Last password will fail on every site thst doesn’t do password recovery. Might be more than he expected
We have the worst password policy I’ve ever dealt with at my current employer.
My bank has, for being a bank, very very bad character support. Best thing is, I’m basically gonna work for that bank.
For years my bank only allowed numerical passwords. The maximum length was 8.
They changed it somewhat recently.
One of the largest banks in Australia (Westpac) used to require passwords to be exactly 6 characters (no more, no less) and they were case insensitive. It also had a fun ‘denial of service’ attack built-in: If you got it wrong three times, it’d lock the account and force you to go to the bank to unlock it, meaning anyone that knew your bank username could lock you out of your account and cause some pretty big headaches. Fun.
In fact, I’m not sur whether they ever fixed this. Haven’t used their services in a long time.
But they had a strict lockout policy, right? Right?
me when my bank is less secure than a fucking door lock
Create a new account every time?
Change password every day, and the required password length and complexity increases each time you change your password.
Password game irl
Bitwarden has a password generator that you can set criteria for, been really helpful with one of my janky logins
My employer software has us log in with just our password, no username. I don’t know exactly what’s going on in the backend but I know I don’t like it.
The highly regarded password policy of my last employer was one of the many things that pushed me over the edge and made me leave for greener pastures. I had to manage something like 9 different passwords, with the main one having changed to 16 chars min with all of the usual number/symbol/CAP requirements.
Use passkeys
If you think about it the last option is a way to use login via 2fa
But you only need one factor, access to your inbox?
So it’s more like SSO authentication
SSO without 2FA
Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!
… Its still a shit security design. Better to have username, pass and a security key hehe
Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?
I think you got it wrong what i meant (?)
Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
Websites generally dont work this way, i know. But thats how id implement it :')Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.
Shit, are we getting to that point where all non-password logins are “2fa” like how all denial of services are “DDoS”
Nah it’s just SFA with extra steps.
Magic link login with extra steps
This is more correct
Ah yes, they’ll never obtain my password if not even I know it.
Sign a random string with your private key to be verified by a public key on server.
Just need a password to sign now. 🥲
You’re describing Passkeys/WebAuthN
Can you send the link for it? I was unaware of this.
It’s all good until you get into a dependency loop with your email account passwords needing resetting, that have the email from the other account that needs resetting :P
That’s easy, just create new accounts every time you login.
And everything is done in Tails.
Forgot to add “Add a comma in your password, so if the all the user logins get leak, it will destroy the CSV file it gets uploaded to”.
Add a drop table statement to it while you’re at it
It won’t destroy the .csv file, but your (below standard) client might have issues reading it. That woman from The Office knows those are not the same thing.
There was one time I was traveling and had to reset one of my passwords. It sent a verification code via email but my email provider wouldn’t let me login because I was in a different country I’ve never been to before. So it was a train of recovery processes to reser my password on a single account.
I can smell the Linux crowd rushing to suggest a better method.
Use a password manager like bitwarden or keepass
Run a VPN server at home, any decent router should be able to run one. Then you can be anywhere in the world and every site will still think you are at home.
How would they be able to do that if they were already out of the country? Or is it something that “everyone” should set up?
That’s something that should be set up before leaving. You wouldn’t be able to do it away from home unless you already had remote access to a computer running at home or if your router had remote access enabled.
I like the DocuSign model. Just focus on securing your one account (email) and then make all the others use it as single factor.
Until you get locked out of your email account and can no longer access anything. This happens all the time with freemail (Gmail, Hotmail, Yahoo, etc) accounts.
The contents of mails also shouldn’t be considered secure. I like the idea of doing proper SSO through an email provider though - for example, using OIDC (OpenID Connect).
The big brain move is going to reset your password, getting told you can’t use your current password when you type in a “new” one, then going back to the login screen to log in.
And have the password still not work.
Big brain move is going to reset your password, seeing what their obscure password requirements are, then remembering your password and going back to the login screen to log in.
One of each please.
Whenever I feel that my passwords are insecure, I offer them a few encouraging words.
Hey, unrelated question, what’s the mother’s maiden name of your password?
If I told you, then my password would be insecure. You see, that’s a sensitive case for them.
Bitwarden is your friend.
For any self-hosted services you use, run something like Authentik and configure all the apps to use it for auth via OIDC (OpenID Connect). Makes the experience a lot nicer, instead of every service having its own separate user system.
I use Keycloak at work. How does Authentik compare?
I’ve never tried Keycloak so I’m not sure, sorry.
One feature Authentik has that I don’t think Authelia nor Keycloak support is operating as an LDAP server. With Authelia at least, you have to run a separate LDAP server if you need LDAP. With Authentik, it’s built in.
I guess I’ll have to do the research myself. Ohh bother. I can tell you that Keycloak can use a postgresql db or ldap but it is not built in. I honestly really dislike LDAP though. It’s an old protocol that has terrible client support and the only real reason to use it imo is if you need to support really high number of users and traffic, like in the millions.
You still want a local account though. Learnt that the hard way.
Why? In case authentik goes down, so you can recover data? Or something else?
I am settting up authentik and other selfhosted services right now and my plan was for authentik to have all the accounts.