There is also use a password manager and reset the password everytime because the site blocks them and locks it out.
I have relatively long Passwords, because why not, and had problems with pages restricting the number of characters you can enter in the login window, but not the registration window. Or restricting password length and cutting your password off, but not telling you about it, so you gotta figure out that they set the first 30 characters of the saved password as your password.
Always fun to deal with. I could make it a lot easier for me by just using shorter passwords, but I think deep down I’m a masochist.
I have relatively long Passwords, because why not
Typos is why I don’t make mine longer or more complicated.
Bitwarden inserts them automatically, and if I ever have to do it manually for some reason, it just doubles the fun. Hasn’t happened to me yet, though.
That strongly depends on whether you are allowed to copy and paste:-)
If I can’t paste my password I will almost always choose not to use the site, if I have the option. I can’t understand why they would prevent that.
I have several password manager plugins installed on my browser, along with the built-in password managers in the browser and the OS itself, because I like seeing them all fight over the password field.
The worst version of this I’ve ever seen is a site that enforced a password policy on the “current password” field on the “change password” interface. I had an existing password that violated their policy (either because they changed the policy or a technician created a “temporary” password for me, I forget), and I could not change it to a proper password because my current password would get rejected.
deleted by creator
We have the worst password policy I’ve ever dealt with at my current employer.
My bank has, for being a bank, very very bad character support. Best thing is, I’m basically gonna work for that bank.
For years my bank only allowed numerical passwords. The maximum length was 8.
They changed it somewhat recently.
me when my bank is less secure than a fucking door lock
But they had a strict lockout policy, right? Right?
One of the largest banks in Australia (Westpac) used to require passwords to be exactly 6 characters (no more, no less) and they were case insensitive. It also had a fun ‘denial of service’ attack built-in: If you got it wrong three times, it’d lock the account and force you to go to the bank to unlock it, meaning anyone that knew your bank username could lock you out of your account and cause some pretty big headaches. Fun.
In fact, I’m not sur whether they ever fixed this. Haven’t used their services in a long time.
The highly regarded password policy of my last employer was one of the many things that pushed me over the edge and made me leave for greener pastures. I had to manage something like 9 different passwords, with the main one having changed to 16 chars min with all of the usual number/symbol/CAP requirements.
My employer software has us log in with just our password, no username. I don’t know exactly what’s going on in the backend but I know I don’t like it.
Create a new account every time?
Change password every day, and the required password length and complexity increases each time you change your password.
Bitwarden has a password generator that you can set criteria for, been really helpful with one of my janky logins
Password game irl
Ah yes, they’ll never obtain my password if not even I know it.
Forgot to add “Add a comma in your password, so if the all the user logins get leak, it will destroy the CSV file it gets uploaded to”.
It won’t destroy the .csv file, but your (below standard) client might have issues reading it. That woman from The Office knows those are not the same thing.
Add a drop table statement to it while you’re at it
Whenever I feel that my passwords are insecure, I offer them a few encouraging words.
Hey, unrelated question, what’s the mother’s maiden name of your password?
If I told you, then my password would be insecure. You see, that’s a sensitive case for them.
I like the DocuSign model. Just focus on securing your one account (email) and then make all the others use it as single factor.
Until you get locked out of your email account and can no longer access anything. This happens all the time with freemail (Gmail, Hotmail, Yahoo, etc) accounts.
The contents of mails also shouldn’t be considered secure. I like the idea of doing proper SSO through an email provider though - for example, using OIDC (OpenID Connect).
If websites could just remind me on the login in screen what their password requirements are that would help me a LOT.
So many times I start going through the “forgot my password” steps and then when I see the password requirements are “at least 10 characters long with 2 unique symbols” I remember what it was and can go back and log in.
Listing those requirements up front would make things way easier for brute force attackers
Brute Force attacks haven’t been effective for decades. Not since they implemented delays between attempts and times outs/lock outs for too many failed attempts.
Listing those requirements up front would make things way easier for brute force attackers
They list all those requirements when you try to create an account. If anyone wants to try to brute force they already have that info.
