this post was submitted on 27 Oct 2023
1189 points (97.9% liked)

Memes

top 50 comments
[–] Holzkohlen@feddit.de 101 points 2 years ago (5 children)

The only good passwords are those you don't know yourself because they are randomly generated and all stored in your password manager of choice.

[–] PieMePlenty@lemmy.world 54 points 2 years ago (3 children)

Until some locked down tv/console type device asks me for a password.

[–] vsis@feddit.cl 10 points 2 years ago (6 children)

I use an off-line libre password manager for badly designed government stuff that only accepts numbers as passwords or doesn't allow pasting it.

It's not that hard and I easily get used to it. I read it, type it and forget it again.

[–] tilcica@lemm.ee 15 points 2 years ago (1 children)

depends on the password manager....

also, the length of the password is WAY more important than it being randomly generated as long as it's not in a password dictionary somewhere. I use 20+ character passphrases that I can easily remember everywhere, for instance

[–] MrVilliam@lemmy.world 9 points 2 years ago (5 children)

My strategy is to have a persistent short passphrase that's within every password I use, and pair it with a silly bastardization of the service I have an account for. So, for example, if my passphrase were hunter2 (lol) and I had an account on Netflix, my password for Netflix might be something like hunter2NutFlex. Because of this, I can manage my own passwords in basic text as "code NutFlex" because the "code" portion is encrypted in my own fucking brain. If Netflix gets hacked, somebody has a password that only works with Netflix, and they'd need my text file as a Rosetta Stone to acquire my other passwords. Not impossible, but who the fuck am I and why would anybody dig that deep to do that to me?

I'm no IT expert, so somebody tell me if this is a stupid and overly vulnerable strategy. I thought I was pretty brilliant for coming up with this and rolling it out several years ago.

[–] tilcica@lemm.ee 7 points 2 years ago

I am an IT person (wouldn't say expert) and I do this. password cracking time is based on the number of characters, not the type of char, so you can do "abcdefghijk" and it will be more secure than "_a;" (both are still weak but my point stands)

all of this can be broken if you just use common passwords or plain English words since those are broken with dictionary attacks
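An added example, not from any commenter in this thread: a small Python estimator of the brute-force search space from both password length and alphabet size, plus a dictionary-aware estimate for passphrases built from wordlist words, so the two comments above (long vs. short passwords, and dictionary words) can be checked with numbers. The toy wordlist and the 1e10 guesses/second cracking rate are constructed assumptions.

```python
import math
import string

# Constructed toy wordlist standing in for a real 7776-word diceware list;
# the lookup set is tiny, the size fed into the entropy estimate is not.
SAMPLE_WORDLIST = {"correct", "horse", "battery", "staple", "cardboard", "fort"}
REAL_WORDLIST_SIZE = 7776
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation, " "]


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover, given the character classes present."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_bits(password: str) -> float:
    """Search space in bits = length * log2(alphabet); both factors matter."""
    return len(password) * math.log2(charset_size(password))


def segment_into_words(password: str, wordlist: set):
    """Fewest dictionary words that concatenate to password (DP), else None."""
    best = [None] * (len(password) + 1)
    best[0] = []
    for i in range(1, len(password) + 1):
        for j in range(i):
            if best[j] is not None and password[j:i] in wordlist:
                if best[i] is None or len(best[j]) + 1 < len(best[i]):
                    best[i] = best[j] + [password[j:i]]
    return best[-1]


def effective_bits(password: str, wordlist: set = SAMPLE_WORDLIST,
                   wordlist_size: int = REAL_WORDLIST_SIZE) -> float:
    """Strength seen by an attacker who also tries word combinations:
    a passphrase is worth only words * log2(wordlist size)."""
    bits = brute_force_bits(password)
    words = segment_into_words(password, wordlist)
    if words:
        bits = min(bits, len(words) * math.log2(wordlist_size))
    return bits


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try the whole space at an assumed offline cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)
```

Running `effective_bits` on "abcdefghijk", "_a;" and "correcthorsebatterystaple" shows the 11-character lowercase string and the 4-word passphrase land at about the same 52 bits, while the 3-character symbol mix is far below both.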

[–] Kedly@lemm.ee 31 points 2 years ago* (last edited 2 years ago) (3 children)

Counterpoint: Password Manager = One point of failure

Multiple Strong Passwords that have to be changed every 3 months even to sign on to your cornerstore rewards program without a password manager? Guess you're never accessing any account older than 3 months because you've forgotten th3 b1lli0n$ oF s+r0ng p4s5w0rds Y0u h4Ve cr3atEd!

[–] Catsrules@lemmy.ml 21 points 2 years ago (1 children)

Actually you are the single point of failure

https://xkcd.com/538/

[–] Kedly@lemm.ee 6 points 2 years ago

I mean yeah, the security benefit from being un-notable isn't negligible

[–] FakinUpCountryDegen@lemmy.world 10 points 2 years ago (3 children)

That's...not a counterpoint.

You can have strong authentication on your central password manager, and have an encrypted container protecting it.

There is no logical argument against password vaults as a concept. There are bad implementations of specific password vaults, but a password vault is the answer for the highest possible password based security available in 2023.

[–] 0xD 9 points 2 years ago* (last edited 2 years ago) (1 children)

Okay and now let's get into threat modelling and risk management.

What is the purpose of a password manager? What are the possible threats against them, and what are those against singular passwords for services? What is the risk of each of those?

[–] Kedly@lemm.ee 7 points 2 years ago (4 children)

Guys, before you argue with me, password security is something that EVERYONE in the 1st world has to deal with, not just tech nerds. If you need to grow up around computers or take a class for it to be a good form of security, it's a shit form of security for the general public

[–] kamen@lemmy.world 30 points 2 years ago (3 children)

Imagine a site telling you "Sorry, you can't use asdf123 as your password: you've already used it on that other site".

[–] FakinUpCountryDegen@lemmy.world 6 points 2 years ago

It would be better if you had a local tool telling you that - one that you control and only exists on your personal devices, kind of like secure messaging platforms such as Signal.

Another great layer would be for all compromised passwords found in breaches to never be usable anywhere ever again, thus helping to thwart the most common form of breach we see today: credential stuffing.

[–] The_Eminent_Bon@lemmy.world 27 points 2 years ago (1 children)

So your password is cardboard fort?

[–] KnowledgeableNip@leminal.space 33 points 2 years ago (2 children)
[–] remotedev@lemmy.ca 19 points 2 years ago (1 children)
[–] MrVilliam@lemmy.world 6 points 2 years ago

That's amazing! I've got the same ~~combination~~ password on my ~~luggage~~ account!

[–] GissaMittJobb@lemmy.ml 20 points 2 years ago (4 children)

Just use a password manager, then you get the benefits of having a single password to remember without the security-related downsides.

[–] Rubanski@lemm.ee 18 points 2 years ago (4 children)

I never got over the fact that I somehow need to trust a piece of proprietary software to an absurdly high degree to store ALL my passwords. Is this really a good idea?

[–] Aicse@lemmy.world 20 points 2 years ago (6 children)

You can use KeePass, but you'll have to figure out a way to have your password vault available on other devices (can do it by using any cloud shares, i.e. GDrive). This way you'll be in charge of almost every aspect of your passwords. But you'll have to take care of backups and keep everything in sync.

[–] Viking_Hippie@lemmy.world 11 points 2 years ago (3 children)

KeePass

I'm sorry but no. I'm physically incapable of not moving the capital letter one space and I'm not entrusting my passwords to what I've irrationally decided IS named KeepAss. I just can't.

[–] Amaltheamannen@lemmy.ml 12 points 2 years ago

I like Vaultwarden. Open source rust server compatible with bitwarden.

[–] kjo@discuss.tchncs.de 9 points 2 years ago

And then there's KeePassXC.

Get it? Keep-Ass-Sexy :)

https://en.wikipedia.org/wiki/KeePassXC

[–] Honytawk@lemmy.zip 7 points 2 years ago (1 children)

Just imagine keeping your passwords in your ass and you should be fine.

[–] vsis@feddit.cl 9 points 2 years ago (8 children)

There are libre off-line password managers. Variants of Keepass for example.

Indeed it's a bad idea to store passwords in a proprietary system. Especially a cloud-based one that gets hacked from time to time, like 1password.

[–] Mr_Dr_Oink@lemmy.world 8 points 2 years ago (6 children)

So all my passwords are locked behind a single password? Isn't this essentially the same as using the same password for every site, in that they only need to crack one password to have access to everything?

[–] Pfnic@feddit.ch 7 points 2 years ago

In theory, yes but if you use a good password manager and have a strong master password the encryption should be practically impossible to break. The fact that you only have to remember one password means that this password can and should be a very strong one. 20+ characters with upper and lowercase letters, numbers and symbols should take centuries to crack.

[–] baatliwala@lemmy.world 6 points 2 years ago* (last edited 2 years ago) (2 children)

You should be safe as long as your master password isn't small, less than 15 characters. The longer the password, the better. Personally what I do is use a pass phrase to make it easily memorable, and then use it as a base to inflate security somewhat artificially.

Wrap the pass phrase around in brackets or symbols; mix lower/upper case; replace (or add to) a word in your pass phrase with one from a random other language, so instead of hello you type bonjour. Bonus points if you are able to replace even a few letters in your pass phrase with fancy diacritics, or fuck it add an emoji or two.

Then again there are a LOT of other factors which go into security. Theoretically the lyrics of song are decent as a pass phrase but there's not much point if everyone knows what your favourite song is, or if you are learning Spanish then you'll replace the English words with Spanish.

Unless you're in a position where you're targeted by nations or are working extremely high profile jobs like CEO or digital security you should be safe really with all these but as I said there's a lot to keep in mind.

[–] youngGoku@lemmy.world 17 points 2 years ago

It was literally a battle for me to have a strong unique password for our baby monitor... Wife was not happy about that but I came out on top.

[–] Paradachshund@lemmy.today 16 points 2 years ago (7 children)

Everyone talks about password managers these days, but isn't that telling the hackers exactly where to go to get all your passwords? Seems like a much higher chance of catastrophic failure to me if you have a single point of entry.

[–] moonmeow@lemmy.ml 17 points 2 years ago (6 children)

Yes that's definitely a concern to keep in mind.

The problem is that if someone doesn't use a password manager they're more likely to reuse weak ones.

Using a password manager is a better path, as long as there is awareness on how to keep it secured.

[–] Hexarei@programming.dev 11 points 2 years ago (12 children)

Only if you're using a third-party password manager, rather than something stored/managed locally.

[–] Fiivemacs@lemmy.ca 8 points 2 years ago (1 children)

I just use a password manager for my password manager's password manager. 2fa on all of em. Takes me forever to login

[–] Paradachshund@lemmy.today 6 points 2 years ago (3 children)

I dunno, doesn't sound like enough layers to me. We can go deeper

[–] Agent641@lemmy.world 10 points 2 years ago* (last edited 2 years ago) (1 children)

I've actually come up with a way to have a complex and unique password for each service which is also resilient against forced password changes, doesn't require a password manager, and if I'm being tortured I still won't be able to tell them what it is because I don't know it unless I'm at the login screen. If the service changes the layout of their login screen though, I'm fucked.

[–] mac12m99@feddit.it 7 points 2 years ago (1 children)
[–] BigBlackCockroach@lemmy.world 7 points 2 years ago (1 children)

It must be some sort of compression algorithm of the information presented at the log-in screen.

[–] ours@lemmy.world 14 points 2 years ago (8 children)

If they change/rebrand the login he's screwed. Just use a password manager people.

[–] clanginator@lemmy.world 8 points 2 years ago* (last edited 2 years ago)

I came up with a formula for my passwords - as easy to remember as a single password and makes a unique login for every site feasible without a password manager. Can be updated as often as you like and all you gotta do is remember the latest version of the formula. At the very least, the hashes will be different and it'd take someone having more than two of my passwords to figure out the pattern.

I also use over 100 email aliases with my own domain name so that my most important accounts have a separate login that isn't a common domain that wouldn't be easy for someone to guess.

It would take a lot of concentrated effort for someone to get at any of my important accounts, and even my less important ones would be pretty difficult to get into even if multiple accounts are compromised, due to using a smaller pool of aliases under common domains for less important accounts.

Someone got into half a dozen of my accounts a few years ago and I finally started taking security seriously.

[–] ReaperWithASniper@lemmy.world 6 points 2 years ago

This meme couldn't explain it better - a strong password crumbles like a cardboard castle when used across multiple sites. Nails the message to the T.
