The Second Day after Password Change is the worst

Except for the third day, and the fourth day. Really, to be honest, probably a good fortnight.

Work has a 60-day expiration on passwords (yes, I know all the relevant information on current best password practices), and I opt to change all my user accounts at once to similar-but-not-the-same passwords for my User account and my 6 Admin accounts (I just love multi-domain infrastructure).

The first day is fine. Show up bright and shiny on a Monday morning. Start logging in on my main PC and change the pwd; we have a web portal that pops up prompting you to sync it with all the apps that we have single sign-on for but that can’t utilize the AD or ADFS authentication. Reboot just to be safe.

Then log on to my jump boxes and change each of those domain passwords and go about my day using the new passwords.

The second day though. The second day, Lizard brain keeps insisting on muscle memory to type in the old password. Stupid brain.

10 Likes

Ooof.

I left a job a couple years back that, at one point, had over a dozen passwords once everything was accounted for.

I’m still with the same group, but they’ve consolidated credentials a bit, and some of my accounts are no longer necessary, but yeah, password change week is still one of my least favourite times.

7 Likes

Once, all was easier (and less secure).

User accounts had a lot of admin ability on them, so you could get by without using the Admin account for a lot of day-to-day work. The little Web Portal that popped up synced all your accounts across the domains to the same password. Fortunately, there was never an incident that prompted the change, but people saying, “yeah, we always did it that way, but that way is bad.”

And we’ve gained a few domains over the years as consolidations have happened. I’m kicking the tires on some password managers just to keep a few lesser used accounts under control.

6 Likes

I use KeePass (sp?) which creates and stores secure long complex passwords, and lets you copy and paste. No memory needed (except for the master pw, and general logon to computer).

Except in annoying cases where the website won’t let you paste; then copying and typing each symbol is a big PITA.

8 Likes

I used one of the KeePass forks for a while, but I’m currently on Bitwarden as I liked the cut of its jib.

It’s free, but I paid for the premium version to get Two Factor Auth. Of all the ones I’ve used, I like it the best.

5 Likes

I believe that my workplace would be much more secure if they allowed the use of password managers.

The people who set security policies do not seem to concur.

6 Likes

I have issues with a lot of them. I want to be able to control where my data is stored.

4 Likes

I use pwsafe; it was originally developed by Bruce Schneier, I have a Windows version and an Android version, and the (encrypted) file can basically travel with you.

6 Likes

I am back to that world. One thing I miss from working at the bomb factory was enforced chip+PIN for login. Stick my badge in the card reader and enter the PIN.
Anyone who got long-term exemptions had to get their manager’s manager to sign off every 6 months.

6 Likes

I have a ton of passwords at work (also for home/personal stuff; I use KeePass for home and LastPass at work), but the home ones don’t bother me. The reason the work ones bother me is that I get logged out of most things every day, and when I’m in a rush to get something done it ends up going like this:

  • Log in to the computer so I can get to LastPass, so I can
  • Log in to LastPass, so I can
  • Log in to the VPN, so I can
  • Log in to the system that builds the code and start a build, then I can
  • Log in to the system that deploys the build and deploy it, so I can
  • Log in to the system that lets me
  • Log in to the system running the deployed code, from which I can
  • Log in to the database on that container so that I can finally run that quick query that I needed to check – if I can even remember it now after 8 distracting login procedures. If I got doubly distracted by 2FA prompts and having to go log in to my phone to go to the authenticator app to get a code to re-log in to something, then it’s a sure bet I’ve forgotten what it was that I was intending to do in the first place. Hmm. Maybe I left a note in the ticketing system, so
  • Log in to the ticketing system to search for any indications of what I was trying to do.

Single sign-on is supposed to be in the works for someday. I don’t generally like it since it’s a single point of failure and can cause things to get cross-contaminated in some circumstances (watching music videos, searching the web, and checking email are not a single connected workflow and shouldn’t influence each other, Google), but for connected workflows across disparate systems it’d sure be nice to have.

5 Likes

All my passwords would look like logmeinoct18, logmeinnov18, logmeindec18, …

SEE ALSO: learning to type   su -   instead of just   su

8 Likes

Third day. Automatic entry of password n-1 has generally stopped.

Password entry is now observed as being [ pause ] followed by entry of password n-(RNG).

The subject typically realizes the mistake after 4 to 7 characters have been entered, backs out, and enters password n.

5 Likes

Day 3 is amusing, but I’m particularly fond of Day 8, when your lizard brain wants to autocomplete the password without correctly remembering where symbols and capitalisation are supposed to go.

6 Likes

Ah, yes, the old “Lizard Brain, Why do you suddenly think capitalization does not matter?”

I believe this is linked to the phenomenon of capitalizing numbers…

Small Eff, capital Zero, capital Zero, small Bee, small Aye, small Arrr.

4 Likes

“Your new password may not contain more than a three character sequence in common with your old password. Please enter a new password.”

7 Likes

Okay, then, I’ll alternate between two patterns.

“Your password is too similar to one you’ve used within the last 24 password changes.”

5 Likes

I’ve sometimes thought that having a 128 character password complete with smalls and caps, digits, and special characters would be great to have as a phone number. Seems to me it would cut down on the kind of spam calls dialed at random.

If (or when) it leaks into spammers’ databases, then change it to a new one, and automatically send the new one securely only to your friends and other contacts.

3 Likes

I don’t think they do it that way anymore.

We’ve had spam calls at work where it’s very obvious some machine is just working through all possible numbers for a given known exchange.

128 characters with more possible symbols would take longer, but could be done the same way.

4 Likes

Let’s assume a character set of 64 (26 uppercase, 26 lowercase, 10 digits, 2 symbols).

64^128 = ~ 1,552,518,092,300,708,935,148,979,488,462,500,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.

I’d like to see them try.

5 Likes

Looks like the perfect job for a virus-infected zombie PC bot army 🙂.

5 Likes