• nat_turner_overdrive [he/him]
    ·
    3 years ago

    The reason so many sites allow bad passwords is that customers/users absolutely insist on using bad passwords and will jam up your support team being mad that "Blue16" or whatever isn't allowed.

  • NewAccountWhoDis [she/her]
    ·
    3 years ago

    I've always wondered how much bias there is towards bad passwords because many of the sites that are leaked can often also be sites that nobody really cares too much about their security for too much anyway. I certainly know there's a few things I signed up for that the password is simplistic on because I don't give a single fuck about the account. A one/two time thing that won't have any personal information on it gets the quickest thing I can type.

      • Shinji_Ikari [he/him]
        ·
        3 years ago

        It was the Office of Personnel Management, so not just the CIA, but every agency in which you could need a clearance. Everything from Department of Energy to the NSA, from a low level army grunt moving boxes to high level weapons builders and guys doing IT for contractors. Anyone who had submitted an SF86 up to that point had every place they've lived, every family member, every job, details about education, drug use, mental health and alcohol abuse, debt, etc., basically handed over.

        Best part is, OPM offered two years of identity theft protection as an "oopsywoopsy we fwucked up biiiiiiig time sowwy".

    • nat_turner_overdrive [he/him]
      ·
      3 years ago

      You would be shocked at the passwords people want to use for things like business email accounts, billing accounts which hold their card details, etc. There's a subset of people who absolutely will not put any effort forth for security and just want to use the exact same password they've been using since they got their AOL account in 1998 on every single thing they have to sign in to.

  • TrudeauCastroson [he/him]
    ·
    edit-2
    3 years ago

    With dictionary attacks I'm unsure of what a good password format is.

    Obviously longer is better, and use password manager with random generators, etc.

    But what about the password to your passwords?

  • discountsocialism [none/use name]
    ·
    edit-2
    3 years ago

    We solved this problem in the mid-70s with asymmetric cryptography. It's just too hard for our monkey brains to do anything more than remember a simple pass phrase. We also solved that whole IPv4 internet routing thing but nobody wants to use that either.

    • BeamBrain [he/him]
      ·
      3 years ago

      How's that? I hadn't really thought about how capitalism affected computer security.

          • Nakoichi [they/them]
            ·
            3 years ago

            Yes but they wouldn't have the same resources at their disposal to conduct brute force password cracking nor would they have much incentive to do so. The point is not that passwords would become unnecessary but that we would not have an arms race over information security.

            • CthulhusIntern [he/him]
              ·
              edit-2
              3 years ago

              People have put ridiculous amounts of effort into stalking with no profit incentive in the past, and still do.

        • Nakoichi [they/them]
          ·
          3 years ago

          Passwords could still have use, but there would be no incentive for cryptography or the arms race of password security if they were only needed to protect personal private communications.

            • Nakoichi [they/them]
              ·
              edit-2
              3 years ago

              Yeah what is there to protect in a free open source information economy aside from personal shit that could be easily protected in the absence of a profit motive to steal your shit?

        • NewAccountWhoDis [she/her]
          ·
          edit-2
          3 years ago

          Because people still have a right to privacy??? Even if you make a state with literally not a single bad actor whatsoever no matter how small of a position (lol good luck) other people being noisy assholes isn't going to go away, protecting your accounts for basic privacy seems like a good thing on its own.

        • CthulhusIntern [he/him]
          ·
          3 years ago

          Here's an example: Someone takes nudes for only one person or a couple of people. Someone else wants to see them, but doesn't have consent. This person doesn't care about lack of consent. Shouldn't there be a way to keep this person away?

        • BeamBrain [he/him]
          ·
          3 years ago

          Even without financial incentive, some asshole could still decide to, say, post a bunch of heinous shit under your username for fun.

  • kristina [she/her]
    ·
    3 years ago

    I'd go a step further, and it should be a browser that does it

    • ssjmarx [he/him]
      ·
      3 years ago

      Firefox has some kind of password manager that generates long random strings so the only one you have to remember is the one to the browser itself.

