Passwords | GTAMotorcycle.com

Wingboy

Do you feel you are secure? A lot of people aren't, obviously, by the recent cyber hack at CRA. I know of a few people that are just ripe for picking. Very few are seniors btw.
 
Not a whole lot you can do in the digital age, just a coin flip now

This is why I prefer paper trails and records
 
So you should not have your username and password written on an 8x10 sheet of paper hanging over your work desk?
I actually saw that in a hospital once.
Ya, paper records are much better. I saw a banker's box full of patient medical records blowing across a public parking lot once too.
 
Or just go the other direction. No technology. My bil will drive 40 min to pay a bill and has never used an ATM. He is executor to his dad's estate and has "lost" two cheques already. He won't trust the ATM, so he puts them in the night depository. Duh. If he has to go into a bank, he has to go home and lie down after. Stressful!
 
Too many double-edged swords. Easy to remember, therefore easy to guess. When a hacker gets into a poorly secured forum, all they can usually do is cause embarrassment. However, if that same password is also used for banking, they have the master key to everything you do.

Seniors have the added problem of the whachamacallit disease and juggling a dozen passwords changed on a regular basis isn't all that simple.

Cheques leave the user a paper trail but also leave it for everyone, account info plus sample of signature.

Personally I prefer the old way but I can't fit seven chickens and two dozen eggs into an envelope for Virgin Mobile.
 
I have different passwords for almost everything. I reuse a few common passwords for junk accounts (places that have no useful data on me, for instance if I signed up for a newspaper online). For accounts that I use reasonably often in multiple locations (for instance Netflix), I use diceware so they are almost impossible to crack but easy to remember. For accounts I care about and would be an issue if compromised (for instance email or Dropbox), I remember long complicated passwords. For all other accounts (for instance online stores), the passwords are unique to each site, stored in a well-encrypted vault and I have no idea what they are. I have to look them up every time I use them.

I'm with Brian P. Most password policies are the worst thing that has happened to security. They encourage (and in some cases basically require) bad password management to try to stay on top of your constantly changing complicated password.
 
It's always about convenience.. if systems require you to change passwords often, then there is a big chance that people will just change "qwerty" to "qwerty1" and so on.

I switched many years ago to a password manager like LastPass with YubiKey. I have no idea what my passwords are and they are either max allowed or 64+ characters. Each site has a unique and strong password and it gives me comfort at night.

I've recently forced my parents to switch to a password manager as well because of many reasons (e.g. you can configure emergency access if needed). They didn't like the idea but now they are pretty happy with it.

They are very easy to use and you can choose how much security or comfort you want (e.g. I don't have autosuggestions/autofill enabled). Of course, there is this trust issue with the password manager. You basically need to choose one that you trust and preferably the one which wouldn't be able to restore access to your vault if you forgot the master password. Also, I would say that you do need at least 2FA enabled for the password managers. Pls, don't rely only on a master password as it can be compromised e.g. by a key logger.
 
2FA is another good idea, but password manager plus mobile devices plus 2FA makes an annoying but still insecure loop. Recently crooks have been cloning SIMs to get access to 2FA codes. If you have a code changing keychain, that is a great device that really helps lock things down.

FWIW, in the past, the vast majority of password managers stored the database either in the clear or with crap encryption. People need to make sure they do their research to make sure they aren't setting up the equivalent of a password.txt file on their desktop.

The password manager I use has a recovery key with ~20 words (similar to cryptokeys). If you choose to use this, keep that piece of paper very secure as it is the keys to the castle.
 

Yeah, 2FA via text messages is not a very secure option nowadays. I personally use MS Auth + Authy apps on my phone (configured to ask Face ID or PIN each time opened).

YubiKey or other FIDO/WebAuthn/etc devices are great alternatives to a code changing keychain. It basically works in a similar way just using modern standards and many applications support them (including modern browsers). + YubiKey has 2 slots that can be programmed and triggered independently and they work on mobile devices as well!

And I totally agree about password managers. Every person needs to do research first and make sure that they trust their provider. This system will basically have the keys to your life..

Side Note:
Yes, added security can be inconvenient. E.g. even if a site doesn't support 2FA, you might need to click on your password manager, which will ask for your password, then FIDO key and/or 2FA code, and only then fill the credentials if the domain matches the records.. But you don't need to have it configured like this for everything. E.g. in order to access this forum I don't need to use a FIDO key if I'm signed in to my password manager, but it is a different story if I need to access something important.

Inconvenience? Yes.. but just imagine, no need to remember any passwords for any sites and it is actually cool to use a physical device to sign in, no?
 
Meh, I feel secure. I do my part to make sure my passwords and computer are not easily compromised. But there is only so much you can do. I see hacking as similar to stealing from a physical bank: once they get in there, as a client, what can you do?
 