Fun fact: it would take about 37 billion years on average (at current (known) tech) to brute force a 16 character alphanumeric password which uses uppercase ie. using at least one of each of a-z,A-Z,0-9
Adding special characters would not make it easier. A trillion years seems like a long time. (Unless your password is ThisIs4Password!)
https://www.komando.com/wp-content/uploads/2021/03/Passwords-chart-970x510.jpg
If you brute force using single iterations of all possible combinations sure. But people don’t do that. They use fully readable passwords and letter substitutions. This makes dictionary attacks viable. There are a known number of readable words and phonetic combinations that are significantly easier to brute force. And also the vast majority of numbers are also guessable because most numbers are dates. Series of 2 or 4 or 8 numbers to form important dates means there are lots of numbers between 1940-2024. People don’t usually unconditionally random alphanumeric passwords. Therefore peoples passwords will never be fully secure against sufficiently advanced brute force methods.
Also, online logins should lock you out temporarily after a few failed attempts anyway, making brute force a complete non issue.
Also also, if you’re going to try to brute force someones pw, you would just look up the requirements beforehand anyway.
Or just use a password manager and solve that problem yourself right now forever.
But don’t use lastpass, they are the most popular, and with the largest breach history. In fact, if you are capable of the admittedly high bar of self hosting, use bit warden instead.
In fact, if you are capable of the admittedly high bar of self hosting, use bit warden instead.
Vaultwarden, typically, because it’s fully free and more resource efficient. But bitwarden as the client of course.
Why? Bitwarden has a free tier you don’t have to self host
But don’t use lastpass, they are the most popular, and with the largest breach history.
This is exactly why I don’t want to use a password manager. Storing all my passwords in one place online doesn’t exactly sound secure.
Right? I’m right with you. I keep a password book I can lock up in the safe. No online hacker can get to that.
I use a pattern relative to the site name, with a different email address for every site also relative to the site name. The pattern means the password is always different but I always know that it is.
I would rather recommend using KeepassXC, and storing and syncing the database with your other devices using Syncthing. Supereasy to set up, and works flawlessly with my pc and my phone.
KeepassXC has nice features like global autotype btw, so for webpages i can insert my payment information with one hotkey. no need to save your CC in your browser.
Sign a random string with your private key to be verified by a public key on server.
You’re describing Passkeys/WebAuthN
Can you send the link for it? I was unaware of this.
Just need a password to sign now. 🥲
For any self-hosted services you use, run something like Authentik and configure all the apps to use it for auth via OIDC (OpenID Connect). Makes the experience a lot nicer, instead of every service having its own separate user system.
I use Keycloak at work. How does Authentik compare?
I’ve never tried Keycloak so I’m not sure, sorry.
One feature Authentik has that I don’t think Authelia nor Keycloak support is operating as an LDAP server. With Authelia at least, you have to run a separate LDAP server if you need LDAP. With Authentik, it’s built in.
I guess I’ll have to do the research myself. Ohh bother. I can tell you that Keycloak can use a postgresql db or ldap but it is not built in. I honestly really dislike LDAP though. It’s an old protocol that has terrible client support and the only real reason to use it imo is if you need to support really high number of users and traffic, like in the millions.
You still want a local account though. Learnt that the hard way.
Why? In case authentik goes down, so you can recover data? Or something else?
I am settting up authentik and other selfhosted services right now and my plan was for authentik to have all the accounts.
Bitwarden is your friend.
One of each please.
i do 2 and 3
Good security with easy recovery! Amazing!
My father does that by adding pepper in his password manager. And having a shitty one word master password. The whole thing is both needlessly convoluted and poorly secured. It’s fucking atrocious.
If the password database is just locally stored/accessed, then it’s still not as bad. Usually password compromising happens because an online service gets hacked or has a bug. That’s why it’s bad to use the same password multiple times. The biggest risk of having the personal machine targeted directly is via scams or other social engineering attacks. And if your dad fails those, then a strong master password wouldn’t make a difference.
It’s synced between a number of machines via a cloud provider. Not sure which one. So there’s a faint risk of having the online archive expised, as those things do happen on occasion.
If you think about it the last option is a way to use login via 2fa
Nah it’s just SFA with extra steps.
Magic link login with extra steps
This is more correct
But you only need one factor, access to your inbox?
So it’s more like SSO authentication
SSO without 2FA
Shit, are we getting to that point where all non-password logins are “2fa” like how all denial of services are “DDoS”
Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!
… Its still a shit security design. Better to have username, pass and a security key hehe
Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?
I think you got it wrong what i meant (?)
Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
Websites generally dont work this way, i know. But thats how id implement it :')Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.
It’s all good until you get into a dependency loop with your email account passwords needing resetting, that have the email from the other account that needs resetting :P
That’s easy, just create new accounts every time you login.
And everything is done in Tails.
