I tried to change my password today on a contractor's portal. My password is 20 characters long. It's pretty strong as far as I am concerned. So I enter a new one, and what do I get?
The password does not meet the minimum requirements: password length cannot be less than 15 characters and greater than 50 characters and password must have 1 character of each of the following character types: upper case letter, lower case letter, number, symbol. In addition, your new password must be different than the previous 10 passwords, must have at least 4 characters different than your most recent password and cannot be changed more than once in 24 hour period.
That's a long message saying my password is not secure. What is particularly interesting in it?
must have at least 4 characters different than your most recent password
Yup, that's the fun statement that says the passwords on this system are reversible: to count how many characters changed between the old password and the new one, the server needs the old password in the clear, not just its hash. The one innocent explanation is that the change form also asks for the current password and the comparison is made against what you just typed, in which case nothing reversible needs to be stored; the "previous 10 passwords" rule, by contrast, can be enforced entirely against stored hashes by rehashing the candidate under each old salt. Maybe they use CryptDB [1]? I don't really know, but I highly doubt it. Either way, all of the password "strength" mumbo-jumbo you throw at your password system means very little if the passwords themselves are reversible. I suppose this was more clever US Cyber Security Guidelines advice. Who is in charge of that again??
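For comparison, here is how every rule in that error message can be enforced without storing anything reversible. This is an added example written for this post, not code from the portal in question: the account record, the change flow that demands the current password, and the reading of "4 characters different" as Levenshtein edit distance are all my assumptions, since the message does not define them.

```python
"""Password-change handler enforcing the portal's rules over salted hashes only.

Added example, not the portal's code. Assumptions: the change form supplies the
current password, "4 characters different" means edit distance >= 4, and the
"previous 10" window is the current password plus the nine before it.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000      # assumption; tune to your hardware
HISTORY_DEPTH = 10               # "previous 10 passwords"
MIN_EDIT_DISTANCE = 4            # "at least 4 characters different"
CHANGE_INTERVAL = timedelta(hours=24)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt/digest pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def composition_errors(pw: str) -> List[str]:
    """Length and character-class rules; these need only the candidate password."""
    errors = []
    if not 15 <= len(pw) <= 50:
        errors.append("length must be 15-50 characters")
    checks = [
        ("upper case letter", any(c.isupper() for c in pw)),
        ("lower case letter", any(c.islower() for c in pw)),
        ("number", any(c.isdigit() for c in pw)),
        ("symbol", any(c in string.punctuation for c in pw)),
    ]
    errors += [f"missing {name}" for name, ok in checks if not ok]
    return errors


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest), newest last
    last_changed: Optional[datetime] = None


def change_password(account: Account, current: str, new: str,
                    now: Optional[datetime] = None) -> List[str]:
    """Apply the change if every rule passes; return the list of violations (empty on success)."""
    now = now or datetime.now(timezone.utc)
    # Authenticate first: the only plaintext ever compared against is what the user just typed.
    if not verify_password(current, account.salt, account.digest):
        return ["current password is incorrect"]
    errors = composition_errors(new)
    # The "4 characters different" rule runs on the authenticated plaintext, never on stored data.
    if edit_distance(current, new) < MIN_EDIT_DISTANCE:
        errors.append("must differ from the current password in at least 4 characters")
    # Reuse check: rehash the candidate under each stored salt; nothing is ever decrypted.
    for salt, digest in [(account.salt, account.digest)] + account.history:
        if verify_password(new, salt, digest):
            errors.append("must differ from the previous 10 passwords")
            break
    if account.last_changed is not None and now - account.last_changed < CHANGE_INTERVAL:
        errors.append("cannot be changed more than once in a 24 hour period")
    if errors:
        return errors
    # Rotate: the old hash joins the history, trimmed so history + current == HISTORY_DEPTH.
    account.history.append((account.salt, account.digest))
    del account.history[:-(HISTORY_DEPTH - 1)]
    account.salt, account.digest = hash_password(new)
    account.last_changed = now
    return []
```

The point of the structure is the order of operations: the current password is verified before anything else, so the edit-distance comparison is done against a plaintext the user has just proven they know, and the history check works by rehashing the candidate under each stored salt. If a system can enforce the "4 characters different" rule on a reset flow where the old password is never typed, it cannot be doing it this way.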
[1] https://css.csail.mit.edu/cryptdb