428
What industry secret are you aware of that most people aren't?
(programming.dev)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 24 Jun 2024
428 points (97.8% liked)
Asklemmy
42432 readers
1983 users here now
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 5 years ago
MODERATORS
IT, more specifically user support.
Let's talk passwords. You should have a different password for every site and service, over 16 character long, without any words, or common misspellings, using capital, lowercase, number and special characters throughout. MyPassword1! is terrible. Q#$bnks)lPoVzz7e? is better. Good luck remembering them all, also change them all every 30 days, so here are my secrets.
1: write your password down somewhere, and obfuscate it. If an attacker has physical access to your desk, your password probably isn't going to help much. 2: We honestly don't expect you to follow those passwords rules. I suggest breaking your passwords down into 3 security zones. First zone, bullshit accounts. Go ahead and share this one. Use it for everything that does not have access to your money or PII (Personally Identifiable Information). Second zone, secure accounts, use this password for your money and PII accounts, only use it on trusted sites.Third, reset accounts. Any account that can reset and unlock your other accounts should have a very strong and unique password, and 2FA.
Big industry secret, your passwords can get scraped pretty easily today, 2FA is the barest level of actual security you can get. Set it up. I know it's a pain, but it's really all we've got right now.
This is a method I heard once for remembering random passwords that I thought was clever.
Create your own alphabet of words (or random characters). A is for Apple, B is for Boy, C is for Cat…etc.
For every letter in the URL, you use the word from your alphabet. Ex:
www.facebook.com
F = Fog, A = Apple, C = Cat, E = Egg, B = Boy, O = Off, O = Off, K = Kite
Next, you need a number if you didn’t use one in your alphabet.
Facebook is 8 letters long so I might use 8. Or only letters repeated once. Or maybe you use the whole URL. Up to you, but you do it the same way for every site. You create a patter that you follow and can remember, rather than remembering every password.
Need a symbol? Assign that to the top level domain. In my example, .com = # .edu = ? .org = * etc
Put it all together and my example password would be “8FogAppleCatEggBoyOffOffKite#”.
A password for google.com might be ‘6GolfOffOffGolfLogEgg#’.
Obviously, you don’t have to do it this exact way with the alphabet, number, and symbol. The idea is that you create a set of rules that you remember and follow. If you write down “A = Apple B = Boy…” and someone finds it, it won’t be instantly obvious that it is meant for passwords.
This is terrible. If someone gets a couple of your passwords it’s pretty easy to work out the patterns and gain access to your other accounts.
Don’t complicate it. Use a password manager. I know none of my passwords and that’s how it should be.
For someone to work it out, they would have to be targeting you specifically. I would imagine that is not as common as, eg, using a database of leaked passwords to automatically try as many username-password combinations as possible. I don't think it's a great pattern either, but it's probably better than what most people would do to get easy-to-remember passwords. If you string it with other patterns that are easy for you to memorize you could get a password that is decently safe in total.
A password manager isn't really any less complicated. You've just out-sourced the complexity to someone else. How have you actually vetted your password manager and what's your backup plan for when they fuck up?
When Dashlane reports a breach. I change my passwords.
So no vetting at all presumably since you didn't mention it? So how do you know that Dashlane is safer than a password scheme that might be guessed by someone after they've already compromised a couple of your passwords?
Dashlane is pretty big and I’ve not seen any negative reports from security researchers. They offer bug bounties for people that do find vulnerabilities etc.
I believe the consensus is that password managers are better than any human password scheme. I could host my own manager but then there are more vectors for an attack, and why reinvent the wheel.
I Guess we already have a couple of his passwords ... Good job man, Sorry whats your name ?