• Holzkohlen@feddit.de · ↑33 · 1 year ago

    The only good passwords are those you don’t know yourself because they are randomly generated and all stored in your password manager of choice.

      • clb92@feddit.dk · ↑2 · 1 year ago

        Well that’s on you then.

        1. Keep encrypted backups of your password database, so that you can migrate to something else if you need to.

        2. Make sure to have your password database synced to your phone or accessible in some other way when you’re out and about.

        3. If using a purely offline and local password manager with no syncing, have a way for a trusted person to be able to access it, if you need them to.

        4. Lastly, attempt to not suffer memory loss and forget your main credentials to the password manager.

    • tilcica@lemm.ee · ↑1 · 1 year ago

      depends on the password manager…

      also, the length of the password is WAY more important than it being randomly generated as long as it’s not in a password dictionary somewhere. I use 20+ character passphrases that I can easily remember everywhere, for instance.

  • kamen@lemmy.world · ↑9 · 1 year ago

    Imagine a site telling you “Sorry, you can’t use asdf123 as your password: you’ve already used it on that other site”.

  • ReaperWithASniper@lemmy.world · ↑7 · 1 year ago

    This meme couldn’t explain it better - a strong password crumbles like a cardboard castle when used across multiple sites. Nails the message to a T.

  • Agent641@lemmy.world · ↑7 ↓1 · edited · 1 year ago

    I’ve actually come up with a way to have a complex and unique password for each service which is also resilient against forced password changes, doesn’t require a password manager, and if I’m being tortured I still won’t be able to tell them what it is because I don’t know it unless I’m at the login screen. If the service changes the layout of their login screen though, I’m fucked.

  • GissaMittJobb@lemmy.ml · ↑5 · 1 year ago

    Just use a password manager, then you get the benefits of having a single password to remember without the security-related downsides.

    • Rubanski@lemm.ee · ↑4 · 1 year ago

      I never got over the fact that I somehow need to trust a piece of proprietary software to an absurdly high degree to store ALL my passwords. Is this really a good idea?

      • vsis@feddit.cl · ↑5 ↓1 · 1 year ago

        There are libre off-line password managers. Variants of Keepass for example.

        Indeed it’s a bad idea to store passwords in a proprietary system. Especially a cloud-based one that gets hacked from time to time, like 1Password.

      • ClamDrinker@lemmy.world · ↑2 · edited · 1 year ago

        It’s the choice between trusting one company (or if you self host, trusting yourself) to have their security all in order and properly encrypt the password vault. Using one password for every site you use means that you have to trust each of those sites equally, because if one leaks your password because they have atrocious password policies (eg. storing it in plain text), it’s leaked everywhere and you need to remember every place you used it before.

        Good password managers allow audits, and do at times still get hacked naturally (which isn’t 100% preventable). Yet neither of these should result in passwords being leaked. Why? Because they properly secure your master password so it can’t be reverse engineered to plain text, and without the master password your encrypted password vault is just a bunch of random bytes. And even in the extreme situation it did, you know to switch to a better password manager, and you have a nice big list of all the places where you need to change your password rather than trying to remember them all.

        Human memory is fallible and we want the least amount of effort; because of that we usually make bad passwords. Your average site does not have their password security up to date (there’s almost a 0% chance not one of your passwords can be found here). If your data is encrypted accordingly, it doesn’t matter if it gets leaked in any way or stolen by some rogue employee, so long as they do not have your master password. So yes, I’d say that’s a good idea.

  • Paradachshund@lemmy.today · ↑5 ↓1 · 1 year ago

    Everyone talks about password managers these days, but isn’t that telling the hackers exactly where to go to get all your passwords? Seems like a much higher chance of catastrophic failure to me if you have a single point of entry.

    • moonmeow@lemmy.ml · ↑5 · 1 year ago

      Yes that’s definitely a concern to keep in mind.

      The problem is that if someone doesn’t use a password manager they’re more likely to reuse weak ones.

      Using a password manager is a better path, as long as there is awareness on how to keep it secured.

  • newIdentity@sh.itjust.works · ↑2 · 1 year ago

    Not really though. Once the password has been leaked, it needs to be cracked. And that usually doesn’t happen when the password is strong enough.

    Except if the password wasn’t hashed, but then the company deserves to get sued into bankruptcy.

    • randombullet@feddit.de · ↑10 · 1 year ago

      That’s also assuming they used proper salts and a strong hashing algorithm.

      Also, MITM and/or phishing attacks are not super common but can also depreciate your common password very quickly.

      Always layered defense. If it’s not 1 thing, it could be another.

      Unique passwords are just one facet of a multi-layered security defense.

      • Blackmist@feddit.uk · ↑3 · 1 year ago

        I think phishing is by far the most common way to get passwords.

        I saw a guy at work fall victim to one. Looks like it’s from some customer he knows, links to a document on Office365 or similar, he enters username and password and starts swearing because it’s “lost them”.

        I went, “What URL is that?”

        He looked at his screen for a second. “Fuck.”

        “How many passwords have you given it?”

        “My work ones and my bank ones.”

        “Better change those then, hadn’t you?”

    • Tartas1995@discuss.tchncs.de · ↑5 · 1 year ago

      That is a really bad take.

      The meme is expressing that a strong password is a lot worse when reused.

      Even if one agrees with your take, the meme is accurate.

      But your take is really bad because “it needs to be leaked and cracked” ignores so many alternative ways to steal passwords. XSS, keyloggers, MITM, phishing… And some of these attacks are making it really difficult or unlikely to succeed. E.g. the chance of a phishing email for your bank or Apple iCloud is much more likely than a phishing email about e.g. your babyphone. Segregation of accounts is also important because obviously if you use the same password 30 times, then there are 30 places to leak your password and some might use md5.
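The "it still has to be cracked" point from newIdentity, randombullet's "proper salts and a strong hashing algorithm", and Tartas1995's "some might use md5" all come down to how the site stored the password. The script below is an added example, not code from anyone in this thread: it stores one reused password (a constructed sample, the xkcd "correct horse battery staple") the way an unsalted-MD5 site would and the way a salted scrypt site would, and shows that in the first case two leaked records from two sites are identical, so the reuse itself is visible without any cracking, while in the second case they carry no cross-site fingerprint and can still be verified correctly.

```python
"""Added example (not from the thread): why "it still has to be cracked"
depends entirely on how the site stored the password.

Two constructed users at two constructed sites reuse one password. The
first site stores an unsalted MD5 (the scheme Tartas1995 means by "some
might use md5"); the second stores a per-user random salt plus a
memory-hard KDF (the "proper salts and a strong hashing algorithm"
randombullet describes). Nothing here is real leaked data.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample password shared by both users; "correct horse battery
# staple" is the well-known xkcd example, not a real credential.
SHARED_PASSWORD = "correct horse battery staple"

# scrypt cost parameters. n=2**14 keeps the example quick; production
# deployments use higher values (or argon2id where available).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def store_unsalted_md5(password: str) -> dict:
    """Weak scheme: fast hash, no salt. Equal passwords give equal records,
    so one leaked table reveals every user (and every site) that reused it."""
    return {"hash": hashlib.md5(password.encode()).hexdigest()}


def store_salted_scrypt(password: str, salt: Optional[bytes] = None) -> dict:
    """Stronger scheme: 16-byte random salt per record plus scrypt.
    The salt is an explicit parameter only so tests can be deterministic."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN
    )
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_salted_scrypt(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(record["salt"]),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaks_correlate(record_a: dict, record_b: dict) -> bool:
    """Could someone holding both leaked records tell that the two users
    share a password just by comparing them? (No cracking involved.)"""
    return record_a["hash"] == record_b["hash"]


def demo() -> dict:
    """Run both schemes over the reused password and report what a leak of
    each table would give away."""
    md5_site_a = store_unsalted_md5(SHARED_PASSWORD)
    md5_site_b = store_unsalted_md5(SHARED_PASSWORD)
    scrypt_site_a = store_salted_scrypt(SHARED_PASSWORD)
    scrypt_site_b = store_salted_scrypt(SHARED_PASSWORD)
    return {
        # identical everywhere: reuse is visible, and one precomputed
        # dictionary covers every site using this scheme
        "md5_records_correlate": leaks_correlate(md5_site_a, md5_site_b),
        # different salts: the same password leaves no cross-site fingerprint
        "scrypt_records_correlate": leaks_correlate(scrypt_site_a, scrypt_site_b),
        "scrypt_verifies_correct": verify_salted_scrypt(SHARED_PASSWORD, scrypt_site_a),
        "scrypt_accepts_wrong": verify_salted_scrypt("Tr0ub4dor&3", scrypt_site_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not stop someone from guessing a weak password against one record; what it removes is the shortcut where a single hash value identifies the same password across users and across breaches, which is exactly the damage the meme is about. The slow KDF is what turns "it has to be cracked" from a formality into real cost per guess.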

  • not_that_guy05@lemmy.world · ↑1 · 1 year ago

    I just use engine model codes and body series numbers with special characters. Most of them are not even from the same vehicle so I doubt anyone can remember. Shit, sometimes I even forget what engine I coded with a certain vehicle. And then I get the “you can’t use the same password” message for one that was entered previously to log in.

  • Kedly@lemm.ee · ↑0 · edited · 1 year ago

    Counterpoint: Password Manager = One point of failure

    Multiple Strong Passwords that have to be changed every 3 months even to sign on to your cornerstore rewards program without a password manager? Guess you’re never accessing any account older than 3 months because you’ve forgotten th3 b1lli0n$ oF s+r0ng p4s5w0rds Y0u h4Ve cr3atEd!

    • 0xD@infosec.pub · ↑0 · edited · 1 year ago

      Okay and now let’s get into threat modelling and risk management.

      What is the purpose of a password manager? What are the possible threats against them, and what are those against singular passwords for services? What is the risk of each of those?

      • Kedly@lemm.ee · ↑0 · 1 year ago

        Guys, before you argue with me, password security is something that EVERYONE in the 1st world has to deal with, not just tech nerds. If you need to grow up around computers or take a class for it to be a good form of security, it’s a shit form of security for the general public.

        • Comment105@lemm.ee · ↑0 ↓1 · 1 year ago

          I’ve had security fatigue for years now. I’m sure most of you have. I’ve written down so many usernames and passwords and it’s still not half of what I have, and to top it off, several of the written passwords are now wrong after obligatory password changes and I don’t remember the new ones.