The Lounge is rated Safe For Work. If you're about to post something inappropriate for a shared office environment, then don't post it. No ads, no abuse, and no programming questions. Trolling, (political, climate, religious or whatever) will result in your account being removed.
It's just like the change your password every 30 days policy I have at work.
It means that everyone picks a password then simply increments a number at the end of every 30 days.
This means that if anyone cracks your password without you realising - they can hack your account well into the future.
Security measures should be there to slow down unauthorised access and as you have pointed out some modern security practises have actually decreased security.
“That which can be asserted without evidence, can be dismissed without evidence.”
For that reason we have the policy that your new password must be at least x% different from your old password...
But I've seen the increment as well.
In one such scenario I've even seen that an entire team got one account to access some server.
Every month the person who changed the password would send out an email saying "the new password increment is now 19" (this was important, because after 3 failed attempts you'd be blocked and in for a world of pain trying to get it back).
Speaking of Windows, to change the password you have to provide the current, as well as the new password. I suspect the comparison is done at this stage, because storing non-hashed passwords (at least in AD) supposes to settle a special policy, which fortunately is not applied by default.
"I'm neither for nor against, on the contrary." John Middle
I once created a really long password using all the allowable characters. When it came time to change it, the new password was rejected because it had too many of the same characters as the previous one. If the sysadmin had not been able to override that rule, I'd never have been able to use that system again.
A study was done a number of years ago regarding password complexity. The finding was that as complexity increases, security is reduced - because people have to write their passwords down in order to remember them, thus completely defeating the security that the demanded complexity affords.
I got you beat though - along with the complexity requirements (at least 16 characters, no more than three consecutive letters or numbers, must include numbers, a mix up upper and lower case letters and special characters, no group of letter can create a word, and every time you change it, it can't be more than 50% similar to one of the last 10 passwords you used), my employer forces a password change every 15 days.
This is done for our time sheet app. I mean seriously - WTF!? My strategy is to simply create a GUID in Visual Studio and submit it until one passes their absurd validation, and then save it in a text file.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
I did that last time, made a screenshot of the form with four(!) questions and answers and saved it in a folder on my desktop.
Couldn't care less if that account got hacked, jokes on the hacker, the customer account is now yours I don't want anything to do with it!
I recall not too long ago, a bank I wanted to use to transfer money to another person demanded I identify myself. A list of ridiculous questions appeared, including a demand that I identify the current address of my ex-wife. We split 30 years ago and I haven't heard (thankfully) since! Morons everywhere, and we let them program computers and vote!