Broadcom Customer Care


Broadcom Account Password Restriction Changes

  • 1.  Broadcom Account Password Restriction Changes

    Posted 04-13-2020 02:55 PM
    Edited by Heena Tabassum 04-13-2020 03:03 PM

    In order to protect Broadcom's IP and to improve security for our customers, starting from April 17th, 2020 the account password requirements will be changing.
    At present, the password configuration requirements for a Broadcom User account are:
    • A password must be at least 8 characters long.
    • A password must have a lowercase letter.
    • A password must have an uppercase letter.
    • A password must not contain any part of the username.


    As per the new changes, a user's account password will be set to expire every 90 days and will require a reset before the user can continue to access their account. When resetting the password, a user cannot reuse any of the 10 previously used passwords.

    Change Summary:
    • Account Password Expiration – Every 90 days.
    • Cannot reuse previously used 10 passwords when resetting.
    • The system will send a "Password Expiration" notification informing users via their email.

    Click here for more details and if you need any help, please contact Customer Care Team by submitting your request using Customer Care Webform.



    ------------------------------
    Regards,
    Heena Tabassum
    Customer Care Community Admin
    Broadcom
    ------------------------------


  • 2.  RE: Broadcom Account Password Restriction Changes

    Posted 04-14-2020 02:56 AM
    Hello,
    Another help added to the ease of two-factor authentication. I have not found this level of security in any software provider. Not even my bank. I feel almost so happy and safe as Symantec customers.
    Regards.


  • 3.  RE: Broadcom Account Password Restriction Changes

    Posted 04-14-2020 06:04 AM
    Dear Broadcom.

    NIST, Microsoft, BSI, Apple and virtually everyone of rank in the IT world has updated their policies over the last several years to say that what you are implementing here under the guise of "security" is actually harmful to security. Enforced expiration is next to useless, enforced complexity only encourages cheap pattern passwords that no software can prevent. And the guy who came up with the password rotation pragma essentially apologized for it. This all should have been very straightforward to google.

    Here's just a random result from Google that neatly summarizes the guidelines of the US authority on this stuff:
    https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

    And here's the authoritative source:

    https://pages.nist.gov/800-63-3/sp800-63b.html#sec5


    What you are about to implement are security guidelines of the last century (and it wasn't much common sense already back then to most people), and quite frankly it looks the part. You seem hell-bent on inconveniencing your user base, and your contributors, any way you possibly can. I would ask you to reconsider if I had any hope a company would listen. Alas, I am just stating this as is.

    Thank you.

    ------------------------------
    These contain very good advice on asking questions and describing supposed bugs (no, you do not need to go to StackExchange for Automic questions, but yes, the parts on asking detailed, useful questions ARE usually relevant):

    http://www.catb.org/~esr/faqs/smart-questions.html

    https://www.chiark.greenend.org.uk/~sgtatham/bugs.html

    I will not respond to PM asking for help unless there's an actual reason to keep the discussion off of the public forums.
    ------------------------------
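
The two positions in this thread, as an added example that is not Broadcom's code nor anything posted by the participants: post 1's rules (8+ characters, upper and lower case, no part of the username, 90-day expiry, 10-password history) beside a checker in the style of the NIST SP 800-63B section that post 3 links (length plus a blocklist of breached, common and context-specific passwords, no composition rules, no scheduled expiry). The reading of "part of the username" as any alphanumeric token of three or more characters, the PBKDF2 stand-in for a proper slow password hash, and the sample blocklist are assumptions; a password such as "Password1" passes the first policy and fails the second, which is the contrast post 3 is making.

```python
import hashlib
import re
from datetime import date, timedelta

MIN_LENGTH, EXPIRY_DAYS, HISTORY_SIZE = 8, 90, 10  # figures from post 1


def hash_pw(password, salt):
    """Stand-in for a slow password hash; history is kept as hashes, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def legacy_violations(password, username, history, salt):
    """Violations under the composition + 10-entry history rules announced in post 1."""
    v = []
    if len(password) < MIN_LENGTH:
        v.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        v.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        v.append("no uppercase letter")
    # Assumption: a "part of the username" is any alphanumeric token of 3+ chars, case-insensitive.
    for part in re.split(r"[^a-z0-9]+", username.lower()):
        if len(part) >= 3 and part in password.lower():
            v.append("contains part of the username")
            break
    if hash_pw(password, salt) in history[-HISTORY_SIZE:]:
        v.append("matches one of the last 10 passwords")
    return v


def password_expired(last_set, today):
    """True once the 90-day window from post 1 has elapsed (inclusive of day 90)."""
    return today - last_set >= timedelta(days=EXPIRY_DAYS)


def nist_violations(password, username, blocklist):
    """SP 800-63B style: minimum length and a blocklist check; no composition rules, no expiry."""
    v = []
    if len(password) < MIN_LENGTH:
        v.append("shorter than 8 characters")
    lowered = password.lower()
    # Blocklist covers breached/common passwords and contextual words such as the username.
    if lowered in blocklist or username.lower() in lowered:
        v.append("blocklisted: breached, common, or derived from the username")
    return v


# Constructed sample data, not taken from the forum thread.
SAMPLE_BLOCKLIST = {"password1", "qwerty123", "welcome1", "broadcom2020"}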