Security Trivia

Did you know that Microsoft employees have not been forced to change their passwords in nearly two years? This follows the NIST recommendation as well as that of the man who regretted inventing the idea.

Listen to him here (start around the 27:00 mark to hear just this part, but the whole thing is interesting):

The Azure Security Podcast - Zero Trust at Microsoft


YES!!! I’ve always found this practice absurd: if your password has sufficient entropy, time doesn’t degrade it in any realistic way, and changing it constantly leads to forgotten passwords and Post-it notes!


I love looking at entropy. People concern themselves with complicated single-phrase passwords where a perfectly reasonable password may be more secure and easier to remember. Here’s a bit of lovely math for the brain.

Password: P4s5w@rd
Can be cracked with a super fast computer in an offline attack scenario (brute force) in about 18 hours.
Source: GRC’s Password Haystacks: How Well Hidden is Your Needle?

However the password: “I love buying 12 doughnuts at a time from KK”
Will take 3.36 hundred trillion trillion trillion trillion trillion trillion centuries to brute force.


Tried to get our infrastructure team to change this practice, but they said they cannot do anything about it. They’re audited by some company which requires the “complex” passwords, stupid requirements, and changing every 90 days. Ugh.

Complexity is the enemy of security


Agreed 100%.
I’ve grown weary of their requirements, and have fallen into the Password_1, Password_2, Password_3 format.
Way to go security team. You’ve forced me into a less secure password with all of your requirements.


My previous IT Director went off on the auditors pushing it. I could hear him yelling in the office, “What kind of company doesn’t know the NIST recommendations on passwords?! What other ways are you making our company less safe! We’re paying you to keep us safe!”

A couple of days later, they changed the audit.


BTW, the complexity requirement should say, “include three or four of the following”

  • upper case
  • lower case
  • number
  • special characters

Why? It greatly expands the number of passwords available.

And I don’t care what she says, size matters. We’re talking about password length here. Get your minds out of the gutter…
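As an added worked example (not from the original thread or from GRC), here is the Haystacks-style arithmetic behind the two figures quoted a few posts up, which also illustrates the “three or four of the following” and “size matters” points from the post just above. It assumes the character-class sizes and guess rates the linked GRC page uses (26 upper, 26 lower, 10 digits, 33 symbols including space; 1,000 guesses/s online, 100 billion/s offline, 100 trillion/s for a large cracking array). The `word_model_bits` function and its 20,000-word dictionary are an assumption added as a caveat: if an attacker knows a passphrase is built from common words, the effective search space is much smaller than the full-character-space estimate, though still enormous.

```python
import math

# Character-class sizes as the GRC Password Haystacks calculator counts them
# (ASCII letters, digits, and the 33 printable symbols including space).
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Guess rates (guesses per second) for the three Haystacks attack scenarios.
ONLINE = 1_000                       # throttled online guessing
OFFLINE_FAST = 100_000_000_000       # offline, one fast cracking rig
MASSIVE_ARRAY = 100_000_000_000_000  # offline, large cracking array

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 60 * 60

# Sample inputs: the two strings quoted in the thread.
PASSWORD = "P4s5w@rd"
PHRASE = "I love buying 12 doughnuts at a time from KK"


def alphabet_size(secret: str) -> int:
    """Size of the alphabet an attacker must search, given which classes appear.
    Only classes actually present count, which is why a 'three of four classes'
    rule enlarges the space: it pushes the alphabet up towards 95 symbols."""
    size = 0
    if any(c.isupper() for c in secret):
        size += UPPER
    if any(c.islower() for c in secret):
        size += LOWER
    if any(c.isdigit() for c in secret):
        size += DIGITS
    if any(not c.isalnum() for c in secret):  # spaces count as symbols
        size += SYMBOLS
    return size


def search_space(secret: str) -> int:
    """Candidates an exhaustive search must cover for every length from 1 up to
    len(secret) over that alphabet: sum_{k=1}^{L} N^k = (N^(L+1) - N) / (N - 1).
    Computed with Python ints so nothing overflows even for 95**44."""
    n, length = alphabet_size(secret), len(secret)
    return (n ** (length + 1) - n) // (n - 1)


def entropy_bits(secret: str) -> float:
    """log2 of the search space: the brute-force 'entropy' of the secret."""
    return math.log2(search_space(secret))


def crack_hours(secret: str, guesses_per_second: int) -> float:
    """Worst-case time to exhaust the search space, in hours."""
    return search_space(secret) / guesses_per_second / 3600


def crack_centuries(secret: str, guesses_per_second: int) -> float:
    """Worst-case time to exhaust the search space, in centuries."""
    return search_space(secret) / guesses_per_second / SECONDS_PER_CENTURY


def word_model_bits(phrase: str, dictionary_words: int = 20_000) -> float:
    """Caveat: Haystacks assumes the attacker knows nothing about structure.
    If the attacker knows the phrase is W tokens drawn from a common-word list,
    the space is closer to dictionary_words ** W. The 20,000-word dictionary
    size is an assumption for illustration, not a figure from the thread."""
    return len(phrase.split()) * math.log2(dictionary_words)


if __name__ == "__main__":
    for label, secret in (("password", PASSWORD), ("passphrase", PHRASE)):
        print(f"{label:11s} alphabet={alphabet_size(secret)} "
              f"bits={entropy_bits(secret):.1f} "
              f"offline-fast={crack_hours(secret, OFFLINE_FAST):.3g} h "
              f"online={crack_centuries(secret, ONLINE):.3g} centuries")
    # Length beats class count: 12 lowercase letters outrank 8 chars from 95.
    print("12 lowercase > 8 full-class:",
          search_space("twelveletter") > search_space(PASSWORD))
    print(f"word-model bits for passphrase: {word_model_bits(PHRASE):.1f}")
```

Running it reproduces the thread's numbers: about 18.6 hours for the eight-character password at 100 billion guesses per second, and on the order of 3e74 centuries for the 44-character phrase, which matches the quoted figure only under the 1,000-guesses-per-second online scenario; the phrase still sits around 10^66 centuries in the offline scenario. The word-model line shows roughly 143 bits for the phrase if its ten tokens are treated as dictionary words, well below the 289-bit character-space figure but still far beyond any brute-force budget.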


Thanks @josecgomez, now I have to change my password to “Complexity is the enemy of security_2”. :laughing:


Ed Snowden’s comments about password strength versus computing power are something I always pay attention to when he mentions them.

“For somebody who has a very common 8-character password, it can literally take less than a second for a computer to go through possibilities and pull that password out.”


So unfortunately, unless PCI DSS wakes up, you’re stuck with having to answer Yes to this question; otherwise you fail.

8.2.4.a Are user passwords/passphrases changed at least once every 90 days?

I don’t disagree with the above comments on how a phrase is the almighty password, but there are shitty standards in place other than just NIST that force us to do things we don’t want to. Not everyone is on the same page, sadly.


NIST does not recommend this anymore.

I just publicly asked PCI on Twitter why they are years behind other security communities. I’ll keep you posted…

I’m aware of that; that’s why I was saying there are still other shitty standards that people have to follow other than just NIST.
I’m using my PCI compliance as an example. We are required to be NIST 800-171 compliant here, and we also need to carry PCI DSS compliance, so we need to apply the strictest rules to our network. As I noted, PCI is the one that determines the 90-day expiration policy on passwords for us, and I’m sure for others.

I would assume that Microsoft is PCI compliant and yet they don’t reset passwords. Maybe they just answer No and note that it’s an insecure practice. :man_shrugging:

Where most strict does not equal most secure. :roll_eyes: I agree. It’s insane. More people need to push back on these check-the-box auditor “scams”. And the financial industry is just the worst… They’re the last to do MFA, etc.

Yes, it does make you wonder, but from what I’ve been told, we process credit cards here through a third-party portal, and that third party requires that we carry an active PCI compliance status. If I answer No to that question, then Security Metrics will report that we are in a failing state, and that CC processing company can choose to no longer provide us with that service. Perhaps Microsoft has that entire system completely isolated, and those rules and regulations only apply to that specific network that is responsible for processing money. :man_shrugging:

We are way too small, and I don’t have the resources to accomplish something like that and isolate the users/machines that process CCs. Hell, we only have one WAN link, because anything over coax is too expensive here. :man_facepalming: I remember the days when we had POS Partner ON SITE with stored CC numbers in the software, and it wasn’t even encrypted! Man, things have changed.




Right? I’m waiting till they let people name their kids with emoji.

Or license plates. Hate to be the police officer trying to remember that one as it speeds away.