The reason so many sites allow bad passwords is that customers/users absolutely insist on using bad passwords and will jam up your support team being mad that "Blue16" or whatever isn't allowed.
I've always wondered how much bias there is towards bad passwords because many of the sites that are leaked can often also be sites that nobody really cares too much about their security for too much anyway. I certainly know there's a few things I signed up for that the password is simplistic on because I don't give a single fuck about the account. A one/two time thing that won't have any personal information on it gets the quickest thing I can type.
It was the Office of Personnel Management, so not just the CIA, but every agency in which you could need a clearance. Everything from Department of Energy to the NSA, from a low level army grunt moving boxes to high level weapons builders and guys doing IT for contractors. Anyone who had submitted an SF86 up to that point had every place they've lived, every family member, every job, details about education, drug use, mental health and alcohol abuse, debt, etc. basically handed over.
Best part is, OPM offered two years of identity theft protection as a "oopsywoopsy we fwucked up biiiiiiig time sowwy"
You would be shocked at the passwords people want to use for things like business email accounts, billing accounts which hold their card details, etc. There's a subset of people who absolutely will not put any effort forth for security and just want to use the exact same password they've been using since they got their AOL account in 1998 on every single thing they have to sign in to.
With dictionary attacks I'm unsure of what a good password format is.
Obviously longer is better, and use password manager with random generators, etc.
But what about the password to your passwords?
I use passphrases as master passwords, usually with puns or wordplay so a few of the words aren't even words in a dictionary attack
Lol your reply showed up in my account when I was reviewing the cringe I made up so far
Great approach btw. I can only recommend the EFF word list, it makes passwords like yours so much easier to create and remember
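One way to see what the EFF word list approach buys you, as an added example that is not from any commenter in this thread: this Python script maps five-dice rolls to list indices the way Diceware does, picks words with a CSPRNG, and works out how many words reach a target entropy. The short word list is a constructed stand-in; the entropy figures use the real list's size of 7776.

```python
import math
import secrets

# Constructed stand-in for the EFF long word list. The real list has 7776 words,
# one per five-dice roll from "11111" to "66666"; this short list only shows the
# mechanics, and the entropy figures below use the real list's size.
EFF_LIST_SIZE = 7776
SAMPLE_WORDS = [
    "abacus", "bamboo", "cactus", "daisy", "eagle", "fossil",
    "glacier", "harbor", "igloo", "jungle", "kettle", "lantern",
]


def roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as "11111" to a 0-based index into the word list."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("a roll is exactly five digits in the range 1..6")
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)  # base-6 digits, 1..6 -> 0..5
    return index


def bits_of_entropy(list_size: int, word_count: int) -> float:
    """Entropy of word_count words chosen uniformly at random from list_size words."""
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(words: list[str], word_count: int, sep: str = " ") -> str:
    """Build a passphrase with secrets.choice (a CSPRNG), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS, 6))
    print(f"6 words from the EFF list: {bits_of_entropy(EFF_LIST_SIZE, 6):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(EFF_LIST_SIZE, 80)}")
```

The strength comes only from the uniform random choice, not from the words being memorable, so a passphrase you compose by hand from the same list does not get the same entropy figure.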
We solved this problem in the mid-70s with asymmetric cryptography. It's just too hard for our monkey brains to do anything more than remember a simple pass phrase. We also solved that whole IPv4 internet routing thing but nobody wants to use that either.
How's that? I hadn't really thought about how capitalism affected computer security.
Yes but they wouldn't have the same resources at their disposal to conduct brute force password cracking nor would they have much incentive to do so. The point is not that passwords would become unnecessary but that we would not have an arms race over information security.
People have put ridiculous amounts of effort into stalking with no profit incentive in the past, and still do.
Passwords could still have use, but there would be no incentive for cryptography or the arms race of password security if they were only needed to protect personal private communications.
Yeah what is there to protect in a free open source information economy aside from personal shit that could be easily protected in the absence of a profit motive to steal your shit?
Because people still have a right to privacy??? Even if you make a state with literally not a single bad actor whatsoever no matter how small of a position (lol good luck) other people being noisy assholes isn't going to go away, protecting your accounts for basic privacy seems like a good thing on its own.
Here's an example: Someone takes nudes for only one person or a couple of people. Someone else wants to see them, but doesn't have consent. This person doesn't care about lack of consent. Shouldn't there be a way to keep this person away?
Even without financial incentive, some asshole could still decide to, say, post a bunch of heinous shit under your username for fun.
Firefox has some kind of password manager that generates long random strings so the only one you have to remember is the one to the browser itself.
I've never used it, but I think about it every time I'm on a website trying password, password1, password123, PassWord123, etc
yeah but should probably be a default action
also stuff like Google auth is very nice except the fact that it's Google. Means a website doesn't have to worry about security as much
This is also a feature in Safari, but better yet is using a password manager like Bitwarden
Especially when I have to go into their settings every odd quarter to turn off whatever it is that keeps trying to memorize and autofill my password entries after the latest update.
FF Sync encrypts everything at rest on your devices with your passphrase, and that never leaves your devices unencrypted.
https://hacks.mozilla.org/2018/11/firefox-sync-privacy/
seems a lot better than most cloud pwd managers in that way
I guess they could all be stored encrypted and then when you want to use autofill you need to use the master password. That would make it much safer
Apple keychain and Safari on mobile create long string passwords
Most attempts to move away from passwords are direct attacks on anonymity. Email verification (hard to avoid now), adding your phone number, putting an app on your phone complete with verification data. They work great when you need to identify your actual person rather than just someone authorized to use the account.
The better, newer stuff is WebAuthN-based where you also register a public key and retain a private key. This has caught on in some spaces but should be promoted, particularly as a version using open software (and open hardware if it's based on a USB key) where you personally generate the private key. Unfortunately that's usually reserved for dev kits because the immutability of your key is supposed to be a security feature, though that also makes it a black box that could've been tampered with without leaving behind much evidence.
The other major issue is availability. What happens when you lose the key? You still need backup auth like an email account if you haven't kept your private key backed up somewhere - the standard is to invalidate the public keys and then buy a new one. This is well beyond the hassle most people will put up with to get access to bringmefrozenyogurt.com.
The better, newer stuff is WebAuthN-based where you also register a public key and retain a private key
This doesn't seem particularly friendly to lay-users unfortunately. Don't know how you'd get someone whose password is password123 to get the basics of private key auth
It's getting nearly friendly. The core workflow is to buy a yubikey, enable webauthn at the website you're logging into, and plug in the yubikey. Next time you log in (even with password123), it asks you to plug in the yubikey.
If websites make the registration part more obvious / default, it'll be as close as it can get to user-friendly.
The next hurdle is getting grandpa to register 2 keys in case he loses one...
no one is gonna go out to the store and buy something to sign up for a website
In my experience the u2f key workflow falls apart on devices that don't have USB-A ports, like mobile devices, game consoles, smart TVs, certain years worth of MacBooks, etc
I used to be a helpdesk agent for a major hospital network. I had doctors actually yell at me because of the password rules (and these rules were maybe a little stricter than average). At some point, individuals are to blame.
The main thing needed is a browser API via JavaScript, HTTP headers, and the HTML head, for automatic account creation and login. Instead of having a "remember me" feature, just expose account info to the web browser's password manager. Have it automatically saved, and automatically entered, on every page visit or on initial page view. Literally every website uses the same account login systems anyways. A username/email, and a password/2FA. An "account" can just be a certain set of domains with associated key value pairs of different types for different authentication mechanisms. But web browsers also need better integration with password managers. Windows already has a "Credential Manager" that does exactly this stuff, for sharing between software programs, although there's no permission system for which programs can access it :capitalist-laugh: .
My password was leaked in a very popular leak years ago and nothing ever came of it and I still use it.