7/3/2026 at 2:28:43 PM
“Finally, the company should have enforced a strong password policy that would have prevented our heroes from finding dozens of accounts with “winter2023!” as the password.”
Capitalize that “w”, and you’ve got a password that will pass most PWD policies. Why do they think it was “winter2023!” to begin with? In 90 days when the PWD expires, well, it will be spring of the next year, so…
The better idea is to require passwords with some real entropy, and get rid of expiring passwords. It’s not 1999 anymore.
by mikestew
7/3/2026 at 5:25:23 PM
Replying to my own post: wait a minute, why are there so many accounts with the same password in the first place? Oh, because "dozens" of people are tired of changing their password every 90 days, and someone piped up on an email thread (with the subject line: "Changing passwords all the time is bullshit!", I'm sure) and said, "I just set it to $SEASON$YEAR'!'. Easy to remember, fits the policy."
And now you have a system that is far less secure than if you just ditched the expiration policy to begin with.
by mikestew
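An added example (not from the thread or any commenter) that makes the two posts above concrete: a classic "8+ characters, mixed case, digit, symbol" complexity rule happily accepts "Winter2023!", while a check that combines a real minimum length with a season-plus-year pattern denylist rejects it and accepts a long passphrase instead. The sample passwords, the 15-character minimum and the pattern list (extended to month names beyond the seasons the thread mentions) are all assumptions made for the example.

```python
import re

# Constructed sample passwords illustrating the "$SEASON$YEAR!" habit from the thread.
SAMPLES = [
    "winter2023!",
    "Winter2023!",
    "Spring2024!",
    "correct horse battery staple",
    "Tr0ub4dor&3",
]

# Assumed minimum length for the pattern-aware rule (not a value from the thread).
MIN_LENGTH = 15

# Season or month name, optional separator, a four-digit year, optional trailing symbols.
# Case-insensitive, so capitalising the first letter does not help.
SEASON_OR_MONTH_YEAR = re.compile(
    r"^(spring|summer|autumn|fall|winter|"
    r"jan(uary)?|feb(ruary)?|mar(ch)?|apr(il)?|may|june?|july?|"
    r"aug(ust)?|sep(tember)?|oct(ober)?|nov(ember)?|dec(ember)?)"
    r"[-_ ]?(19|20)\d{2}[!@#$%^&*.?]*$",
    re.IGNORECASE,
)


def passes_complexity_rule(pw: str) -> bool:
    """The familiar character-class rule: length >= 8 plus upper, lower, digit, symbol."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def passes_pattern_aware_rule(pw: str, min_len: int = MIN_LENGTH) -> bool:
    """Length-first rule with a denylist for the predictable season/month + year shape."""
    if len(pw) < min_len:
        return False
    if SEASON_OR_MONTH_YEAR.match(pw):
        return False
    return True


def compare_rules(passwords=SAMPLES) -> dict:
    """Map each sample to (complexity_verdict, pattern_aware_verdict)."""
    return {pw: (passes_complexity_rule(pw), passes_pattern_aware_rule(pw)) for pw in passwords}


if __name__ == "__main__":
    for pw, (complexity, aware) in compare_rules().items():
        print(f"{pw!r:32} complexity={complexity!s:5} pattern_aware={aware}")
```

Running it shows the mismatch the thread complains about: "Winter2023!" is the only sample that passes the complexity rule and fails the pattern-aware one, while the 28-character passphrase fails the complexity rule and passes the pattern-aware one.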
7/3/2026 at 4:30:42 PM
Expiring passwords are one of my biggest gripes, and I still see them everywhere
by alt227
7/3/2026 at 4:40:18 PM
Expiring passwords and length limits. Why can't my password be 5KB long? My password manager has no limits. Are people storing them in plain text in 2026?
by grg0
7/3/2026 at 4:58:14 PM
And content limits. Why can't my password contain the % character? No special characters? What makes a character "special"? Why can't it contain emoji? So many password systems go to great lengths to remove potential entropy and randomness from passwords with their rules. The usual excuse is "blah blah blah legacy systems" which is not a good reason.
by ryandrake
7/3/2026 at 5:18:04 PM
Personally, I wouldn't use anything beyond ASCII in a password. I don't want encoding bugs to lock me out of my encrypted partition or bank account, thank you very much.
by fph
7/4/2026 at 9:00:09 AM
I agree, content limits are a royal PITA. Do you know how long I had to search to find a password manager that would accept my password with its doodles, sign language, and squirrel noises?
by pseudohadamard
7/3/2026 at 6:32:01 PM
Probably because there is some mildly decent reason (or very good, I don't know) to avoid them and it really doesn't matter enough to worry about getting around it.
Why would you want emojis in your password? It's a piece of text not meant to be seen, emojis are meant to be seen. Just randomly generate some characters and get on with your life. I don't understand why you care about this at all, it's such a pointless thing to complain about.
by sfn42
7/4/2026 at 1:55:38 AM
> Why can't my password be a 5KB long
Because that opens you up to an entirely new class of attack. You have to set the limit somewhere and if you set it at INT_MAX, then a malicious user could find a O(n^2) path in your password validator and input a 4GB password that locks up the machine. Or they could create 1000 users in a row with 4GB passwords and fill up your storage.
by shalmanese
7/3/2026 at 5:01:51 PM
I ran into a website for work that would let you create a long password, but silently truncate it to 12 characters before saving. Mind boggling.
by sgc
7/3/2026 at 5:07:03 PM
This is the best. Especially when the password is being autotyped by the pw manager and so you never see the truncation and now have a bad pw saved in your manager. Alongside a restrictive password policy with no ui explaining what the policy is.
by halJordan
7/3/2026 at 5:15:45 PM
This happens on some HP printers too, the web interface lets you happily enter lengthy passwords, but doesn't bother telling you it truncated the entry at 16 or 12 characters.
by j4k3
7/3/2026 at 7:45:25 PM
I unfortunately had the infuriating experience dealing with a (government, of course) site that did this. To add to the experience, not only did it silently truncate at registration, but it did NOT truncate on the login fields. And of course, it has a lockout after several failed attempts. UX gore at its finest.
by pull_my_finger
7/3/2026 at 6:13:30 PM
Blizzard/battle.net used to do this (still does?), lol
by grg0
7/4/2026 at 1:54:46 AM
Good security policies should have an upper bound on password length, but also those upper bounds should maybe be like 100 characters or so. There's a couple reasons for this. First being is that hashing does take some compute resources, second being that there is some security/usability tradeoffs here, etc, and third being that after like 30 characters or so, the effective (key phrase here) security gains become marginal.
by jkrejcha
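The two threads above, the 5KB/4GB length question and the sites that silently truncate at registration but not at login, come together in one added example (not code from any commenter): a registration/login pair that reproduces the truncation bug beside a corrected version that applies one shared bounds check on both paths, refuses over-length input instead of cutting it, and does so before any key derivation runs. The 128-byte upper bound, the 12-byte lower bound, the PBKDF2 iteration count and all function names are assumptions chosen for the example; the hashing is stdlib PBKDF2-HMAC-SHA256 rather than whatever the sites in question used.

```python
import hashlib
import hmac
import os

# Assumed bounds, not values from the thread: a generous ceiling in the spirit of
# "100 characters or so", and a modest floor.
MAX_PASSWORD_BYTES = 128
MIN_PASSWORD_BYTES = 12
# Assumption: kept low so the example runs in a moment; real deployments use far more.
PBKDF2_ITERATIONS = 50_000


class PasswordPolicyError(ValueError):
    """Raised when a password is outside the accepted length bounds."""


def bounded_bytes(password: str) -> bytes:
    """Return the UTF-8 bytes of a password only if it is within bounds.

    The same function runs at registration and at login, so a password can never be
    accepted by one path and rejected by the other. Over-length input is refused
    before any key derivation, so a multi-megabyte password costs the server a
    length check rather than a proportionally expensive hash.
    """
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordPolicyError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    if len(raw) < MIN_PASSWORD_BYTES:
        raise PasswordPolicyError(f"password shorter than {MIN_PASSWORD_BYTES} bytes")
    return raw


def derive(raw: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS)


# --- The bug the thread describes: truncate on registration, not on login ----------

def register_truncating(store: dict, user: str, password: str, limit: int = 12) -> None:
    """Silently keeps only the first `limit` characters, as the sites in the thread did."""
    raw = password[:limit].encode("utf-8")
    salt = os.urandom(16)
    store[user] = (salt, derive(raw, salt))


def login_untruncated(store: dict, user: str, password: str) -> bool:
    """Login path that never heard about the truncation: it hashes the full password."""
    salt, expected = store[user]
    return hmac.compare_digest(derive(password.encode("utf-8"), salt), expected)


# --- Corrected behaviour: one bounds check shared by both paths --------------------

def register(store: dict, user: str, password: str) -> None:
    raw = bounded_bytes(password)          # raises instead of truncating
    salt = os.urandom(16)
    store[user] = (salt, derive(raw, salt))


def login(store: dict, user: str, password: str) -> bool:
    try:
        raw = bounded_bytes(password)      # identical rule to registration
    except PasswordPolicyError:
        return False                       # refused before any hashing happens
    if user not in store:
        return False
    salt, expected = store[user]
    return hmac.compare_digest(derive(raw, salt), expected)


def demo() -> dict:
    """Exercise both versions on constructed inputs and return what was observed."""
    long_pw = "correct horse battery staple"          # 28 chars, past a 12-char truncation
    buggy, fixed = {}, {}

    register_truncating(buggy, "alice", long_pw)
    register(fixed, "alice", long_pw)

    huge = "a" * 5 * 1024                           # the thread's 5KB password
    try:
        register(fixed, "mallory", huge)
        huge_rejected = False
    except PasswordPolicyError:
        huge_rejected = True

    return {
        "buggy_login_with_real_password": login_untruncated(buggy, "alice", long_pw),
        "buggy_login_with_first_12_chars": login_untruncated(buggy, "alice", long_pw[:12]),
        "fixed_login_with_real_password": login(fixed, "alice", long_pw),
        "fixed_rejects_5kb_password": huge_rejected,
        "fixed_login_with_5kb_password": login(fixed, "alice", huge),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The buggy pair shows the lockout scenario exactly: the password the user (or their manager) actually holds fails, and only its first 12 characters succeed, which nobody will try before the lockout counter runs out. In the corrected pair the stored and presented bytes always agree, and the 5KB input is turned away by a length comparison rather than by a hash of 5KB of input.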
7/3/2026 at 6:52:15 PM
> Why can't my password be a 5KB long?
You should switch to Windows, Microsoft got you covered[1].
[1]: https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Arch...
by magicalhippo
7/3/2026 at 9:35:11 PM
Unbounded length anything is a denial of service vector, even if they do hash. I can assure you that even if your password manager doesn't impose limits, you can most certainly hit some if you try hard enough. It is also completely pointless. Two dozen or so ASCII letters and numerals will let you encode all the entropy you could possibly want.
Expiration is self-evident. Long lived tokens you can just whip around will whip around. The number one group of people who are hurt by expiration are those not using a password manager anyways. Autogenerated and autofilled passwords can expire all they want, it's a non-issue.
Special characters are dumb and unnecessary. They also pose a fun challenge when you happen to run into a situation where you can't input them anymore all of a sudden.
People cannot participate in cryptographic schemes, only machines can. These gimmicks do not help fix that. It's "theatre", as they say.
by perching_aix
7/3/2026 at 6:28:51 PM
> Why can't my password be a 5KB long?
Probably because that's just unnecessary. A few dozen characters is plenty, anything beyond that is just excessive.
by sfn42
7/3/2026 at 4:56:08 PM
I wouldn’t trust enterprise internet security boxes to not trip on such long text fields.
by mschuster91
7/3/2026 at 4:40:50 PM
My company does it to our phone passcodes. 90 days.
by wpm
7/3/2026 at 9:34:45 PM
Well, I’ve only got 10 fingers, so looks like my time there would be limited to 900 days.
by kaikai
7/3/2026 at 6:08:35 PM
Due to corporate IT working its fingers into everything vaguely computer related, I now have to annually change the passwords that operators use to log onto the HMIs on my OT network (which has no connection to the greater Internet.)
That means I now get calls after hours for a couple weeks (allowing for all shifts to cycle through) from operators who are locked out of their ops stations. I can't send the password via email, obviously, and word-of-mouth is inconsistent at best. So I'm left with the sticky note under the keyboard or stuck to the monitor, which the operators won't read anyway.
by black6
7/3/2026 at 7:06:09 PM
One good thing about expiring passwords is that it forces you to use something that you probably don't use for everything else in your personal life.
by wildzzz
7/3/2026 at 3:08:20 PM
I swear if the ghouls running things had a bit more decency and allowed people to actually access and control their passkeys then that would be the future, everyone would adopt it. The experience is so nice with key pair exchange for ssh. It's just that there I have the security of knowing exactly where my secret is and how I can manage it, it's just a file and I can move it like a file.
Nobody wants the risk of getting locked out because of Apple and Google's walled garden bullshit
by samrus
7/3/2026 at 2:33:09 PM
1. Open a web browser and do a search
2. Read until you find a sentence that you like.
3. Use it as your password
by Xeoncross
7/3/2026 at 2:50:10 PM
I like the last line of your comment
My password is now password
by ChrisRR
7/4/2026 at 2:06:09 PM
Now you might want to open a pr like this one: https://github.com/danielmiessler/SecLists/pull/155
by alessandroberna
7/3/2026 at 3:48:38 PM
Should have been "use it as your password"
by daredoes
7/4/2026 at 1:58:29 AM
"That's the best password ever!"
by jkrejcha
7/3/2026 at 5:24:21 PM
That's cool. Yours comes up as stars (*). Must be a HN thing.
by nickweb
7/3/2026 at 10:24:06 PM
hunter2
doesn't look like stars to me
by ndsipa_pomu
7/3/2026 at 3:08:09 PM
Hacked
by hnthrow10282910
7/3/2026 at 3:08:18 PM
How about mixing up band names? Take the end of "Florence and the machine" and mix it with the start of "Rage against the machine" and you now have the totally unguessable "Rage sharing the machine". It's a different machine see?! Nobody would know that!
by raffraffraff
7/3/2026 at 4:16:47 PM
The The but the first The is from The Who
by NopIdoN
7/3/2026 at 9:48:27 PM
That's crazy! Imagine what The The and The Who would sound like? Not The The and The Who, but the The The and the The Who your comment alludes to. Or would the original ones be called The The The and The The Who?
by daledavies
7/3/2026 at 2:56:50 PM
Not enough numbers or special characters usually.
by glitchc
7/3/2026 at 3:43:20 PM
Use one specific special character/number as word separator.
by lukan
7/3/2026 at 3:23:25 PM
I loathe two things in password requirements: special characters and not allowing spaces. C'mon, it's 2026. Require 20 characters and call it a day.
by chopin
7/3/2026 at 4:00:21 PM
"password is to long, max length..."(╯°□°)╯︵ ┻━┻
by Xeoncross
7/3/2026 at 4:37:41 PM
I couldn't decide which sentence of Alice in Wonderland was my favorite, so I just used the full text.
by Volundr
7/3/2026 at 10:10:47 PM
Alibaba Cloud in 2026 lol
by antonkochubey
7/3/2026 at 3:55:24 PM
Letting users pick their own passwords has always been a mistake. If passwords are needed, the system should choose them.
by James_K
7/3/2026 at 4:04:41 PM
just directly give them a post-it for their monitor
by NopIdoN
7/3/2026 at 4:11:59 PM
As a person with memory issues, this is a recipe for me writing a password down where somebody else can probably find it.
by kg
7/3/2026 at 5:00:33 PM
If your machine or service is connected to the Internet, 631U)VN0Onl? written on a post-it note is generally going to be better than hunter2 not written down.
by ryandrake
7/3/2026 at 4:58:59 PM
but post-its are vulnerable to the wrench attack!
by fouc