this post was submitted on 27 Nov 2023
257 points (97.8% liked)

Technology

59578 readers
2784 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Largest Study of its Kind Shows Outdated Password Practices are Widespread::undefined

all 48 comments
sorted by: hot top controversial new old
[–] lolola@lemmy.blahaj.zone 110 points 1 year ago (2 children)

The article focuses on password requirements that websites implement, not user behaviors. Common bad practices mentioned:

  • Permit very short passwords
  • Do not block common passwords
  • Use outdated requirements like complex characters
[–] Kengaro0@lemmy.world 18 points 1 year ago (4 children)

Complex characters are outdated? It also refers to special characters but I guess that's what I was thinking of. So special characters are in, so what is a complex character then?

[–] 9point6@lemmy.world 55 points 1 year ago (2 children)

Length is the most important thing, everything else is somewhat secondary. We should be shifting thinking of this to passphrases rather than passwords.

I'm sure most of us have seen the "correct horse battery staple" XKCD, but that's what people really need to think of as passwords now, not my-favourite-celebrity-but-with-the-"e"-changed-to-"3"-and-an-exclamation-mark-at-the-end.

[–] wavebeam@lemmy.world 14 points 1 year ago (2 children)

Nah fuck that. Sites need to adopt this passkeys instead. It’s an impossible task for people to have unique credentials for every site, even if they are “memorable”. This is a design issue not a personal responsibility one. When designing for large volumes of people, you have to assume that the majority will do something easy and stupid over difficult and smart.

[–] GissaMittJobb@lemmy.ml 15 points 1 year ago (1 children)

Until they do, password managers get you most of the way there, by letting you have a single password on your side, mapping to one password for each login. Bitwarden is great, and free.

[–] laurelraven@lemmy.blahaj.zone 11 points 1 year ago

Bitwarden is the way

Sites need to stop needing an account for everything. My haveibeenpwnd is full of sites that I can't believe had my email in the first place. Obviously I gave it to them but like cmon

[–] FaeDrifter@midwest.social 2 points 1 year ago

Damn you my go-to password in the 2010's was "P4nc4kes!".

[–] errer@lemmy.world 13 points 1 year ago (2 children)

A character that extends outside the real number line

[–] Honytawk@lemmy.zip 5 points 1 year ago

My characters extends outside time and space.

Make for very secure passwords.

[–] cheese_greater@lemmy.world 2 points 1 year ago* (last edited 1 year ago) (1 children)

Thanks for this, I knew the concept but I've always had a hard time putting it to words. Yeah, its not like they increase the entropy or anything. Same with diacritics

Reminds me of when Michael tells Dwight he and Jim make different amounts: its not about higher or lower, its just different

[–] Claidheamh@slrpnk.net 4 points 1 year ago (1 children)

Either you or I got wooshed, cause I thought that was a maths joke, not actually an answer.

[–] cheese_greater@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

If your password is onky made up of numbers and there's no or a faulty anti-replay feature, you can just keep tryinguntil you iterate to the right password.

People used to do it with 4 digit PINs

[–] r00ty@kbin.life 6 points 1 year ago (1 children)

I think enforcing complex characters is outdated. Allowing them is enough, since someone brute forcing still needs to consider them. Of course they could try all lower, then mixed, then including complex characters in that order to catch those that don't. But still, it's better to have a password made up of compound words that is longer, than S0meth!ngV3ryC0nvolu73D. Or just pure random (aka password generator)

My main issue is places that have a maximum password length. This is firstly a limitation on security, but more importantly throws a red flag because of the potential reasons for having a password length limit!

[–] 9point6@lemmy.world 3 points 1 year ago

Depends on the limit really, if the limit is 32 characters or something like that, definite red flag.

If the limit is something like 250 or more characters, I'm more inclined to believe it's basic protection from all the things that can go wrong when someone repeatedly POSTs whatever the maximum amount of garbage that your server's request limit allows, at an API that performs cryptographic work.

[–] Potatos_are_not_friends@lemmy.world 0 points 1 year ago (1 children)
  • Do not block common passwords

Do you mean "not blocking common passwords"?

This implies that I can totally use "password1"

[–] lolola@lemmy.blahaj.zone 2 points 1 year ago

I copied the list straight from the article, so excuse the awkward phrasing. But yes, the implication is that you could totally use "password1" on some websites.

[–] anubis119@lemmy.world 54 points 1 year ago (3 children)

Password1! is out. passwordoneexclamationmark is in.

