151

Any company that still insists on forced password resets and frequent changes needs to learn about Social Engineering and Human Factors. (yiffit.net)

submitted 7 months ago by l_b_i@yiffit.net to c/casualconversation@lemmy.world

61 comments fedilink hide all child comments

These are the same companies that don't support second factors, only have their app as a second factor, or only SMS second factor. Is it too much to ask for smart card or token (yubikey) support?

you are viewing a single comment's thread
view the rest of the comments

[-] droning_in_my_ears@lemmy.world 46 points 7 months ago

I hate that stuff. Also websites that have lots of specific conditions for what a password contains. You're just increasing the likelihood of me forgetting it.

[-] Echo5@lemmy.world 15 points 7 months ago

I started using a password manager for a lot of my passwords. Works pretty well, it’ll generate criteria matching passwords for me. Also functions as a list of websites I’ve created accounts with.

[-] Bwaz@lemmy.world 13 points 7 months ago

Forgetting it?? All you have to do is scribble it on a little slip of paper in your top drawer like 90% of people do. Very secure.

[-] BastingChemina@slrpnk.net 3 points 7 months ago

Top drawer ! I think you it's still more secure than most of my colleagues. It's usually a post it on the monitor.

[-] bouh@lemmy.world 1 points 7 months ago

Post it on the monitor is for session password. For the 5 others, there is a txt file on the desktop!

[-] l_b_i@yiffit.net 11 points 7 months ago

And if you don't forget it, you'll use a simple one that's easy to guess or contains common substitutions, p@$$w0rd!. And then when you do forget it you'll call support who will reset it, and they get so many calls it will make taking over another account easier.

[-] DABDA@lemmy.world 8 points 7 months ago

In case you haven't already seen it yet there's The Password Game to drive this point home

[-] l_b_i@yiffit.net 3 points 7 months ago

I don't think I've gotten past finding the correct length video. Getting that to work with everything else and keeping what's his face alive is just too much.

[-] iAmTheTot@kbin.social 3 points 7 months ago

Use a password manager my guy

[-] thedirtyknapkin@lemmy.world 1 points 7 months ago* (last edited 7 months ago)

on a work computer?

[-] Darkassassin07@lemmy.ca 1 points 7 months ago

You can use the manager on your phone to display the password you're having a hard time remembering sonyou can manually type it in, while still keeping it stored securely instead of just a plain text note on your phone.

You can also login to your password manager via web browser to copy/paste between it and login pages. Wouldn't be my choice, but it's an option. (not gonna enter my password vaults details on a work computer unless that vault only contains work logins.)

[-] droning_in_my_ears@lemmy.world 1 points 7 months ago

I don't trust them.

[-] Darkassassin07@lemmy.ca 1 points 7 months ago* (last edited 7 months ago)

I didn't either, so I self-host mine via vaultwarden. My passwords never leave my own systems (unless being used to login ofc), except for transit between my server and client devices. That is encrypted before storage or flight then wrapped in tls for https and again for a vpn connection (also self-hosted).