this post was submitted on 06 Dec 2023
151 points (96.9% liked)
[Outdated, please look at pinned post] Casual Conversation
6590 readers
1 users here now
Share a story, ask a question, or start a conversation about (almost) anything you desire. Maybe you'll make some friends in the process.
RULES
- Be respectful: no harassment, hate speech, bigotry, and/or trolling
- Encourage conversation in your post
- Avoid controversial topics such as politics or societal debates
- Keep it clean and SFW: No illegal content or anything gross and inappropriate
- No solicitation such as ads, promotional content, spam, surveys etc.
- Respect privacy: Don’t ask for or share any personal information
Related discussion-focused communities
- !actual_discussion@lemmy.ca
- !askmenover30@lemm.ee
- !dads@feddit.uk
- !letstalkaboutgames@feddit.uk
- !movies@lemm.ee
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This sounds like you don't use a password manager.
A password manager does nothing to stop Social engineering and human factors on the provider side.
wdym by "provider side" in this context?
As an example, if you have an online account with some bank. That bank would be the provider.
Well yes, me and the bank employees using a password manager does not stop social engeneering and human factors, but it limits the access of the attacker to the time period of the forced password change. If the attacker changes it, he is found out immediately, because the bank employee loses access. When the password expires the bank employee generates a new random password and the attacker loses access. Of course, using OTP features or a security token is better and narrows the attack window even more.
I don't think you're following.
First, you are an account holder in my answer not an employee.
Second, the reason its an issue has nothing to do with the actual password or password security. Frequent changes lead to simpler passwords. Someone is likely just to increment a number, so a new password is barley a hindrance if the previous one is compromised. Frequent changes are going to lead to more password resets, service personnel who have to deal with people forgetting passwords due to frequent resets/ changes are more likely to be complacent allowing an attacker to gain access through a reset. For company based passwords, frequent changes and high complexity requirements are more likely to lead to someone writing a password down near where that password is used.
No, you're not following. (I assumed I was an account holder in that example, but it's not important.)
Not if they use a password manager and click a button to completely randomize a new password. They do not have to worry they forget it, because they only have to memorize their master password.
KeePass Password Generation Options
Why would someone who was told to hit that button by IT increment a number instead?
Just automate it and gate it behind a strong passphrase and 2 factor the vault you use
https://github.com/Bubka/2FAuth
https://www.makeuseof.com/what-is-password-vault/
https://nerdschalk.com/8-best-self-hosted-password-managers/
https://www.hashicorp.com/resources/painless-password-rotation-hashicorp-vault
I know hashicorp has ruffled some feathers with the new terraform licensing but vault is still free and self hosted.
I think your missing the point. It doesn't matter how good an individuals security practices are if the system itself has bad security architecture.
So in your post you refer to, for example, an admin at microsoft headquarters having to change his password, not the user of one of microsofts services being forced to change their password?
I am generally more annoyed at the second bit, the user having to change their password. Both are problems, but internal policies for changes are usually documented and communicated.
Having to change the services password is just a few buttons in the password manager, but it helps mitigating brute force attacks and limits the attackers access to the validity period of the password. So that's very beneficial.
It doesn't matter how good an individuals security is, its the system that's a problem. Passwords are not often compromised through brute force. Password resets are a much more efficient entry method.
https://pages.nist.gov/800-63-FAQ/#q-b05
I use a password manager, but I can't realistically use one on my work computer, because the computer is locked. You want me to open my password manager on my phone and try and type it in?
Yeah, I'm gonna continue to use the bare minimum password that meets the requirements knowing full well it can be brute forced in under 5 minutes.
My employer deployed password managees company wide.
Sadly, I can't use a password manager to unlock my windows on my work pc.
You still need a password on your password manager, and that needs to be protected.
Sure, but one strong complex password is much easier to maintain and remember than checks vault 71 individual logins each with unique complex passwords.
My password vault is also only accessible from my local network or from a device that's been within that network and logged in to my vault while it was there. (I'm not using public servers to sync between devices)