Author Topic: short password = bad; long passphrase = good  (Read 4151 times)


Offline niffiwan

  • 211
  • Eluder Class
Re: short password = bad; long passphrase = good
Two factor auth is good & I recommend using it where you can, but it's still fallible unfortunately.  And I believe (although I can't find a link at the moment) that it's possible to intercept SMS's, or use social engineering on your Telco to transfer your number to a new SIM.
Creating a fs2_open.log | Red Alert Bug = Hex Edit | MediaVPs 2014: Bigger HUD gauges | 32bit libs for 64bit Ubuntu
----
Debian Packages (testing/unstable): Freespace2 | wxLauncher
----
m|m: I think I'm suffering from Stockholm syndrome. Bmpman is starting to make sense and it's actually written reasonably well...

 

Offline Klaustrophobia

  • 210
  • the REAL Nuke of HLP
    • North Carolina Tigers
Re: short password = bad; long passphrase = good
greeted by the following new asinine password requirements when logging in to check my pay stub today

The PASSWORD MUST:

    be 15 to 30 characters in length
    contain at least two uppercase letters (A-Z)
    contain at least two lowercase letters (a-z)
    contain at least two numbers (0-9)
    contain at least two of the following special characters: # @ $ % ^ ! * + = _
    change at least four characters from your previous password

The PASSWORD CANNOT:

    contain spaces
    be one of your last ten previous passwords

The PASSWORD will expire in 60 days.


the government is ****ing retarded.  thank you for guaranteeing i have to write down my password.  oh, and these are a completely DIFFERENT set of requirements from the four or five other various government websites i have to use regularly.
I like to stare at the sun.

 

Offline deathfun

  • 210
  • Hey man. Peace. *Car hits them* Frakking hippies
Re: short password = bad; long passphrase = good
What in the actual ****
All they're forgetting is security questions you have to answer each time you log on
Oh, and those also expire every 60 days
"No"

 

Offline niffiwan

  • 211
  • Eluder Class
Re: short password = bad; long passphrase = good
I've worked with (not at thankfully) companies that set the password expiry time to 30 days  :rolleyes:

 

Offline Nuke

  • Ka-Boom!
  • 212
  • Mutants Worship Me
Re: short password = bad; long passphrase = good
twofactor can burn in hell with the rest of the internet. obligatory nuke all the things.

Quote
greeted by the following new asinine password requirements when logging in to check my pay stub today

The PASSWORD MUST:

    be 15 to 30 characters in length
    contain at least two uppercase letters (A-Z)
    contain at least two lowercase letters (a-z)
    contain at least two numbers (0-9)
    contain at least two of the following special characters: # @ $ % ^ ! * + = _
    change at least four characters from your previous password

The PASSWORD CANNOT:

    contain spaces
    be one of your last ten previous passwords

The PASSWORD will expire in 60 days.


the government is ****ing retarded.  thank you for guaranteeing i have to write down my password.  oh, and these are a completely DIFFERENT set of requirements from the four or five other various government websites i have to use regularly.

government websites in general suck. as a result i deal with the government entirely in paper. i like to use totally unreadable fonts, to match my equally unreadable penmanship. the best thing is no ****ing passwords. i particularly hate alaska's fish and game website. it never works. i have filled out my deer harvest report for last year 3 times now, it says it goes through fine, but they still send me the yellow cards that say i didn't file it. only reason i didn't send paper was because i lost the form and couldn't find the pdf on the internet. so bomb the **** out of bureaucrats with actual bureaucracy.
« Last Edit: September 13, 2013, 07:43:41 am by Nuke »
I can no longer sit back and allow communist infiltration, communist indoctrination, communist subversion, and the international communist conspiracy to sap and impurify all of our precious bodily fluids.

Nuke's Scripting SVN

 

Offline The E

  • He's Ebeneezer Goode
  • 213
  • Nothing personal, just tech support.
    • Steam
    • Twitter
Re: short password = bad; long passphrase = good
Quote
The PASSWORD MUST:

    be 15 to 30 characters in length
okay

Quote
    contain at least two uppercase letters (A-Z)
okay
Quote
    contain at least two lowercase letters (a-z)
right
Quote
    contain at least two numbers (0-9)
makes sense
Quote
    contain at least two of the following special characters: # @ $ % ^ ! * + = _
I suppose
Quote
    change at least four characters from your previous password
wat

This raises so many questions regarding the implementation of the password query....
If they're using a sane system, said system must (not can, MUST) be unable to make that determination. So assuming they do, this is a requirement that humans have to execute, and can thus circumvent.
If they don't, if their password storage is so bad that this kind of thing can be verified automatically, well, you (and they) are ****ed, cos there's a hole in the security a mile wide.

Quote
The PASSWORD CANNOT:
    contain spaces
    be one of your last ten previous passwords

Again with the what. Must be unique across x iterations I can sort of understand, but cannot contain spaces? What kind of bull**** input routines are they using?

Quote
The PASSWORD will expire in 60 days.

Riiiiight
If I'm just aching this can't go on
I came from chasing dreams to feel alone
There must be changes, miss to feel strong
I really need life to touch me
--Evergrey, Where August Mourns
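
Added example (not part of any post in this thread, and not the payroll site's code): a sketch of the storage question raised in the post above. With salted hashes only, exact reuse of the last ten passwords can be checked by re-hashing the candidate under each stored salt, while the "four characters changed" rule can only be evaluated against the current password the user types into the change form. The function names, the PBKDF2 parameters and the sample passwords are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 10    # "one of your last ten previous passwords"
MIN_CHANGED = 4       # "change at least four characters"
ITERATIONS = 100_000  # assumed work factor, kept low so the demo runs quickly

def hash_password(password, salt=None):
    """Return (salt, digest); this pair is all the server stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def matches(password, record):
    """Constant-time check of a typed password against one stored record."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def edit_distance(a, b):
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_change(history, typed_current, new):
    """history: stored (salt, digest) records, newest last. Returns violations."""
    if not matches(typed_current, history[-1]):
        return ["current password incorrect"]
    problems = []
    # Exact reuse needs no plaintext: re-hash the candidate under each old salt.
    if any(matches(new, rec) for rec in history[-HISTORY_DEPTH:]):
        problems.append("reused")
    # Similarity needs plaintext, and the only old plaintext available is the
    # one just typed into the form. Older entries are digests and stay opaque.
    if edit_distance(typed_current, new) < MIN_CHANGED:
        problems.append("too similar to current password")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, oldest first.
    history = [hash_password(p) for p in ("Autumn-Harbor-2013##", "Winter-Harbor-2013##")]
    current = "Winter-Harbor-2013##"
    for candidate in ("Winter-Harbor-2014##", "Autumn-Harbor-2013##", "Autumn-Harbor-2014##"):
        print(candidate, check_change(history, current, candidate))
```

The last candidate differs from the oldest stored password by a single character and still passes, because a digest gives the server nothing to measure similarity against.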

  

Offline Klaustrophobia

  • 210
  • the REAL Nuke of HLP
    • North Carolina Tigers
Re: short password = bad; long passphrase = good
---------- thought better of posting -----------

suffice it to say that the alternate logon method completely undermines the PW system anyway (but saves my ass from having to use it).  but i don't really need to go sharing details of that on the open internet.  :nervous: