its overkill that the place I go to fill out questionnaires about baby poop, has minimum password requirements such that the entire world's computer would take over 10,000 years to crack.

[hamburglar]

If it’s too much to take then it’s too much to take and nobody can argue with that. When that happens, you resort to something more reasonable. Putting your password in a notebook, for example. Putting it on a post-it note on your laptop is not that reasonable alternative.