It’s not very useful; the best protection for me is to link your account to your phone number and request a verification code from your operator for any request, so that no one can use your number.
D00bage on
It’s 2026 and I love this. Companies are all doing this 6 month password thing but adding in MFA, biometrics and other tools, thinking they’re both ‘passwordless’ and safe, only users are often forgetting their passwords all the time, making them high risk for doing things like writing them down or using easily guessable passwords. Then on the other side of the wall the companies’ Microsoft Azure cloud tenants are often sitting largely misconfigured by the offshore cheap labor they’re using and usually left with the admin console openly exposed to internet access, making it a prime target for hackers.
crossplanetriple on
Corporate has us using 16+ letter passwords with upper case and special letters along with the Authenticator app trying to make my device impenetrable, meanwhile the pin on my laptop is 12345.
Thanks guys.
DaliaWildfern on
Feels like security theater instead of actual protection, just adding inconvenience without solving real problems
Geth_ on
They already changed the guidance on this. Your policies are out of date.
Shredded_Locomotive on
It’s not there to stop hackers, it’s there to stop human stupidity.
If you somehow leak your password, use it elsewhere, etc. then your stuff could get accessed by others if your password remains the same.
They don’t know when you fuck up, so they assume you do it at least once every 6 months
ValianFan on
I once was in a discussion with the head of our location’s IT. Apparently a physical security token (YubiKey) is less secure than an always-online phone that I am carrying everywhere and that can have malware on it.
Also yeah, 16+ chars password is a must… to be fair at that point just have one strong password and when you need to change it quickly rotate through several ones so it is not the same as “X last ones” and you are good.
derangedplague on
Yes. Convenience and security are inverse properties. Once they have your password they can access your network and install a rootkit to continue probing for weaknesses and escalate their privileges.
corobo on
If the company has a policy on changing passwords frequently you can hack them by turning someone’s keyboard upside down
Lord-of-Entity on
Unless you are using a password manager, no it does not work. The guy who has “BananaSquared23!” as his password will update it to “BananaSquared24!” and move on.
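One defensive check that the “BananaSquared23!” to “BananaSquared24!” pattern above suggests, as an added example that is not from any commenter in this thread: a password-history check that tests trivial rewrites of a new password (case changes, dropped trailing punctuation, a trailing counter moved by a few steps) against the salted hashes of previous passwords, so the store never needs old plaintexts. All function names, the iteration count and the sample history are constructed for this demo.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 10_000  # lowered for the demo; production PBKDF2 counts are far higher


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest: the only thing a history store keeps."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def trivial_variants(candidate: str) -> set[str]:
    """Rewrites users apply to dodge 'not the same as the last N' rules:
    case changes, dropped trailing punctuation, and a trailing counter shifted by up to 3."""
    bases = {candidate, candidate.lower(), candidate.capitalize(), candidate.rstrip("!?.*#@$")}
    out = set(bases)
    for base in bases:
        m = re.fullmatch(r"(.*?)(\d+)(\D*)", base)
        if not m:
            continue
        head, digits, tail = m.groups()
        for delta in range(-3, 4):
            n = int(digits) + delta
            if n >= 0:
                out.add(f"{head}{n}{tail}")
                out.add(f"{head}{str(n).zfill(len(digits))}{tail}")  # keep leading zeros
    return out


def reuses_recent(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate, or a trivial variant of it, hashes to any stored entry."""
    variants = trivial_variants(candidate)
    for salt, digest in history:
        for v in variants:
            if hmac.compare_digest(hash_password(v, salt), digest):
                return True
    return False


def make_history(old_passwords: list[str]) -> list[tuple[bytes, bytes]]:
    """Build a salted hash history the way a directory would store it; plaintexts are discarded."""
    return [(salt, hash_password(pw, salt)) for pw in old_passwords for salt in [os.urandom(16)]]


# Constructed sample history for the demo (hypothetical previous passwords).
HISTORY = make_history(["BananaSquared23!", "Winter2025", "Tr0ub4dor&3"])

if __name__ == "__main__":
    for pw in ["BananaSquared24!", "winter2026", "correct horse battery staple"]:
        print(pw, "-> rejected" if reuses_recent(pw, HISTORY) else "-> accepted")
```

The cost is one hash per variant per history entry, so keep the variant set small and the history bounded to the N entries the policy actually cares about.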
Amellis84 on
To be fair, it does protect you from data leaks, to an extent, if you share passwords between services.
Mr_Lumbergh on
A lot of things are necessary only because policymakers want to see the security theater to tell themselves it’s being done, it’s being handled.
No_Scheme4909 on
The IT company who maintains our system and servers: 12-digit password, OK, fine… But one time he had to update our programs on our local PCs, so we had to send him the password in an email….. Eh, no sir, we can write a letter and hide it somewhere for this day. The answer was no, that’s not secure…. Yeah, but sending emails with passwords is safe ….
Not_AHuman_Person on
Isn’t having to change your password frequently less secure because people will start using simpler passwords that are easier to guess?
meganerd20 on
When have you ever *had* to change your password every six months? Not “encouraged to”, that doesn’t count, “had to”, as in you were given no choice.
Do you mean as an employee perhaps? Because I can assure you in all my time as a customer/user, I’ve never had my password require changing except when I forget it. And “have to” implies you had no choice, as I said. Being encouraged, reminded, guilt tripped, or any other way that’s not locking you out of your account does not count as “having to”.
You need a reasonably long password that is easy to remember, and hard to guess. So long as you never reuse that password and have 2FA/MFA, you should be good until you get phished for the password.
The key is not being easy to guess. And not reusing it elsewhere.
Jaredw180 on
We have to change our password monthly and cannot reuse the last 10 passwords. 10 passwords alone is more passwords than I have made in my life. I forget the new password constantly because it changes; then we have an inventory system with a different password that cannot be the same as the other password. Every month I have to come up with 2 new passwords. We also aren’t allowed to have our phones inside and we aren’t allowed to write passwords on paper either, so I will continue on their ingenious system they have created and continue not remembering my newnewnewnewnewnewnewnewnewnew passwords.
LegitSince8Bits on
At my job we have to do it every 3 months and it can’t be similar to the past 6 passwords… how many fucking passwords do you expect me to remember for something literally NO ONE is trying to break into????
JustLetMe05 on
Every data breach I’ve been a part of has been due to the company’s data being breached rather than my password being compromised.
No, it is not. Companies are behind the times, as usual.
[https://cybersecuritynews.com/nist-rules-password-security/](https://cybersecuritynews.com/nist-rules-password-security/)
Not really needed.