It’s similar in IT. Almost no one recommends regular password changes anymore, but we won’t pass our audit if we don’t require password changes every 90 days.
“We recommend updating your password every 90 days!”
Why, you haven’t lost it recently, have you?
I never understood why this caught on; you even see it recommended for personal applications… which is just stupid. The only reason it existed in the first place is because of concerns about shoulder lookers.
Same vibe as management buying Oracle products because it’s “trustworthy”.
When we first switched to JD Edwards, it still sent the passwords in plain text, and our Oracle partner set up our WebLogic instances over HTTP instead of HTTPS.
I had to prove I could steal passwords as just a local admin on a workstation before they made encrypting the traffic a priority.
👀 lookin’ at you, alpha=.05