[–] Rai@lemmy.dbzer0.com 11 points 1 year ago* (last edited 1 year ago)

PassWordW0Nexclamationmark%%%

Pro password hours

[–] FlyingSquid@lemmy.world 6 points 1 year ago

That's amazing! That's the same password I have on my luggage!

[–] lolola@lemmy.blahaj.zone 4 points 1 year ago

Now that's a pee four dollar sign dollar sign omega zero are dee right there

[–] gregorum@lemm.ee 52 points 1 year ago (1 children)

Largest study ever confirms something everyone has always known

[–] ik5pvx@lemmy.world 15 points 1 year ago (1 children)
[–] austinfloyd@ttrpg.network 1 points 1 year ago

It is possible that you have a bad infosec team; however, it is more likely that they need to meet outdated compliance goals (SOC 2 comes to mind here).

Infosec is unfortunately a tricky balancing act of compliance, security, and usability.

[–] db2@sopuli.xyz 24 points 1 year ago (4 children)

Something something hunter2 ha ha ha it are funy

[–] EmergMemeHologram@startrek.website 30 points 1 year ago (1 children)

Why would you bother making a comment just to not say your password? All I see is stars.

[–] TonyToniToneOfficial@lemmy.ml 18 points 1 year ago (1 children)
[–] TonyToniToneOfficial@lemmy.ml 18 points 1 year ago (1 children)

Wait it's not working for me I can see my password

[–] eierkuchen@feddit.de 9 points 1 year ago

You must be a hacker then

[–] MushuChupacabra@lemmy.world 14 points 1 year ago (1 children)

Something something ******* ha ha ha it are funy

What does this mean?

[–] nailbar@sopuli.xyz 7 points 1 year ago* (last edited 1 year ago)

That's a pretty good password. Not *******, but the sentence as a whole.

[–] LillyPip@lemmy.ca 2 points 1 year ago

So the combination is one, two, three, four, five. That's the stupidest combination I've ever heard in my life! That's the kinda thing an idiot would have on his luggage.

[–] DemBoSain@midwest.social 23 points 1 year ago (2 children)

I am tired of websites imposing limitations on passwords, but not sharing what those are. I use a password generator, and rarely know if Unicode characters are allowed, if there's a limit on the number of characters, etc.

I've come across websites where dashes "-" are forbidden. My banking website only allows a maximum of 16 characters. Sometimes there's a note below the password box, sometimes they don't tell you until your password fails, and sometimes they don't ever tell you. If I don't know what the restrictions are, I'll end up throwing a cheap password at it until I can find out what's acceptable.

[–] altima_neo@lemmy.zip 4 points 1 year ago (1 children)

Sometimes they change the requirements, so a password that once had symbols no longer works, and you can't log in anymore.

[–] Nommer@sh.itjust.works 2 points 1 year ago

Even better! They'll sometimes tell you the wrong error message like my bank used to before they redesigned the front end and backend. I couldn't change my password there for the longest time because it kept telling me my password was not between 5-8 characters long (yes it was). Turns out I couldn't use a - in my password. I'm glad they finally updated to to a longer password but I still can't use a - in my password.

[–] numanair@lemmy.ml 4 points 1 year ago

Sometimes the limits they tell you are wrong. Sometimes they truncate your password without telling you. Sometimes the app has different requirements than the website.

[–] bort@feddit.de 18 points 1 year ago (3 children)

here is a tool, that helps with making secure passwords, that respect all the current and former best practices https://neal.fun/password-game/

[–] kambusha@feddit.ch 7 points 1 year ago (1 children)

Fun. Couldn't get past rule 16 (chess).

[–] June@lemm.ee 2 points 1 year ago

I moved every piece to every spot they could go and couldn’t get it. Not sure what the right answer was lol.

[–] m3t00@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

old phones last 4 '1234 5678', transpose down a row or two 'zxcv-ghjk' used for years, np use a pw manager now. couldn't tell even 1 pw

[–] Etterra@lemmy.world 8 points 1 year ago

Just string a a few random words together, L337 up a few of them, tack on a random number or two, and throw in a punctuation mark somewhere. Then write them down in a little physical notebook.

[–] Sanctus@lemmy.world 6 points 1 year ago (1 children)

Passkeys and OTPs should be the new standard. Passwords are obsolete and passphrases are too hard for the average cumsoomer.

[–] bitwolf@lemmy.one 2 points 1 year ago (1 children)

Yes. They really need to play hardball like they did with chip and pin credit card input.

(If your data is stolen and the vendor did not support chip and pin they were liable for the damages.)

[–] Mr_Blott@lemmy.world 1 points 1 year ago

God yeah I remember the 1990s 😂