I started using a password manager for a lot of my passwords. Works pretty well, it’ll generate criteria matching passwords for me. Also functions as a list of websites I’ve created accounts with.

Forgetting it?? All you have to do is scribble it on a little slip of paper in your top drawer like 90% of people do. Very secure.

And if you don't forget it, you'll use a simple one that's easy to guess or contains common substitutions, p@$$w0rd!. And then when you do forget it you'll call support who will reset it, and they get so many calls it will make taking over another account easier.

In case you haven't already seen it yet there's The Password Game to drive this point home

Use a password manager my guy

Perfect security. Nobody can access.

That's on your IT department.

Well, it's also on Microsoft for selling their "modern" security theater bullshit to every IT department in the country while not designing it in a sensible fashion or working with third parties to provide meaningful alternatives to the Microsoft branded shit every employee will soon be required to install on their personal devices...

But that's also on your IT department for not warning you or allowing you to keep the SMS/phone verification as a backup for these exact situations. Those aren't depreciated yet, but some companies have let Microsoft's recommend security practices (co-written by their sales team) scare them into downright idiocy.

As someone in IT, here's what you do: Next time that sort of thing happens, just reach out to them immediately and have them reset everything. They may get annoyed, but you know what? They shouldn't be. It's more secure to have an employee call in every single time they need to change a password or re-authenticate a device. It's inconvenient, unnecessary, and downright annoying, wasting everyone's valuable time, but hey....it's more "secure'. If it's more secure, you aren't allowed to be against it.

you and @CodingCarpenter@lemm.ee must use the same system.

0118 999 881 99 911 9725 3

13 digit pins? You mean my phone number and birthdate?

I’m in this boat and I hate it.

All I know is the mortgage servicing company I use seems to have started ~3 month interval, that they don't say (no second factor available either). When I went to pay my internet bill, I get greeted with a message "you're passwords been reset". I'm stubborn and I was just using those sites to pay bills, so now I just don't log in to those anymore.

Insurance, and government need to catch up to the research. For sites that support them, I really like the Yubikey as a second factor.

What about when you go and log in tomorrow?

I don't have any first hand experience, but anecdotes I hear, Medical and Banking have some of the worst password/security practices.

I’m IT in a company that has this policy. Blame the cyber insurance.

Mine went to once a year for most systems. There is probably an external requirement somewhere that says they need to be changed periodically and once a year is the lowest frequency they can do.

A password manager does nothing to stop Social engineering and human factors on the provider side.

I use a password manager, but I can't realistically use one on my work computer, because the computer is locked. You want me to open my password manager on my phone and try and type it in?

Yeah, I'm gonna continue to use the bare minimum password that meets the requirements knowing full well it can be brute forced in under 5 minutes.

Sadly, I can't use a password manager to unlock my windows on my work pc.

You still need a password on your password manager, and that needs to be protected.