- cross-posted to:
- privacy@lemmy.ml
- cross-posted to:
- privacy@lemmy.ml
Largest Study of its Kind Shows Outdated Password Practices are Widespread::undefined
You must log in or register to comment.
The article focuses on password requirements that websites implement, not user behaviors. Common bad practices mentioned:
- Permit very short passwords
- Do not block common passwords
- Use outdated requirements like complex characters
- Do not block common passwords
Do you mean “not blocking common passwords”?
This implies that I can totally use “password1”
I copied the list straight from the article, so excuse the awkward phrasing. But yes, the implication is that you could totally use “password1” on some websites.
Password1! is out. passwordoneexclamationmark is in.
PassWordW0Nexclamationmark%%%
Pro password hours
That’s amazing! That’s the same password I have on my luggage!
Now that’s a pee four dollar sign dollar sign omega zero are dee right there
Largest study ever confirms something everyone has always known
Except infosec team
It is possible that you have a bad infosec team; however, it is more likely that they need to meet outdated compliance goals (SOC 2 comes to mind here).
Infosec is unfortunately a tricky balancing act of compliance, security, and usability.
Something something hunter2 ha ha ha it are funy
Why would you bother making a comment just to not say your password? All I see is stars.
hunter2
Wait it’s not working for me I can see my password
You must be a hacker then
That’s a pretty good password. Not *******, but the sentence as a whole.
So the combination is one, two, three, four, five. That’s the stupidest combination I’ve ever heard in my life! That’s the kinda thing an idiot would have on his luggage.
I am tired of websites imposing limitations on passwords, but not sharing what those are. I use a password generator, and rarely know if Unicode characters are allowed, if there’s a limit on the number of characters, etc.
I’ve come across websites where dashes “-” are forbidden. My banking website only allows a maximum of 16 characters. Sometimes there’s a note below the password box, sometimes they don’t tell you until your password fails, and sometimes they don’t ever tell you. If I don’t know what the restrictions are, I’ll end up throwing a cheap password at it until I can find out what’s acceptable.
Sometimes they change the requirements, so a password that once had symbols no longer works, and you can’t log in anymore.
Even better! They’ll sometimes tell you the wrong error message like my bank used to before they redesigned the front end and backend. I couldn’t change my password there for the longest time because it kept telling me my password was not between 5-8 characters long (yes it was). Turns out I couldn’t use a - in my password. I’m glad they finally updated to to a longer password but I still can’t use a - in my password.
Sometimes the limits they tell you are wrong. Sometimes they truncate your password without telling you. Sometimes the app has different requirements than the website.
Banking having the incredibly low character max is insane. I made a new account recently and I wanted to use the Bitwarden passphrase generation, but even 2 words could make it too long. Plus the push for 2 factor auth with everything including crap like streaming, except they just want to email me after I’ve given my very strong passwords already…
here is a tool, that helps with making secure passwords, that respect all the current and former best practices https://neal.fun/password-game/
Fun. Couldn’t get past rule 16 (chess).
I moved every piece to every spot they could go and couldn’t get it. Not sure what the right answer was lol.
🥚
Paul!
old phones last 4 ‘1234 5678’, transpose down a row or two ‘zxcv-ghjk’ used for years, np use a pw manager now. couldn’t tell even 1 pw
Passkeys and OTPs should be the new standard. Passwords are obsolete and passphrases are too hard for the average cumsoomer.
Yes. They really need to play hardball like they did with chip and pin credit card input.
(If your data is stolen and the vendor did not support chip and pin they were liable for the damages.)
God yeah I remember the 1990s 😂
