Reply to post:

Stop resetting your passwords, says UK govt's spy network

zanshin

My work organization forces us to change passwords every 90 days. It also enforces rules that tend to make the passwords we use hard to remember: limits on character reuse and sequences, and requirements for special characters. It also won't let us reuse any of our past *ten* passwords, and it can tell if you are just making small adjustments. Password_1 going to Password_2 won't fly.

I sort of see the point. It is, after all, the password associated with our core corporate identity. We use it to sign in to just about everything, often including systems where we have privileged access. So nicking the password of the right people would be very powerful. Still, even half of 90 days is a long time to have someone's password, and most of the ways of getting it (malware installed via phishing) would probably be able to get the new one even if it was reset.

We can't install our own software on our PCs (for good reason) and there's no company package for a password manager. (There ought to be, IMO.)

I ended up finding a password pattern that I could memorize (through mnemonics) that met the password requirements. I also figured out how to mutate it very slightly each time I have to update it in a way which passes the history limits and is easy for me to keep track of.

I honestly have no idea what most people at my company do to manage their passwords. I'd bet money an awful lot of them write them down. Some I know are probably smart enough to use good password managers on their personal phones.
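The history and "small adjustment" rule zanshin describes, as an added example (not code from The Register, the GCHQ guidance, or the commenter): a password-change check that rejects near-misses against the current password and exact reuse against a hashed history. The depth, threshold and sample passwords are assumptions.

```python
"""Added example (not from the thread): a password-change check of the kind
the post describes, rejecting small mutations such as Password_1 -> Password_2.
Policy values below are assumed; real products differ."""
import hashlib
import hmac

HISTORY_DEPTH = 10        # assumed: mirrors the "past ten passwords" rule
MAX_SIMILARITY = 0.8      # assumed threshold: reject if >= 80% similar


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 means identical; case-folded so 'Password' ~ 'password'."""
    a, b = a.casefold(), b.casefold()
    longest = max(len(a), len(b), 1)
    return 1.0 - levenshtein(a, b) / longest


def hash_pw(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest; iteration count is an assumed value."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def check_new_password(new: str, current: str,
                       history: list[tuple[bytes, bytes]]) -> str:
    """Return 'ok' or the reason for rejection.

    `current` is the plaintext the user just typed to prove identity, so a
    similarity check against it is possible. `history` holds only
    (salt, digest) pairs of earlier passwords, so those can be matched
    exactly but not approximately: a hashed history cannot see near-misses.
    """
    if similarity(new, current) >= MAX_SIMILARITY:
        return "too similar to current password"
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_pw(new, salt), digest):
            return "reused from password history"
    return "ok"
```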
