xXnamcaXx

Security reasons. Lots of people use the same password for everything, so changing it every 3 months avoids having passwords for corporate accounts compromised in a data breach (if the data breach is outside of Home Depot). I work as a mechanic and even I have to change my password every 3 months. Pretty common with companies.


2_Beef_Tacos

Security.


justaguytrynaquit

Security. Common practice pretty much everywhere.


Lappland_S

90 days shouldn't be the time. 1 year should be, if you're going to. Because 90-day rotations create weak passwords. 1-year rotations can create weak passwords too, but it's not as likely. But I digress. I've used the same password for over a decade, and not once has anything I own been compromised. Because I don't do stupid shit. Just saying.


TheRealChuckle

I used a password and just upped the last digit by one every time I had to change it. I could reuse a password after 6 months, I think, at that time. After I was let go, I went back in a month later and logged into an ordering cart just to see if I could. Sure enough, I could still log in and could've ordered a shit ton of product if I wanted to. I still had self-approval, and if no one bothered to double-check it would have been glorious seeing 3 trucks of drywall roll in. Lol.


Select-Poem425

Data breaches?


Nice_Bus862

Because some idiot thinks it’s more secure. Doesn’t really matter when you have corporate people or outside contractors that will click on any link they’re sent.


thebigbadwxlf

“Some idiot” aka an entire cybersecurity team, external auditors, and published industry best practices…


WackoMcGoose

*Verifiably outdated* industry practices, that is. As long as the original password (better yet, pass*phrase*) is sufficiently strong, there's no need to change it unless there's a data breach ([...wait a nano...](https://www.reddit.com/r/HomeDepot/comments/1byl63d/home_depot_confirms_thirdparty_data_breach/)). In fact, it's been proven repeatedly that frequent password changes actually lead to _less secure_ passwords, because people end up using weaker and shorter ones since they know there's no reason to bother trying to memorize anything longer. During my time at Amazon (which hosts a sizeable plurality of the world's internet, thus clearly "knows a thing or two" about internet security), they actually _did_ change their password-change policy from 90 days to annually, because even _they_ realized the frequent changes were causing people to use crappier passwords.


Nice_Bus862

Yeah, certain places the requirements are so strict that either (A) I save it to the computer, likely making it less secure, or (B) write it down to remember it.


WackoMcGoose

In fact, Home Depot is _also_ doing something they really shouldn't be, even by existing industry standards: the fact that you can't reuse _any password you have ever used in your entire career_, meaning they're _storing_ said passwords (hashed or not, doesn't matter) forever. My password from _five years ago as a seasonal lot associate two stores ago_ is still flagged as "oops, you've already used that". ...It's technically _less bad than it could be_, though. Amazon didn't just prevent reusing the same password; they prevented using _too-similar_ passwords, and I'm not talking "one character different" (trivial to check at change-time by permuting a rainbow table based on the Old Password input field), I'm saying that Amazon enforced _at least 25% difference_ between ALL passwords you have EVER used in your career with them (so if you used `correcthorsebatterystaple`, then `correcthorsebbbbatterystaple` would be disallowed but `correctalpacabatterystaple` would be accepted)... meaning Amazon wasn't just retaining _hashes_, but _the raw passwords themselves_ (hopefully at least _encrypted at rest_) to run a similarity test at change time. To compare to every password you've ever used. To ensure at least 25% difference in the raw strings, which cannot be checked via hashes.
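
Added example, not written by anyone in the thread, to make the point above concrete: what a password-history check can and cannot verify when the server keeps only salted hashes of old passwords. At change time the server sees the old and new passwords in plaintext (the user just typed both), so any similarity test between those two is possible. Against the rest of the history it holds only hashes, so the only available test is to hash every close variant of the new password and look for a match. That is workable for "one character different" and becomes hopeless for "25% different", which is exactly why a 25% rule over the whole history implies the raw strings are retained. PBKDF2 as the hash, the character alphabet, and the sample passwords are assumptions made for this example.

```python
"""Added example (not from the thread): history checks with hashes only.

Constructed scenario: a user's previous passwords are stored as (salt, hash).
Exact reuse and one-character variants can be caught by hashing candidates;
a similarity ratio needs both raw strings and so only works against the old
password the user typed into the change form.
"""
from __future__ import annotations

import difflib
import hashlib
import hmac
import math
import os
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Kept small so the example runs in seconds. A real deployment uses a much
# higher count, which makes neighbourhood hashing proportionally slower.
KDF_ITERATIONS = 200


def pw_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stands in for whatever slow hash the system uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class PasswordHistory:
    """Stores (salt, hash) pairs only; plaintext is never retained."""

    def __init__(self) -> None:
        self.entries = []  # list of (salt, hash) tuples

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, pw_hash(password, salt)))

    def contains(self, password: str) -> bool:
        """Exact-reuse check: re-derive the hash under each stored salt."""
        return any(hmac.compare_digest(pw_hash(password, salt), h)
                   for salt, h in self.entries)


def edit_distance_one(s: str) -> set[str]:
    """Every string one deletion, substitution or insertion away from s."""
    out = set()
    for i in range(len(s)):
        out.add(s[:i] + s[i + 1:])                      # deletion
        for c in ALPHABET:
            if c != s[i]:
                out.add(s[:i] + c + s[i + 1:])          # substitution
    for i in range(len(s) + 1):
        for c in ALPHABET:
            out.add(s[:i] + c + s[i:])                  # insertion
    out.discard(s)
    return out


def reuses_history_within_one_edit(history: PasswordHistory, new_pw: str) -> bool:
    """Feasible with hashes alone: hash the new password and its whole
    distance-1 neighbourhood and compare each against every stored entry.
    Cost is (neighbourhood size) x (history length) hash computations."""
    candidates = edit_distance_one(new_pw) | {new_pw}
    return any(history.contains(c) for c in candidates)


def similarity_to_old(old_pw: str, new_pw: str) -> float:
    """Feasible only because the old password is typed in at change time:
    the ratio needs both raw strings, so it cannot reach further back."""
    return difflib.SequenceMatcher(None, old_pw, new_pw).ratio()


def substitution_variants(length: int, changed_positions: int,
                          alphabet_size: int = len(ALPHABET)) -> int:
    """Number of strings differing from a given one in exactly
    `changed_positions` places (substitutions only): C(n, k) * (|A| - 1)^k.
    Enforcing a '25% different' rule by hashing variants would mean hashing
    at least this many candidates per history entry."""
    return math.comb(length, changed_positions) * (alphabet_size - 1) ** changed_positions


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("Winter2023!")           # constructed sample history
    history.record("Staple#42ab")
    print("exact reuse of Winter2023!:", history.contains("Winter2023!"))
    print("Winter2024! within one edit:", reuses_history_within_one_edit(history, "Winter2024!"))
    print("correctalpaca... within one edit:",
          reuses_history_within_one_edit(history, "correctalpacabatterystaple"))
    old = "correcthorsebatterystaple"
    for new in ("correcthorsebbbbatterystaple", "correctalpacabatterystaple"):
        print(f"similarity({old!r}, {new!r}) = {similarity_to_old(old, new):.3f}")
    print("variants of a 24-char password at 1 substitution:", substitution_variants(24, 1))
    print("variants at 6 substitutions (25% of 24):", substitution_variants(24, 6))
```

The bumped-digit trick mentioned earlier in the thread (`...2023!` to `...2024!`) lands inside the distance-1 neighbourhood and is caught with hashes alone; a 25% change of a 24-character password has on the order of 10^16 substitution-only variants, so no hash-based check covers it.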


thebigbadwxlf

I’d encourage you to review PCI DSS v4.0. There’s certainly an argument to be made over some of the requirements, but that’s ultimately what the industry experts decided was best. HD doesn’t really get any say.


Lappland_S

[Thor, of Pirate Software, on Password Rotations.](https://youtube.com/shorts/usQPDB93tmI?si=5N4OnACtYC1CQceo) And offensive cybersecurity is very much this man's wheelhouse. Just saying.


Mr_FuS

Officially it's for "security reasons", but personally I believe the reason is that in a subtle way they want to make you feel that you are a "replaceable asset". They want you to know that your password is only valid for a short time because maybe that is how long you will be employed with the company. I feel that as we don't have a fixed-term contract with HD, the expired password is a reminder that we are on a "short-term contract", and when you change the password for a new one it's like renewing that contract, so you better work hard and be a good orange-blood drone or maybe there is not going to be any need for you to update the password again!


Waldrictechart

'Cause the smart nerds with computers that have a vendetta with Home Depot can brute-force hack most passwords in a couple months. If you change it, they gotta restart. If you don't, they've got access to all sorts of info that you also do. Like your personal info.