Just realized everyone says to change passwords every 90 days, but that rule got me hacked.
At my old job in Denver, our IT policy forced a password reset every 90 days. I got so tired of making new complex ones that I started using simple variations, like adding a '1', then a '2'. A bot guessed my pattern and got into our project management tool last spring. Now I use a password manager with one really strong master phrase and never rotate unless there's a breach alert. Does anyone else think forced rotations actually make security worse?
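The pattern the poster describes (keep the base word, bump a trailing digit) is exactly what a guessing bot enumerates first once it has one old password from a breach dump. The example below is added here and is not code from the poster or their employer: it enumerates those cheap variants from a previous password, and reuses the same enumeration as a server-side check at password-change time so that an incremented password is rejected instead of accepted. All passwords in it are constructed sample values, and the rejection thresholds are assumptions, not a published policy.

```python
"""Added example: enumerating 'change the number' rotations, and rejecting them.

Given one previously used password, predictable_variants() lists the guesses a
bot would try first. reject_reason() runs the same logic at password-change
time. Hypothetical code written for this thread, not taken from it.
"""
import re

# Split a password into a base word, a trailing number and trailing symbols,
# e.g. 'Denver2023!' -> ('Denver', '2023', '!'). Every group is optional.
TRAILING = re.compile(r"^(?P<stem>.*?)(?P<num>\d*)(?P<sym>[!@#$%^&*?]*)$")


def split_password(pw):
    m = TRAILING.match(pw)
    return m.group("stem"), m.group("num"), m.group("sym")


def predictable_variants(old_pw, horizon=5):
    """Candidates a guessing bot derives from old_pw: the counter bumped by
    1..horizon in either direction, a counter appended, a symbol swapped or
    appended, and case flips. Returns a set that never contains old_pw itself."""
    stem, num, sym = split_password(old_pw)
    cands = set()
    if num:
        width, base = len(num), int(num)
        for k in range(1, horizon + 1):
            cands.add(f"{stem}{base + k:0{width}d}{sym}")   # 2023 -> 2024
            if base - k >= 0:
                cands.add(f"{stem}{base - k:0{width}d}{sym}")
    for k in range(1, horizon + 1):
        cands.add(f"{old_pw}{k}")              # 'Denver2023!' -> 'Denver2023!1'
        cands.add(f"{stem}{num}{k}{sym}")      # 'Denver2023!' -> 'Denver20231!'
    for s in "!@#$":
        cands.add(f"{stem}{num}{s}")           # swap the trailing symbol
        cands.add(f"{old_pw}{s}")              # append one more symbol
    cands.add(old_pw.swapcase())
    cands.add(old_pw.capitalize())
    cands.discard(old_pw)
    return cands


def levenshtein(a, b):
    """Plain edit distance; catches variants the enumeration above misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reject_reason(old_pw, new_pw):
    """Server-side check at password change. Returns None when new_pw is
    acceptable, otherwise a short reason. Thresholds are assumed values."""
    if new_pw == old_pw:
        return "unchanged"
    if new_pw in predictable_variants(old_pw):
        return "predictable variant of the previous password"
    old_stem, _, _ = split_password(old_pw)
    new_stem, _, _ = split_password(new_pw)
    if old_stem and old_stem.casefold() == new_stem.casefold():
        return "same base word as the previous password"
    if levenshtein(old_pw, new_pw) <= max(2, len(old_pw) // 4):
        return "too similar to the previous password"
    return None


if __name__ == "__main__":
    # Constructed sample: the previous password leaked, the user bumps the year.
    leaked = "Denver2023!"
    print(sorted(predictable_variants(leaked))[:8], "...")
    for attempt in ["Denver2024!", "Denver2023!1", "denver2023!", "Summer2023!"]:
        print(f"{attempt!r}: {reject_reason(leaked, attempt) or 'accepted'}")
```

In practice the old password is only available as a hash, so the check is run at the moment the user submits both the old and the new password, which is the one point where the server sees both in clear. The enumeration is deliberately small: a real guessing bot will try far more, and the Levenshtein fallback exists precisely because no fixed list of patterns is complete.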
3 Comments
taylor.susan, 29d ago
Forced rotations stop reused passwords from spreading.
blake_lewis, 7d ago
Had a friend who did the same thing with password rotations at his office. He just changed a number each time like you said, and a brute force attack got his email. Kinda proves @taylor.susan's point about stopping reuse, but it also just makes predictable patterns. The policy backfired hard.