this post was submitted on 24 Jun 2024
431 points (98.0% liked)

Asklemmy

43943 readers
937 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] Bytemeister 33 points 5 months ago (37 children)

IT, more specifically user support.

Let's talk passwords. You should have a different password for every site and service, over 16 character long, without any words, or common misspellings, using capital, lowercase, number and special characters throughout. MyPassword1! is terrible. Q#$bnks)lPoVzz7e? is better. Good luck remembering them all, also change them all every 30 days, so here are my secrets.

1: write your password down somewhere, and obfuscate it. If an attacker has physical access to your desk, your password probably isn't going to help much. 2: We honestly don't expect you to follow those passwords rules. I suggest breaking your passwords down into 3 security zones. First zone, bullshit accounts. Go ahead and share this one. Use it for everything that does not have access to your money or PII (Personally Identifiable Information). Second zone, secure accounts, use this password for your money and PII accounts, only use it on trusted sites.Third, reset accounts. Any account that can reset and unlock your other accounts should have a very strong and unique password, and 2FA.

Big industry secret, your passwords can get scraped pretty easily today, 2FA is the barest level of actual security you can get. Set it up. I know it's a pain, but it's really all we've got right now.

[–] [email protected] 5 points 5 months ago (10 children)

This is a method I heard once for remembering random passwords that I thought was clever.

Create your own alphabet of words (or random characters). A is for Apple, B is for Boy, C is for Cat…etc.

For every letter in the URL, you use the word from your alphabet. Ex:

www.facebook.com

F = Fog, A = Apple, C = Cat, E = Egg, B = Boy, O = Off, O = Off, K = Kite

Next, you need a number if you didn’t use one in your alphabet.

Facebook is 8 letters long so I might use 8. Or only letters repeated once. Or maybe you use the whole URL. Up to you, but you do it the same way for every site. You create a patter that you follow and can remember, rather than remembering every password.

Need a symbol? Assign that to the top level domain. In my example, .com = # .edu = ? .org = * etc

Put it all together and my example password would be “8FogAppleCatEggBoyOffOffKite#”.

A password for google.com might be ‘6GolfOffOffGolfLogEgg#’.

Obviously, you don’t have to do it this exact way with the alphabet, number, and symbol. The idea is that you create a set of rules that you remember and follow. If you write down “A = Apple B = Boy…” and someone finds it, it won’t be instantly obvious that it is meant for passwords.

[–] [email protected] 26 points 5 months ago (5 children)

This is terrible. If someone gets a couple of your passwords it’s pretty easy to work out the patterns and gain access to your other accounts.

Don’t complicate it. Use a password manager. I know none of my passwords and that’s how it should be.

[–] patatahooligan 3 points 5 months ago (1 children)

For someone to work it out, they would have to be targeting you specifically. I would imagine that is not as common as, eg, using a database of leaked passwords to automatically try as many username-password combinations as possible. I don't think it's a great pattern either, but it's probably better than what most people would do to get easy-to-remember passwords. If you string it with other patterns that are easy for you to memorize you could get a password that is decently safe in total.

Don’t complicate it. Use a password manager. I know none of my passwords and that’s how it should be.

A password manager isn't really any less complicated. You've just out-sourced the complexity to someone else. How have you actually vetted your password manager and what's your backup plan for when they fuck up?

[–] [email protected] 1 points 5 months ago (1 children)

When Dashlane reports a breach. I change my passwords.

[–] patatahooligan 1 points 4 months ago (1 children)

So no vetting at all presumably since you didn't mention it? So how do you know that Dashlane is safer than a password scheme that might be guessed by someone after they've already compromised a couple of your passwords?

[–] [email protected] 1 points 4 months ago

Dashlane is pretty big and I’ve not seen any negative reports from security researchers. They offer bug bounties for people that do find vulnerabilities etc.

I believe the consensus is that password managers are better than any human password scheme. I could host my own manager but then there are more vectors for an attack, and why reinvent the wheel.

load more comments (3 replies)
load more comments (7 replies)
load more comments (33 replies)