      I've never used it, but I think about it every time I'm on a website trying password, password1, password123, PassWord123, etc.

      • kristina [she/her]
        ·
        3 years ago

        yeah but should probably be a default action

        also stuff like google auth is very nice except the fact that it's google. means a website doesn't have to worry about security as much

      • spectre [he/him]
        ·
        3 years ago

        This is also a feature in Safari, but better yet is using a password manager like Bitwarden.

      • determinism2 [he/him]
        ·
        3 years ago

        Especially when I have to go into their settings every odd quarter to turn off whatever it is that keeps trying to memorize and autofill my password entries after the latest update.

      • culpritus [any]
        ·
        3 years ago

        FF Sync encrypts everything at rest on your devices with your passphrase, and that never leaves your devices unencrypted.

        https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

        seems a lot better than most cloud pwd managers in that way

      • QuillcrestFalconer [he/him]
        ·
        3 years ago

        I guess they could all be stored encrypted and then when you want to use autofill you need to use the master password. That would make it much safer

  • CheGueBeara [he/him]
    ·
    3 years ago

    Most attempts to move away from passwords are direct attacks on anonymity. Email verification (hard to avoid now), adding your phone number, putting an app on your phone complete with verification data. They work great when you need to identify your actual person rather than just someone authorized to use the account.

    The better, newer stuff is WebAuthn-based where you also register a public key and retain a private key. This has caught on in some spaces but should be promoted, particularly as a version using open software (and open hardware if it's based on a USB key) where you personally generate the private key. Unfortunately that's usually reserved for dev kits because the immutability of your key is supposed to be a security feature, though that also makes it a black box that could've been tampered with without leaving behind much evidence.

    The other major issue is availability. What happens when you lose the key? You still need backup auth like an email account if you haven't kept your private key backed up somewhere - the standard is to invalidate the public keys and then buy a new one. This is well beyond the hassle most people will put up with to get access to bringmefrozenyogurt.com.

    • crime [she/her, any]
      ·
      3 years ago

      The better, newer stuff is WebAuthn-based where you also register a public key and retain a private key

      This doesn't seem particularly friendly to lay-users unfortunately. Don't know how you'd get someone whose password is password123 to get the basics of private key auth

      • CheGueBeara [he/him]
        ·
        3 years ago

        It's getting nearly friendly. The core workflow is to buy a yubikey, enable webauthn at the website you're logging into, and plug in the yubikey. Next time you log in (even with password123), it asks you to plug in the yubikey.

        If websites make the registration part more obvious / default, it'll be as close as it can get to user-friendly.

        The next hurdle is getting grandpa to register 2 keys in case he loses one...

        • ToastGhost [he/him]
          ·
          3 years ago

          no one is gonna go out to the store and buy something to sign up for a website

        • crime [she/her, any]
          ·
          3 years ago

          In my experience the u2f key workflow falls apart on devices that don't have USB-A ports, like mobile devices, game consoles, smart TVs, certain years worth of MacBooks, etc

  • CthulhusIntern [he/him]
    ·
    3 years ago

    I used to be a helpdesk agent for a major hospital network. I had doctors actually yell at me because of the password rules (and these rules were maybe a little stricter than average). At some point, individuals are to blame.

  • blobjim [he/him]
    ·
    edit-2
    3 years ago

    The main thing needed is a browser API via javascript, HTTP headers, and the html head, for automatic account creation and login. Instead of having a "remember me" feature, just expose account info to the web browser's password manager. Have it automatically saved, and automatically entered, on every page visit or on initial page view. Literally every website uses the same account login systems anyways. A username/email, and a password/2FA. An "account" can just be a certain set of domains with associated key value pairs of different types for different authentication mechanisms. But web browsers also need better integration with password managers. Windows already has a "Credential Manager" that does exactly this stuff, for sharing between software programs, although there's no permission system for which programs can access it :capitalist-laugh: .

  • Elon_Musk [none/use name]
    ·
    3 years ago

    My password was leaked in a very popular leak years ago and nothing ever came of it and I still use it.