Hot take: password rotation rules are making things worse
I work IT for a mid-sized company in Austin and last quarter alone I reset 40 accounts because people wrote their new passwords on sticky notes under their keyboards. When I asked why, they said they couldn't remember a fresh 12-character string every 90 days. Has anyone else seen this backfire in their own workplace?
2 comments
martin.jamie, 3d ago
Dude yes, our accounting department is a disaster zone because of this. I had one lady who literally taped her password to her monitor bezel, and when I told her that was a security risk she just shrugged and said "what else am I supposed to do." We also had a guy who cycled through the same 3 passwords with just the number at the end changing every quarter, so password1 then password2 then password3 then back to password1. The help desk logs are full of "forgot password" tickets that spike every 3 months like clockwork. It's stupid because we're forcing harder passwords more often and people just end up with worse security habits.
7
gibson.oliver, 3d ago
Nailed it. The whole cycle is broken. Forcing people to change passwords every 90 days just trains them to be lazy. They pick the easiest thing they can remember. Password1 becomes Password2. It's like a game to them. The real problem is IT treats the symptom, not the cause. Complexity rules plus rotation rules equals sticky notes on monitors. Every single time.
3
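Both comments describe the same failure: a rotation policy that accepts password1, password2, password3 and then password1 again. As an added example (not code from either poster, and not any particular product's implementation), here is a hypothetical password-change validator that rejects exactly those trivial variants. It assumes the change flow has the current password in memory because the user just re-entered it, and that previous passwords are kept only as salted PBKDF2 hashes; the stem check and the edit-distance threshold are policy choices I made up for the illustration.

```python
import hashlib
import hmac
import re

# Hypothetical policy knobs for this example.
DIGIT_SUFFIX = re.compile(r"\d+$")
MIN_EDIT_DISTANCE = 3          # fewer single-character edits than this counts as "the same password"
PBKDF2_ROUNDS = 100_000        # assumed cost parameter for the password-history store


def stem(password: str) -> str:
    """Lowercase the password and drop any trailing run of digits.

    'password1', 'Password2' and 'password3' all reduce to 'password'.
    """
    return DIGIT_SUFFIX.sub("", password).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character tweaks
    that the trailing-digit check misses (e.g. Summer2024! -> Summer2025!)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def history_hash(password: str, salt: bytes) -> bytes:
    """Hash a password for the history list. Only full passwords are stored,
    never stems: a hash of the stem would leak most of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_change(old: str, new: str, history: list[bytes], salt: bytes) -> list[str]:
    """Return the list of reasons to reject the change; empty means accept."""
    reasons = []
    if new == old:
        reasons.append("new password is identical to the current one")
    elif stem(new) and stem(new) == stem(old):
        reasons.append("only the trailing digits changed")
    elif edit_distance(old.lower(), new.lower()) < MIN_EDIT_DISTANCE:
        reasons.append("new password is a trivial edit of the current one")

    digest = history_hash(new, salt)
    # Constant-time comparison so the check itself does not leak which entry matched.
    if any(hmac.compare_digest(digest, h) for h in history):
        reasons.append("password was used before")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the three-password cycle from the thread.
    salt = b"constructed-per-user-salt"
    history = [history_hash(p, salt) for p in ("password1", "password2", "password3")]
    print(check_change("password3", "password1", history, salt))
    print(check_change("password3", "correct horse battery staple", history, salt))
```

The two checks are deliberately separate: the stem and edit-distance tests need the plaintext of the current password and so can only run at change time, while the history list works on hashes and so can cover as many previous passwords as the policy keeps.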