You are correct.

For anyone else unaware, the schtick of the account was they’d always rate dogs with ratings of x/10 with x always being greater than 10. It was pretty funny how often people would get upset over this.

What you want is NIST 800-63b https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret

Specifically sections 5.1.1.1 and 5.1.1.2.

Excerpt from 5.1.1.2 pertaining to complexity and rotation requirements:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Appendix A of the document contains their reasoning for changing from the previous common wisdom.

The tl;dr of their changes boil down to length is more important than any other factor when it comes to password security.

Edit to add:

In my personal opinion, organizations should be trying to move away from passwords as much as possible. If your IT team seems to think this system is so important that they need to rotate passwords every month, they should probably be transitioning to hardware security tokens, passkeys, or worst case, password with non-sms MFA.

Now I know nothing about the actual circumstances and I know there are plenty of reasons why that may not be possible in this specific case, but I’d feel remiss if I didn’t mention it.

This is what I grew up calling it was well.

Any organization still doing this is a decade behind best practices. NIST published new recommendations years ago that specified getting rid of the practice of regular forced password resets specifically because they encourage bad practices that make passwords weaker.

Of course it doesn’t help that there are some industry compliance standards that have refused to update their requirements, but I don’t know of any that would require monthly password changes.

They actually have a fairly comprehensive training program setup through their “University.” They also mix in foreign contractors, usually from China.

My dad cracked three ribs while surfing in his 20s. He caught a wave much larger than normal, fell off his board near the top and landed flat on his back.

My sister actually gave my daughter this book when she was young. I thought it was good stuff.

https://www.akpress.org/aisforactivist.html

Real answer for anyone curious, he’s using one of these.

https://en.m.wikipedia.org/wiki/Strigil

I almost did before the outage. Their pay was pretty low compared to similar positions at other companies though.

This is something I worry a great deal about for my kid.

They’re about raising the sarcophagus. Those things can be heavy.

This was the first song I downloaded on Napster. It will always hold a special place in my heart for that reason.

Took several hours on the dialup I had at the time.

One of my favorite T-shirts. https://www.teepublic.com/t-shirt/23763923-utc-or-gtfo

(I am not affiliated in any way with this shop)

How are you preparing these? They look delicious!

To give you a slightly more serious answer, there’s a trope in America of the girl friend’s dad doing something to “subtly intimidate” the boy friend by casually cleaning a gun or having one within sight the first time they meet. The implication of course is supposed to be something along the lines of “I’ve got this and if you try anything funny with my daughter, I’ll use it on you”

It’s dumb but I’ve also known more than a few people who have experienced this first hand.

I had no idea it was still going. I used to binge these working midnight shifts in the NOC.

So did most of my friends, but I checked multiple times and confirmed that I had nothing. I would have been a lot less annoyed with them if I had received an email and missed or ignored it. For whatever reason, the notifications never made it to me.

I’m one of those people. I haven’t played in years. I may never have played again. I only found out because my daughter is now at an age where she asked if we could play together. I received no notice from Microsoft and I don’t do social media so it was a complete surprise to me when I couldn’t log in, then find out through their support that I had lost access to something I had legally paid for.

One of the best bosses I ever had once told me that people will stay for the culture but leave for money. His philosophy was to try and ensure that money was not a factor in people’s decision, then build as good a culture as he could.

And to be clear, by making money not a factor, I mean he paid well.