Who wants to address this one?

  1. There are people who say "you don't understand security" if you say "password requirements are getting out of hand."

  2. No one likes it when a website won't take the password they wanna have on their account and forces them to have a weirdo password.

  3. Oh yeah? When I was in the military I was in a supply MOS. I had about 10-15 different systems I had to access regularly. They all had reqs like this: at least 12 characters; 2 upper case, 2 lower case, 2 numbers, 2 special characters; no words longer than 3 letters; must update every 60 days; can't repeat any of your last 10 passwords. Some even had: can't share more than a 3-character string from your last password. I literally had a .txt file on my desktop with every password, current and previous, for everything. Logging in to my machine only required my CAC and my 8-digit PIN.

  4. Ooh, bonus points if you can't use any characters other than letters, numbers, -, _, and like 1 more from the grab bag. Dammit man, some of us paid for the entire ASCII and are going to use the whole ASCII.

  5. Yeah I was gonna say I high key agree with her. I have never had my password guessed without some fucking site leaking it beforehand.

  6. Man, if only sites would actually allow me to use that. On one service I had a password of 12 words, which was just a couple of lines of one of my favorite poems, altered slightly. Had no problems remembering it.

  7. I bet you had a similar password to the majority of the other users. Because that is the first thing that comes to mind with such an arbitrary requirement.

  8. Just make it a sentence. “Fatbottomgirlsyoumaketherockingworlfgoround90001” is going to take a hell of a long time to get brute forced and if the hacker has a way to get it then the size of your passcode wasn’t going to help in the first place.

  9. And that runs into something like "your password must not contain the same character more than twice"

  10. I have my password manager set up to generate complex passwords. What really grinds my gears are the sites that complain my password is too complex. "I'm not allowed to have a password longer than 8 chars and it can't use symbols???"

  11. My previous bank forced users to have an eight-digit NUMBER as their password. And you could choose not to enable 2FA. Now at least 2FA is mandatory.

  12. The worst one is changing my password every 3 months at work, which is somehow the standard nowadays it seems.

  13. I had a company that made me do that. If you still have to do this, show your IT guys the multitude of articles that say not to do this. Even the government knows better now:

  14. While the original comment makes no sense, now so many people have their passwords written on an email/notebook/text file because of this.

  15. Password managers with excellent UX seem like the only solution to me. And then security-audit the hell out of them constantly.

  16. "Your password must be 20 characters long, contain a capital letter, lowercase letter, two numbers, a special character, one Korean character, two Arabic characters, one of those weird accented ones from a European country of your choice, and at least one attempt at SQL injection."

  17. There have been studies done that show that extremely complex passwords aren’t even more secure anymore. No one brute forces, and once you hit a certain point of complexity it likely wouldn’t be worth the effort to brute force even if someone were to try.

  18. The modern NIST guidelines (800-63) do away with password complexity and aging entirely and simply say use MFA, as they recognize that users are stupid and will still make passwords that are easy for a computer to guess.
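
The checks comment 18 is talking about, written out as an added example (this is not code from the thread or from NIST): a memorized-secret verifier in the spirit of SP 800-63B section 5.1.1.2. It enforces a minimum length, accepts long inputs, spaces and Unicode, NFKC-normalizes before comparing, and rejects blocklisted, repetitive, sequential and account-specific values, with no composition rules and no expiry. The `BLOCKLIST` is a constructed stand-in for a real breached-password corpus, and the function names are this example's own.

```python
# Added example, not from the thread: a memorized-secret check in the spirit
# of NIST SP 800-63B, section 5.1.1.2. Rules applied:
#  - at least 8 characters; at least 64 must be accepted (we allow up to 256)
#  - every printable character, including spaces and Unicode, is allowed
#  - input is NFKC-normalized first, so "ä" and "a" + U+0308 compare equal
#  - the value is compared against a blocklist of known-bad passwords,
#    repetitive/sequential strings, and context-specific words (the
#    username and the local part of the e-mail address)
#  - no composition rules ("one upper, one digit, ...") and no expiry
import re
import unicodedata

MIN_LEN = 8
MAX_LEN = 256   # SP 800-63B requires verifiers to accept at least 64 chars

# Constructed stand-in for a breached-password corpus; a real deployment
# would consult a large list (for example an offline copy of a breach set).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical inputs hash and compare the same."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive(secret: str) -> bool:
    """Same character four or more times in a row, e.g. 'aaaa'."""
    return re.search(r"(.)\1{3,}", secret) is not None


def is_sequential(secret: str) -> bool:
    """Four or more consecutive code points, e.g. 'abcd' or '4321'."""
    codes = [ord(c) for c in secret]
    for i in range(len(codes) - 3):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + 3)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(secret: str, username: str = "", email: str = "") -> list[str]:
    """Return the list of rejection reasons; an empty list means 'accept'."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too_short")
    if len(s) > MAX_LEN:
        reasons.append("too_long")
    low = s.lower()
    if low in BLOCKLIST:
        reasons.append("blocklisted")
    if is_repetitive(low):
        reasons.append("repetitive")
    if is_sequential(low):
        reasons.append("sequential")
    # Context-specific words: the account's own identifiers are trivial guesses.
    local_part = email.split("@")[0] if email else ""
    for ident in (username, local_part):
        if len(ident) >= 3 and ident.lower() in low:
            reasons.append("contains_identifier")
            break
    return reasons


def is_acceptable(secret: str, username: str = "", email: str = "") -> bool:
    return not check_password(secret, username, email)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple", "alice2024!!"):
        print(repr(candidate), check_password(candidate, username="alice"))
```

Note what is absent: nothing here counts uppercase letters or symbols, so a long passphrase with spaces passes while an eight-character "P@ssw0rd!" style value is judged only on whether it is on the blocklist, repetitive, sequential or built from the account name.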

  19. Top comment of the other thread already says "password manager"; nothing needs to be addressed, teaching these people is wasted time.

  20. Unpopular opinion: She's right. Not about "firewalls" somehow keeping hackers and phishers out since I wouldn't expect a layperson to know all the security terminology; but about companies doing more to secure their own websites instead of placing it all on users' password complexity.

  21. I feel like passwords are rarely brute forced these days because it would take too long, because there are checks for incorrect passwords that a lot of modern login forms have; they will block you for x amount of time or deactivate the account.

  22. The point of strong passwords isn't to block on-line brute forcing -- as you say, they have measures like blocking you after X failed attempts.

  23. Yeah, that's the point of the hashes. Then you have Experian, TransUnion, Equifax, banks & Sony getting hacked with their plain text passes... so that doesn't help.

  24. I've got a pretty simple formula set up so all my passwords are created in the same manner, but so different they're near impossible to hack... that is until they ask for a special character and throw off my rhythm.

  25. What I don't understand is, with the prevalence of biometric sign-in options AND automatic sign-in options, why do we even know our passwords anymore?

  26. And then you get an email saying you have to change your password from "Jennifer 1<3u" because of that rule and then you find out your girlfriend just dumped you that morning but didn't tell you yet.

  27. She raises a good point. The more complicated passwords are required to be, the less likely people are to use unique passwords, the more likely people are to write them down, and the more likely people are to forget them and need password reset functionality. Each of these is a security risk in its own right.

  28. My password is usually just like a short sentence then 1234! at the end. That’s the only way I’ll remember it. Tried the thing where you replace letters with numbers or symbols and always forget it.

  29. Ok. Here goes. Your house needs a key. But the key is stuff you can type on a keyboard. You can't block the key hole, because that would block you, too. So how do you wish to proceed? We can let you use something easy to guess, but you'll blame us when your house gets robbed tomorrow, or we can make it slightly harder, and you'll still blame us when it gets robbed two weeks from now even though you've reused the same key for twenty years. You decide.

  30. I agree with her. Her position may not, exactly, be coming from a position of knowledge, but her sentiment and our mission remain the same. It's the user's job to use the system and it's our job as developers and IT personnel to secure it. Passwords are an outdated and inherently insecure means of securing a website or app. At the very least, for a password to be of any use today, it needs to be paired with some manner of two-factor authentication. Passwords are short, crappy keys that are usually easy to guess given the stringent password schemes and the fact that people, unfortunately, routinely make passwords based on simple, easy to guess trivia about themselves. We already have better solutions at our disposal and everyone will be happier when we get away from this decades-old system of securing computers.

  31. Got this recently. None of my super strong passwords work. Not even when doubled over itself. So I proceeded to bash my keyboard until the character quota was met, and voila, it worked! I saved it in an email somewhere, which defeats the purpose of keeping the password safe.

  32. "somebody" should make a random password generator that uses random letters of random language characters. A/a B/b C/c is only 52 possible choices. Try and crack something in thousands per character lol

  33. I like how the requirement of "EiGhT AlPhAnUmErIc ChArAcTeR AnD oNe SymBoL" is bs. Just give me a target entropy and I will use a randomly generated password or a passphrase.
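
Comment 33's "give me a target entropy" and comment 32's "random letters of random language characters" both come down to the same arithmetic, shown here as an added example (not from the thread): a uniformly random choice of `length` symbols from an alphabet of `N` symbols has `length * log2(N)` bits of entropy, so the alphabet size only changes how many symbols you need, not whether the target is reachable. The function names and the 32-word `WORDLIST` are constructed for this example; real passphrase lists such as the EFF long list have 7776 words.

```python
# Added example, not from the thread: sizing a random password or passphrase
# to a target entropy instead of to composition rules. Entropy here depends
# only on how the symbols were chosen (uniformly, with a CSPRNG), never on
# which characters happen to appear in the result.
import math
import secrets
import string

ASCII_PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ALNUM = string.ascii_letters + string.digits                                  # 62 symbols

# Constructed 32-word list (5 bits per word). A 7776-word diceware-style
# list gives about 12.9 bits per word, so far fewer words are needed.
WORDLIST = [
    "apple", "basin", "cedar", "delta", "ember", "fjord", "glass", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nickel", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "anchor", "bridge", "canyon", "desert", "falcon", "garden",
]


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy contributed by one uniformly chosen symbol."""
    return math.log2(alphabet_size)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform choices from the alphabet."""
    return length * bits_per_symbol(alphabet_size)


def symbols_for_target(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose entropy reaches the target."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def generate_password(target_bits: float, alphabet: str = ASCII_PRINTABLE) -> str:
    """Random password of exactly enough characters to meet the target."""
    n = symbols_for_target(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def generate_passphrase(target_bits: float, wordlist=WORDLIST, sep: str = " ") -> str:
    """Random passphrase of exactly enough words to meet the target."""
    n = symbols_for_target(len(wordlist), target_bits)
    return sep.join(secrets.choice(wordlist) for _ in range(n))


if __name__ == "__main__":
    target = 80
    for name, size in (("94 printable ASCII", 94), ("62 alphanumerics", 62),
                       ("32-word list", len(WORDLIST)), ("7776-word list", 7776)):
        print(f"{name:>20}: {symbols_for_target(size, target)} symbols for {target} bits")
    print(generate_password(target))
    print(generate_passphrase(target))
```

Reading the table the `main` prints makes the forum's point concrete: 80 bits is 13 characters from the full printable set, 14 from letters and digits only, or 7 words from a large wordlist, and a site that insists on "one symbol" adds nothing the length did not already provide.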

  34. Password requirements are really just silly now. A minimum length makes sense, but to get into an account you need to know all the login information, which is why pairing with a username and password does actually help ... so long as the website doesn't get cracked.

  35. The easiest solution is to make OSes come with a password manager that encrypts your passwords inside your PC, make your email a password that is remembered but not easily guessed, and then just randomly generate passwords and store them.

  36. My favorite rules come from a client of mine. We were talking one day about passwords and she laughed at me, then sent me their rules.

  37. I find it infuriating that there often are minimum password requirements anyway. Of course, I use safe passwords for all my main accounts, but especially when I just want a throwaway account or something like that, it's just annoying.

  38. I knew a website which basically had password requirements like that, but then stored them in the DB in plain text form with a 4-digit DB password.

  39. Man, usernames and passwords are such a bad system. I would honestly go as far as to say that TOTP codes or other 2FA methods should become the primary login methods. If the password is memorable then it’s too easy to crack and if it’s sufficiently difficult to crack then it’s too hard to remember. Then they get written down or stored in a password manager where they can easily be found with the right social engineering.

  40. I almost guarantee even those who give advice on making good passwords don't actually follow their own advice. Long, random letters/numbers/symbols, different for every place, changed regularly and not written down anywhere? Anyone who can actually keep that much info in their head must have some amazing memory.

  41. Password managers are a thing. Yes, online ones are a single point of failure, but when there's only one password, you can expend all those neurons on trying to remember a 16-char secure password.

  42. Most advice on making good passwords that I have heard doesn't include almost any of that. Generally it seems to be to use a password manager and come up with 1 strong password for it.

  43. It’s called paper. It’s this cool thing that can’t be hacked. All you do is write down - with a pen, to clarify - what your password is carefully and in print. Then, you don’t have to remember it! Wow!
