
Related, some of these sites you forget what you used and have to create a new password - and some of them do this horrible "You cannot re-use your four last passwords" thing which leaves you in this sort of permanent "I'm never going to remember and always have to come up with something new" loop (for sites you go to only periodically, e.g. an HR portal, let's say). But hey, nothing important lives in an HR portal, right? :P


Employee of a university here. Not only are the password requirements annoying, unless you close the browser you aren't logged out. Clicking "logout" makes it look logged out, but the next person to use email/payroll enters their credentials and gets the prior user's account. Hilarity ensues with people applying for each other's leave, emailing responses to messages that weren't for them, etc. The interim response is for people to set a theme in their email to make it more distinctly different. I kid you not.


Shibboleth user? I can't even imagine how difficult that kind of problem is when you're working with other people's software.

* Go to some service A.

* Get redirected to SSO and authenticate.

* SSO confirms your identity and A issues you a session token.

* You log out using your SSO.

* Go back to A where you're still logged in with your session token.

At a certain point I would not be willing to commit to maintaining lots of patches to every product we host and just tell our users to close their browser.
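The sequence in the comment above, as an added example that is not part of the original thread: a minimal in-memory model in which service A keeps its own session after an SSO-only logout. It goes one step beyond the comment by also showing logout propagation (the idea behind SAML Single Logout and OIDC back-channel logout); all class and function names are hypothetical.

```python
import secrets


class ServiceProvider:
    """Service "A": keeps its own session table, separate from the SSO's."""
    def __init__(self):
        self.sessions = {}  # local session token -> (user, SSO session id)

    def accept_sso_assertion(self, user, sso_sid):
        # After the SSO confirms identity, A issues its own session token.
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (user, sso_sid)
        return token

    def whoami(self, token):
        entry = self.sessions.get(token)
        return entry[0] if entry else None

    def backchannel_logout(self, sso_sid):
        # Drop every local session that was created from this SSO session.
        for token in [t for t, (_, sid) in self.sessions.items() if sid == sso_sid]:
            del self.sessions[token]


class IdentityProvider:
    """The SSO: tracks which services each SSO session has logged in to."""
    def __init__(self, propagate_logout):
        self.propagate_logout = propagate_logout
        self.sessions = {}  # SSO session id -> (user, services visited)

    def login(self, user, service):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, [service])
        return sid, service.accept_sso_assertion(user, sid)

    def logout(self, sid):
        _, services = self.sessions.pop(sid)
        if self.propagate_logout:
            # Without this step, each service's own session outlives the SSO's.
            for sp in services:
                sp.backchannel_logout(sid)


def user_after_sso_logout(propagate_logout):
    """Return who service A thinks is logged in after an SSO-only logout."""
    a = ServiceProvider()
    idp = IdentityProvider(propagate_logout)
    sid, token = idp.login("alice", a)  # constructed sample user
    idp.logout(sid)
    return a.whoami(token)
```

Calling `user_after_sso_logout(False)` reproduces the stale session from the list; `user_after_sso_logout(True)` shows A's token rejected once the logout is propagated.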


It's PeopleSoft and Outlook, but I'll have a look at the single sign in page and see what that's done through.


OMG very true. Often, it seems that all these password systems are designed for celebrities; maybe if there were teams of people working 24/7 to hack my account, then it would make sense.



