• rmuk@feddit.uk
    link
    fedilink
    English
    arrow-up
    144
    ·
    1 year ago

    Outsourced IT provider here:

    90% of businesses have basically zero IT security. Leaked passwords in regular use and no process or verification for password resets. As soon as someone complains that 2FA or password rotation is difficult it gets dropped. Virtually all company data is stored on USB keys, plaintext hard drives and on staff’s personal home devices.

    The reason they’re not constantly having their data stolen is because no-one cares about the companies either.

    • Cryophilia@lemmy.world
      link
      fedilink
      arrow-up
      37
      ·
      1 year ago

      Isn’t password rotation a horrible practice because it makes people use passwords like “MyNewPassword15” since it’s the 15th password reset they’ve been forced to do?

      • notatoad@lemmy.world
        link
        fedilink
        arrow-up
        12
        arrow-down
        1
        ·
        edit-2
        1 year ago

        password rotation is generally not considered a “best practice” but not doing something because it’s not a best practice is only a good strategy if you’re actually going to follow the best practices. password rotation is less effective than a good password manager and long randomly generated passwords that are unique to each site. requiring passwords be rotated can be an impediment to using strong unique passwords, which is why it’s not a good practice.

        but a freshly rotated “MyNewPassword15” is a million times better than your password being “password”, or being the same thing you use on every sketchy website whose database has been breached a dozen times.

      • fakeaustinfloyd@ttrpg.network
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        Password rotation for your “emergency” system account (the one that shouldn’t be root) still needs to be rotated every time someone with access leaves or changes job roles.

      • Okalaydokalay@lemm.ee
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        That and users will begin writing down this month’s password on a sticky and you’ll be lucky if they hide it under their keyboard. Most users will stick it to their monitor and that’s lucky considering some users will write “outlook password”, “quick books password”, etc.

        Best to only reset when it’s been confirmed the password has been compromised and the password should be locked down to a MFA token of some kind, preferably app based, not SMS based.

    • Flying Squid@lemmy.world
      link
      fedilink
      arrow-up
      29
      ·
      1 year ago

      We have a custom backend website I have to log in for my work. You don’t have to use a password, just an email address. The only “security” is it’s on a weird URL that people wouldn’t likely know if they weren’t given it.

    • Aux@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      Password rotation is very insecure. No one should be doing that. I also hate when companies set maximum length for a password, like 12-16 characters. Bitch, my 32 character password is much more secure!

    • Supertramper@feddit.de
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      I believe Microsoft’s 365 platform helps a lot in that matter. Even without any security strategy or custom configuration M365 offers a better security level than those businesses could ever reach themselves.

    • Uriel238 [all pronouns]@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      6
      arrow-down
      7
      ·
      1 year ago

      Which might explain why medium sized companies that are not completely clean-nosed are happy to run Windows 10 with all its spyware elements running unregulated.

      It’s also terrible in the government sector, which is why the NSA’s huge database on US internet traffic is accessible to rivals like Russia, Iran and China.