An Open Letter to Organizations with Sh!tty Password Policies

Dear Organization with a shitty password policy,

The year is 2022 and you still haven't learned (from readily-available lists of 600M+ exposed passwords, other companies' breaches, and your own recent breach) that your password policy is a dried-up, crunchy, desiccated piece of suburban-backyard dogshit. The year is 2022 and you're still using short passwords that expire soon after being set. You insist on 8-character passwords that expire every 30-90 days because you can't trust your employees and/or customers to be responsible adults. You insist on 8-character passwords that expire every 30-90 days, and your end users hate your IT department and the computing environment as a whole for this one simple reason. They have to keep changing their weaksauce passwords before they can commit them to memory. And when a botnet invariably cracks one of your users' passwords in under 24 hours, your end user has to change it again... if you even have any logging or detection systems in place to alert you to an issue with an end user's account (*cough* #5 in this post *cough*).

The year is 2022 and you continue to ignore the penetration testing company telling you every year that your policy is outdated and insecure, and that you should switch to a 15-character minimum that only needs to be changed every 365 days. You ignore the pleas of your end users every time they call the help desk for password reset help, as they complain about needing to change their password so frequently. You ignore the fact that you've never taken a moment's time to set up a password checker that prevents exposed passwords from being used in your environment, which is one of the few things that can salvage your 8-character minimum.
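As an added example (not code from the original letter), here is a validator that enforces the policy the paragraph asks for: a 15-character minimum plus a check against an exposed-password corpus, done as a SHA-1 prefix range lookup in the style public breached-password services use so that only a 5-character hash prefix would ever leave the client. The corpus and the season-plus-year pattern check are constructed for illustration.

```python
import hashlib
import re

# Constructed sample standing in for a 600M+ exposed-password corpus.
EXPOSED_SAMPLE = ["Fall2021", "Fall2021!", "Password1", "Summer2022", "Welcome123"]


def build_range_index(passwords):
    """Index passwords the way a k-anonymity range lookup expects:
    5-hex-char SHA-1 prefix -> set of the remaining 35-char suffixes."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(EXPOSED_SAMPLE)

# Catches the "Fall2021"-style choices described in the letter (constructed rule).
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)\d{2,4}\W{0,2}$", re.IGNORECASE
)


def is_exposed(password, index=RANGE_INDEX):
    """True if the password's full SHA-1 appears under its 5-char prefix bucket.
    In a real range query only digest[:5] is sent; matching happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def check_password(password, min_length=15, index=RANGE_INDEX):
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if is_exposed(password, index):
        failures.append("appears in exposed-password corpus")
    if SEASON_YEAR.match(password):
        failures.append("season+year pattern")
    return failures


if __name__ == "__main__":
    for candidate in ["Fall2021", "Fall2021!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

Swapping `EXPOSED_SAMPLE` for a real corpus (or the range response from a breached-password service) is the only change needed to use this in a password-change hook.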

Every day that you allow to pass without taking security seriously is a day that you keep yourself wide open to attacks and breaches. And with your horrible password policy, Marie in Accounting, Tim in Sales, and Morgan in HR are going to keep setting variations of "Fall2021" over and over, because you're too soft to make anyone else take their human firewall responsibilities seriously. 

What's worse is when you have smaller partner organizations that, for whatever reason, have to sync their Active Directory environments with yours, and the shitty 3rd-party sync tool you use (instead of a more sane trusted domain relationship) can't handle multiple different password policies. Congratulations! Your unwillingness to take cybersecurity seriously has just affected one or more other organizations, because now your partners need to adopt your shitty password policy or else get stuck dealing with password policy conflicts that just frustrate everyone.

Let's be realistic here and understand that humans will be humans, and tend to take the path of least resistance when it comes to setting passwords. You need to be realistic and understand that your 8-character minimum is going to be treated as an 8-character maximum. Few people are going to put in the effort to come up with anything better if you don't ever push them to do so.

Again, the year is 2022. We're in "the future", and password policies need to reflect that.

So change your shitty password policies, or people like me will keep writing letters and scathing emails to you until you do.


Monica at