50 Password Policy Jokes
The policy requires a password change every ninety days. NIST stopped recommending that in 2017. The policy was last reviewed in 2008.
The reset email arrived at 4:58 on a Friday. The reset window is fifteen minutes. The reset password page requires VPN. The VPN requires a password.
Your new password cannot match any of the previous thirteen passwords. I have not had thirteen ideas since 2019.
I changed the password by one digit. The system rejected it as too similar. I changed two digits. The system accepted it. The system has opinions but no taste.
The password must contain an uppercase letter, a lowercase letter, a number, a symbol, and a small piece of your soul.
NIST removed the complexity-mix requirement seven years ago. My company added a second complexity-mix requirement last quarter to be safe.
The minimum length is twelve. The maximum length is twelve. The middle length is also twelve. There are no other lengths.
The form rejected my password because it contained a dictionary word. The dictionary word was the company name. The company name was on the login page.
Cannot contain your username. Cannot contain your name. Cannot contain your email. Cannot contain any string of three or more consecutive letters from any of the above. My password is now four random vowels.
Reset count this year, seventeen. Productive work hours lost to resets, also seventeen.
The helpdesk ticket to reset my password took longer than the project I was trying to log into.
I called the helpdesk to reset my password. They reset my password. They reset it to the company name plus 2020. The current year is 2020. The temporary password is also the policy violation.
The temporary password from the helpdesk expires in seven days. The forced reset on next login expires in fifteen minutes. Both clocks started at the same time. Only one was mentioned.
Forgot password emails go to the email address. The email address requires the password to access.
I rotated the last character of my password. The compliance dashboard turned green. The security posture did not change in any direction.
The rotation policy produced a stack of sticky notes shaped like a small building. The building had load-bearing walls of yellow paper and a roof of helpdesk tickets.
The NIST guidance in force in 2020 said long passphrases beat random complexity. The corporate policy in force in 2020 said no spaces in passwords.
My passphrase contained a space. The form ate the space and accepted the result. The result was now a one-word password. The form did not mention this.
Strong password, said the meter, while I typed the company name and the year. Weak password, said the meter, while I typed a forty-character passphrase.
Password strength meter went from red to green when I added an exclamation point at the end. Nine years of cryptanalysis research dismissed by one piece of punctuation.
The policy bans common passwords. The policy does not say what counts as common. The list is internal. The list has not been updated since 2014. Password123 is fine. Password124 is banned.
Password expired during a customer demo. Forced reset pulled the browser tab away mid-screen-share. The customer learned my new password by watching me type it.
The HR system password expires every sixty days. The HR system is used once a year. The math here is its own punchline.
The third-party vendor enforces a different rotation schedule than corporate. The SSO catches none of it. I now keep two calendars, one for work and one for resets.
The security awareness email said do not write down passwords. The security awareness email arrived on the same day the rotation policy required a new fourteen-character string with no reuse for two years.
Microsoft published guidance in 2019 telling admins to stop forcing periodic rotation. My admin printed it, read it, and filed it under interesting.
The policy committee voted to keep ninety-day rotation. The vote was unanimous. The committee included one auditor and zero practitioners.
The auditor said rotation is required by the framework. The framework said rotation is required if there is no other monitoring. The other monitoring existed. The auditor had not read past the first sentence.
Compliance requires the policy. The policy predates the compliance requirement. Nobody can find which order it happened in.
The shared admin account password rotates quarterly. The rotation is announced in a Slack channel. The channel has forty-six members and the message is pinned.
The service account password expired on Christmas Day. Production noticed first.
We rotate service account passwords manually, said the runbook, in a paragraph below the section where service account passwords had not been rotated since 2017.
The policy applies to all employees. The CEO has an exception. The CFO has an exception. The CTO requested an exception in writing and was told there are no exceptions, which is also in writing, attached to the exception list.
The lockout threshold is five failed attempts. The lockout duration is thirty minutes. The autocomplete on the login form remembers my old password and submits it twice on every page load.
The account got locked out before the user typed anything. The browser had three tabs open, each retrying a stale credential. The lockout was the only thing working as designed.
The forced reset page redirects to the dashboard. The dashboard redirects back to the forced reset page. The cycle ends when the session times out.
The password manager generated a forty-character string. The form accepted twenty-three characters and silently truncated the rest. The truncated password did not work on the second login. The form did not say why.
The password field has paste disabled. The IT security team said this is for our protection. Forty-character random strings are now typed by hand, four times each, until one of them lands.
Password field accepts paste. Username field does not. The username is my email. The email is fourteen syllables long.
Old policy banned passwords with repeating characters. I had to remove the second L from my last name. The HR system has stored my legal name as one L for a decade.
The policy banned the use of password as a password. It did not ban the use of Password. The shift key is now a security boundary.
Compliance dashboard shows ninety-seven percent of users have rotated within the window. The other three percent are service accounts that nobody is brave enough to touch.
The CFO uses the same password across forty-two systems. The policy committee discussed this in a meeting the CFO attended. The CFO chaired the meeting.
Single sign-on was rolled out to fix the password sprawl. There are now forty-three systems behind SSO and seven that are not. The seven are the ones I use.
SSO requires a password to sign in. The password rotates every ninety days. The original problem has been preserved in amber and renamed.
The new hire spent the first day setting up passwords. The new hire spent the second day resetting the passwords from the first day. The new hire spent the third day reading the password policy.
I left the company. My account is still active. The password has been rotated twice since I left. Somebody at the company is rotating it for me.
The shared mailbox password is in a Word document on a shared drive. The Word document is password-protected. The password is the same as the shared mailbox password.
The privileged access policy requires a separate admin account with a separate password with separate rotation. The separate password is the regular password with the letter A on the end.
The CISO presented a slide on modernizing password policy in line with NIST 800-63B. The next slide reiterated the ninety-day rotation requirement. The presentation was titled Looking Forward.
Why the policy outlives the guidance
NIST SP 800-63B is the closest thing the industry has to authoritative password guidance, and it has been saying the same thing since 2017. Stop forcing periodic rotation unless there is evidence of compromise. Stop the complexity-character-mix theatre. Screen new passwords against breach corpora and against context-specific words like the username and the company name. Allow long passphrases, spaces included, and do not silently truncate them. Allow paste. Microsoft published the same advice in 2019. Both documents are public, free, and short enough to read on a coffee break. The corporate policies that ignore them all cite the same reason, which is the auditor.
The auditor cites the framework. The framework cites NIST. NIST says the thing the framework was supposed to say. Nobody in the chain reads past the first paragraph, and the result is a policy that has not been updated since the year the first iPhone shipped. The policy outlives the team that wrote it, outlives the threat model it was written against, outlives the auditor who first asked about it, and shows up to every new employee orientation in the same yellowing form. The ninety-day rotation is not a security control anymore. It is a tradition.
The joke is the gap. The gap between the published guidance and the printed policy. The gap between what the helpdesk says is required and what the standard actually says. The gap between a strong-password meter that rewards an exclamation point and a corpus of breached passwords full of trailing exclamation points. Everybody in the room knows the gap is there. The policy committee meets quarterly and decides not to close it. The auditor signs off. The user resets the password.
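The gap is easiest to see when the same inputs go through both policies. What follows is an added example written for this article, not code from NIST, Microsoft or the original page. It puts the legacy checker the jokes describe (spaces stripped, silent truncation at twelve, four character classes, a short case-sensitive ban list) next to a checker that follows the SP 800-63B verifier rules (NFKC normalisation, spaces kept, no composition rules, a reject instead of a truncate, breach and context screening compared case-insensitively, repetitive and sequential values refused). The breach corpus, the context words and the legacy ban list are constructed stand-ins, and the 128-character ceiling is an assumption; 800-63B only requires that at least 64 characters be accepted.

```python
from __future__ import annotations

import unicodedata
from dataclasses import dataclass, field

# Constructed stand-ins. A real deployment loads a breach corpus of millions
# of entries (or queries a k-anonymity range API) and its own context words.
BREACH_CORPUS = {"password", "password1", "password123!", "qwerty123",
                 "letmein", "welcome1", "acme2020"}
CONTEXT_WORDS = {"acme", "jdoe"}                  # company name, username
LEGACY_BAN_LIST = {"password", "password123!"}   # exact match, case-sensitive


@dataclass
class Verdict:
    ok: bool
    stored: str                      # what the verifier would actually keep
    reasons: list[str] = field(default_factory=list)


def legacy_check(pw: str) -> Verdict:
    """The policy the jokes describe: eat spaces, silently keep the first
    twelve characters, demand four character classes, ban an exact list."""
    stored = pw.replace(" ", "")[:12]
    reasons = []
    if len(stored) < 8:
        reasons.append("shorter than 8")
    classes = [any(c.isupper() for c in stored),
               any(c.islower() for c in stored),
               any(c.isdigit() for c in stored),
               any(not c.isalnum() for c in stored)]
    if not all(classes):
        reasons.append("needs upper, lower, digit and symbol")
    if stored in LEGACY_BAN_LIST:          # "Password123!" sails past this
        reasons.append("on ban list")
    return Verdict(not reasons, stored, reasons)


def _repeated_or_sequential(s: str) -> bool:
    """'aaaaaaaa' or '12345678' style values, which 800-63B says to reject."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def nist_check(pw: str, max_len: int = 128) -> Verdict:
    """SP 800-63B verifier rules: normalise (NFKC), keep spaces, minimum 8,
    accept long values without truncating (ceiling of 128 is an assumption),
    no composition rules, screen breached, context-specific and
    repetitive or sequential values with a case-insensitive comparison."""
    stored = unicodedata.normalize("NFKC", pw)
    reasons = []
    if len(stored) < 8:
        reasons.append("shorter than 8")
    if len(stored) > max_len:
        reasons.append(f"longer than {max_len}; rejected, not truncated")
    folded = stored.casefold()
    if folded in BREACH_CORPUS:
        reasons.append("appears in breach corpus")
    if any(word in folded for word in CONTEXT_WORDS):
        reasons.append("contains username or company name")
    if _repeated_or_sequential(folded):
        reasons.append("repetitive or sequential")
    return Verdict(not reasons, stored, reasons)


def compare(pw: str) -> dict[str, bool]:
    """Both verdicts for one candidate, for side-by-side inspection."""
    return {"legacy": legacy_check(pw).ok, "nist": nist_check(pw).ok}


# Constructed candidates: the helpdesk special, the banned word with the shift
# key held, a passphrase with spaces, and a password-manager string.
SAMPLES = ["Acme2020!", "Password123!", "correct horse battery staple",
           "Xk9#mQ2vL7!pR4sT8wZ1yB6nH3jF5gD0cA2eU9iO"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        legacy, nist = legacy_check(candidate), nist_check(candidate)
        print(f"{candidate!r}: legacy={legacy.ok} stored={legacy.stored!r} "
              f"{legacy.reasons}; nist={nist.ok} {nist.reasons}")
```

Run as a script, the first two candidates pass the legacy checker and fail the 800-63B one, the passphrase does the reverse, and the manager string is accepted by both, except that the legacy checker has quietly kept only its first twelve characters, which is why the second login in joke 38 fails.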
See also
- 45 Password Manager Jokes for People Who Forgot the Master Password: the vault that solves the math the policy created.
- 50 Sysadmin Jokes Only Sysadmins Truly Appreciate: the person rotating the service account on Christmas Day.
- 45 Corporate Training Jokes for Mandatory Compliance Modules: the security awareness module that did not mention paste-disabled fields.
- 55 HR Jokes Only Employees Who Have Met With HR Get: the policy committee meeting nobody could leave.
- 50 Online Banking Jokes for People Watching the Balance: the bank that caps passwords at eight characters.
- 45 MFA Jokes for People Whose Phone Is in the Other Room: the second factor bolted on top of the policy.
- 55 Penetration Tester Jokes for People Who Got In Through the Printer: the engagement report explaining why complexity rules did not save you.
Sources
Authoritative references this article was fact-checked against.
- NIST SP 800-63B Digital Identity Guidelines, NIST (pages.nist.gov)
- Password policy recommendations, Microsoft Learn (learn.microsoft.com)