Hacker News

tracker1, yesterday at 3:56 PM (4 replies)

Given the time it's been since deprecated, I'm assuming most older versions of Windows since 2000 and Samba have long since supported more secure options... though from some comments even the more secure options are relatively weak by today's standards as well.

Aside: still hate working in orgs where you have a password reset multiple times a year... I tend to use some relatively long passphrases, if not the strongest possible... (ex: "ThisHasMyNewPassphrase%#23") I just need to be able to remember it through the first weekend each time I change without forgetting the phrase I used.


Replies

WorldMaker, yesterday at 4:07 PM

Depending on your organization, it can sometimes help to point the right compliance person to the latest NIST guidelines, specifically:

https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

> Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.

One of the nice cases where it can be helpful that standards themselves, which you can point to, have said to stop doing that.

SoftTalker, yesterday at 4:46 PM

Fine until you run into the filter that prevents the new password from having any of the same substrings longer than some limit compared to the old one.

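Added illustration (not code from any commenter or from any vendor's policy engine) of the kind of overlap filter SoftTalker describes: a longest-common-substring comparison between the old and the new password, which is exactly what defeats the "bump the trailing number" habit tracker1 mentions. The limit of 4 characters and the sample passwords are assumptions chosen for the demonstration.

```python
"""Longest-common-substring "reuse" filter, as a constructed illustration.

Assumptions: the rejection limit (4 shared characters) and the sample
passwords below are made up for the example; real policies vary.
"""
from typing import Tuple


def longest_common_substring(a: str, b: str) -> str:
    """Return the longest run of characters that a and b share.

    Standard dynamic-programming longest-common-substring. The comparison
    is case-insensitive (a policy engine would treat 'Password' and
    'PASSWORD' as the same run), but the returned slice keeps a's case.
    """
    a_l, b_l = a.lower(), b.lower()
    best_len, best_end = 0, 0
    # prev[j] holds the length of the common suffix of a_l[:i-1] and b_l[:j]
    prev = [0] * (len(b_l) + 1)
    for i in range(1, len(a_l) + 1):
        cur = [0] * (len(b_l) + 1)
        for j in range(1, len(b_l) + 1):
            if a_l[i - 1] == b_l[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def rejects_reuse(old: str, new: str, limit: int = 4) -> Tuple[bool, str]:
    """Reject `new` when it shares a run longer than `limit` chars with `old`.

    Returns (rejected, offending_run). Note that this check can only run
    at change time, when the user has just supplied both the old and the
    new password in plaintext; it cannot be evaluated against a stored hash.
    """
    run = longest_common_substring(old, new)
    return len(run) > limit, run


if __name__ == "__main__":
    # Constructed pairs: a passphrase with its counter bumped, and a
    # genuinely different passphrase.
    pairs = [
        ("ThisHasMyNewPassphrase%#23", "ThisHasMyNewPassphrase%#24"),
        ("ThisHasMyNewPassphrase%#23", "correct horse battery staple"),
    ]
    for old, new in pairs:
        rejected, run = rejects_reuse(old, new)
        verdict = "REJECTED" if rejected else "accepted"
        print(f"{new!r}: {verdict} (longest shared run: {run!r})")
```

The first pair is rejected because the two strings share a 25-character run; the second passes because the longest run they share is two characters. The design point worth noticing is the one in the `rejects_reuse` docstring: the filter needs both plaintexts at once, so it is only enforceable in the change-password flow, never retroactively against stored hashes.
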
jandrese, yesterday at 6:32 PM

IMHO there are two requirements for a good password:

1. It must be hard for a computer to guess.

2. It must be easy for a human to remember. If you cannot set a secure password and then remember it a week later it is a bad password.

This is why I really hate overly strict password requirements that make it hard to remember. These cause people to write it down or do things that appease the password checker but don't make it harder to guess.

christkv, yesterday at 4:00 PM

I mean this is what I use 1password for.
