435
What industry secret are you aware of that most people aren't?
(programming.dev)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 24 Jun 2024
435 points (98.0% liked)
Asklemmy
42608 readers
833 users here now
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- [email protected]: a community for finding communities
~Icon~ ~by~ ~@Double_[email protected]~
founded 5 years ago
MODERATORS
IT, more specifically user support.
Let's talk passwords. You should have a different password for every site and service, over 16 character long, without any words, or common misspellings, using capital, lowercase, number and special characters throughout. MyPassword1! is terrible. Q#$bnks)lPoVzz7e? is better. Good luck remembering them all, also change them all every 30 days, so here are my secrets.
1: write your password down somewhere, and obfuscate it. If an attacker has physical access to your desk, your password probably isn't going to help much. 2: We honestly don't expect you to follow those passwords rules. I suggest breaking your passwords down into 3 security zones. First zone, bullshit accounts. Go ahead and share this one. Use it for everything that does not have access to your money or PII (Personally Identifiable Information). Second zone, secure accounts, use this password for your money and PII accounts, only use it on trusted sites.Third, reset accounts. Any account that can reset and unlock your other accounts should have a very strong and unique password, and 2FA.
Big industry secret, your passwords can get scraped pretty easily today, 2FA is the barest level of actual security you can get. Set it up. I know it's a pain, but it's really all we've got right now.
This is a method I heard once for remembering random passwords that I thought was clever.
Create your own alphabet of words (or random characters). A is for Apple, B is for Boy, C is for Cat…etc.
For every letter in the URL, you use the word from your alphabet. Ex:
www.facebook.com
F = Fog, A = Apple, C = Cat, E = Egg, B = Boy, O = Off, O = Off, K = Kite
Next, you need a number if you didn’t use one in your alphabet.
Facebook is 8 letters long so I might use 8. Or only letters repeated once. Or maybe you use the whole URL. Up to you, but you do it the same way for every site. You create a patter that you follow and can remember, rather than remembering every password.
Need a symbol? Assign that to the top level domain. In my example, .com = # .edu = ? .org = * etc
Put it all together and my example password would be “8FogAppleCatEggBoyOffOffKite#”.
A password for google.com might be ‘6GolfOffOffGolfLogEgg#’.
Obviously, you don’t have to do it this exact way with the alphabet, number, and symbol. The idea is that you create a set of rules that you remember and follow. If you write down “A = Apple B = Boy…” and someone finds it, it won’t be instantly obvious that it is meant for passwords.
This is terrible. If someone gets a couple of your passwords it’s pretty easy to work out the patterns and gain access to your other accounts.
Don’t complicate it. Use a password manager. I know none of my passwords and that’s how it should be.
For someone to work it out, they would have to be targeting you specifically. I would imagine that is not as common as, eg, using a database of leaked passwords to automatically try as many username-password combinations as possible. I don't think it's a great pattern either, but it's probably better than what most people would do to get easy-to-remember passwords. If you string it with other patterns that are easy for you to memorize you could get a password that is decently safe in total.
A password manager isn't really any less complicated. You've just out-sourced the complexity to someone else. How have you actually vetted your password manager and what's your backup plan for when they fuck up?
When Dashlane reports a breach. I change my passwords.
So no vetting at all presumably since you didn't mention it? So how do you know that Dashlane is safer than a password scheme that might be guessed by someone after they've already compromised a couple of your passwords?
Dashlane is pretty big and I’ve not seen any negative reports from security researchers. They offer bug bounties for people that do find vulnerabilities etc.
I believe the consensus is that password managers are better than any human password scheme. I could host my own manager but then there are more vectors for an attack, and why reinvent the wheel.
I Guess we already have a couple of his passwords ... Good job man, Sorry whats your name ?
Not bad, but I could see that creating passwords that are too long for some systems, and it would be vulnerable to dictionary attacks. Also, what would you do when the site requires a password reset?
Maybe do your strat, but only do every other, or every 3rd letter as a short word, and use a Caesar cipher, incrementing the cipher once each time you have to reset? Sounds kinda fun, but I don't think most sane people would do that... Open to ideas though.
I've come across several sites with abhorrently short password limits, as low as 12.
Worse, 2 of them accepted the longer password, but only saves the first n characters, so you can't log in even with the correct password, untill you figure out the exact max length and truncate it manually.
Even worse, one of those sites was a school authentication site, but it accepted the full password online and only truncated the password on the work computer login. That took me an entire period to suss out.
You just gave me a flashback to a system I encountered as a student where my password got truncated, so I couldn't log in. I had to ask the teacher what to do, expecting her to have access to a reset or something, but she just told me what my password was. It was like 3 and a half words, clearly truncated and stored in plain text.
I personally just use a pw manager. If I used them system myself, the alphabet words would probably be strings of characters that aren’t real words and I’d probably salt them too. But yeah I imagine you could run into size limits, which is a problem.
I just wanted to share a pw strategy that seemed interesting. I used a simple pattern to make the concept easier to understand.