this post was submitted on 06 May 2025

155 points (100.0% liked)

Technology

38631 readers

122 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago

MODERATORS

alyaza@beehaw.org

TheRtRevKaiser@beehaw.org

gyrfalcon@beehaw.org

rs5th@beehaw.org

coldredlight@beehaw.org

SemioticStandard@beehaw.org

TheRtRevKaiser@kbin.social

remington@beehaw.org

155

Tulsi Gabbard Reused the Same Weak Password on Multiple Accounts for Years (www.wired.com)

submitted 2 days ago by remington@beehaw.org to c/technology@beehaw.org

25 comments fedilink hide all child comments

https://archive.is/WD8NT

all 27 comments

sorted by: hot top controversial new old

[–] Melody@lemmy.one 7 points 2 days ago (1 children)

Given the absurd number of sites that require a login for no discernible security reason at all whatsoever; I get it.

A "Common" password makes sense. This password should never be used to log into or protect anything secure however.

Similarly a "Common" password might be used to enable login more easily from certain devices; but ideally this "temporary" password should probably be something that is, yet again, different from the first "Common" password you use.

It boggles my mind that someone like this isn't at least using a specific passphrase for secure work accounts only.

While I can personally understand a need for some password reuse across multiple domains; at least there should be some separation of larger "superdomains" such as "work", "personal" and "throwaway" so that breaches don't have such a catastrophic impact.

A system of generating secure, unrelated but memorable phrases (for you) for those times you can't carry or use a password manager is frequently essential. That way you can recall the password on the fly when it is asked of you; all you need to do is think about the unrelated thing you attached that information to.

[–] festus@lemmy.ca 3 points 2 days ago

Ditto. I use unique passwords for services I care about / someone could exfiltrate sensitive data, and a cheap reused password for services I don't care about and could easily regain access to with a password reset email.

[–] some_guy@lemmy.sdf.org 8 points 2 days ago

Meh, I can't dunk on this one. Despite paying for a password manager, I still use the same password for things I don't care about / that can't be used to exploit me. The other day I had to register for something stupid and that's what I used, yet again. Granted, I'm not logging into game-changing accounts with it, but I get it. I'll dunk on her for policy.

[–] klu9@lemmy.ca 31 points 2 days ago (1 children)

Plausible deniability for when it's discovered her accounts are controlled from Moscow?

"Oh, I must have been hacked cuz weak passwords. That's why my account sent our classified war plans to Putin."

[–] Powderhorn@beehaw.org 14 points 2 days ago (1 children)

Everyone knows you do that on Signal.

[–] rbos@lemmy.ca 4 points 2 days ago

Or a manky Signal clone with backdoors transmitting everything in plain text...

[–] Archangel1313@lemm.ee 19 points 2 days ago

Good thing they put her in charge of intelligence, then.

[–] milkisklim@lemm.ee 16 points 2 days ago* (last edited 2 days ago) (2 children)

That's weird. I have my browsers set up so if I type my password all that shows up is *******

[–] DickFiasco@lemm.ee 17 points 2 days ago (1 children)

I have the same add-on I think. When I type hunter2 it just shows up as hunter2 instead.

[–] Tolookah@discuss.tchncs.de 19 points 2 days ago (1 children)

I have the same add-on I think. When I type ******* it just shows up as ******* instead.

That's a neat plug-in.

[–] jherazob@beehaw.org 3 points 2 days ago

hunter2?

[–] brisk@aussie.zone 16 points 2 days ago (3 children)

Material from breaches shows that during a portion of this period, she used the same password across multiple email addresses and online accounts, in contravention of well-established best practices for online security. (There is no indication that she used the password on government accounts.)

This is... not interesting

[–] CmdrShepard42@lemm.ee 14 points 2 days ago (1 children)

It should be interesting considering she's currently the director of national intelligence yet seemed to learn about security during the time of AOL floppy disks.

[–] Powderhorn@beehaw.org 2 points 2 days ago

Those were the days ... free storage sent in the mail or attached to a magazine.

[–] Midnitte@beehaw.org 13 points 2 days ago (1 children)

Until it turns out she was using the personal accounts for governmental business....

[–] bamboo@lemmy.blahaj.zone 7 points 2 days ago (1 children)

Perhaps, but like actual hygiene, not having good digital hygiene stays with you between personal and work personas. It is troubling considering she is the Director of National Intelligence and it's something which should be a baseline requirement for the position. Regardless of party affiliation, it's competence we should demand for those in these positions.

[–] Midnitte@beehaw.org 3 points 2 days ago

Indeed!

[–] Maeve@kbin.earth 3 points 2 days ago

If people only knew how many anti/sec professionals do this, this would be in a zone with ASCII art, not Wired, but frankly, after what Poulson and Lamo did to Chelsea Manning, I really don't expect better from the media specifically marketed to those with an interest in anything tech related. I did before that happened, but after the absolute apathy from the public sector, if not outright hostility toward Ms. Manning, I expected and do expect the absolute worst, for the sake of sweet, profitable clicks. What I continue to be surprised about is how utterly bottomless this particular hole is. Really a black hole more than a mere abyss.

[–] Opinionhaver@feddit.uk 3 points 2 days ago (2 children)

I totally have unique passwords for all my hundreds of accounts around the internet.

[–] joby@programming.dev 25 points 2 days ago (1 children)

This reads as sarcastic to me, but I and many others legitimately do, through the use of a password manager. I have an encrypted database that syncs between my phone, laptop, and a vps, and I occasionally manually back up to a free email account. I only need to remember the one password to unlock the db.

[–] Opinionhaver@feddit.uk 3 points 2 days ago (1 children)

What I’m saying is that I don’t criticize others for something I do myself - that would be hypocritical.

[–] Boomkop3@reddthat.com 2 points 2 days ago

Being hypocritical reflects bad on you. But that does not mean it is bad advice.

[–] hash@slrpnk.net 3 points 2 days ago (1 children)

The standard user cannot comprehend that Bitwarden is less than $1 a month and totally worth every cent.

[–] absGeekNZ@lemmy.nz 9 points 2 days ago (1 children)

Or that keepass is free and you can use any number of sync methods

[–] NeatNit@discuss.tchncs.de 3 points 2 days ago

Having used KeePass for a few years, syncing via a self-hosted SFTP server, I can't recommend it for most people.

It's too technical, especially if you want sync, but even if you don't
Apps on different platforms don't quite agree with each other in all ways, making syncing a bit annoying (particularly: how to associate a login with multiple URLs)
It can be hard to pick which app to use on each platform, other than Windows, because there's no official/canonical best option (Mono has lots of drawbacks)

I've switched to Bitwarden and I'm sticking with it.