this post was submitted on 06 Dec 2023
151 points (96.9% liked)

[Outdated, please look at pinned post] Casual Conversation

These are the same companies that don't support second factors, only have their app as a second factor, or only SMS second factor. Is it too much to ask for smart card or token (yubikey) support?

[–] droning_in_my_ears@lemmy.world 46 points 10 months ago (5 children)

I hate that stuff. Also websites that have lots of specific conditions for what a password contains. You're just increasing the likelihood of me forgetting it.

[–] Echo5@lemmy.world 15 points 10 months ago

I started using a password manager for a lot of my passwords. Works pretty well, it’ll generate criteria-matching passwords for me. Also functions as a list of websites I’ve created accounts with.

[–] Bwaz@lemmy.world 13 points 10 months ago (1 children)

Forgetting it?? All you have to do is scribble it on a little slip of paper in your top drawer like 90% of people do. Very secure.

[–] BastingChemina@slrpnk.net 3 points 10 months ago (1 children)

Top drawer! I think that's still more secure than most of my colleagues. It's usually a post-it on the monitor.

[–] l_b_i@yiffit.net 11 points 10 months ago

And if you don't forget it, you'll use a simple one that's easy to guess or contains common substitutions, p@$$w0rd!. And then when you do forget it you'll call support who will reset it, and they get so many calls it will make taking over another account easier.

[–] DABDA@lemmy.world 8 points 10 months ago (1 children)

In case you haven't already seen it yet, there's The Password Game to drive this point home.

[–] l_b_i@yiffit.net 3 points 10 months ago

I don't think I've gotten past finding the correct length video. Getting that to work with everything else and keeping what's his face alive is just too much.

[–] iAmTheTot@kbin.social 3 points 10 months ago (2 children)

Use a password manager my guy

[–] droning_in_my_ears@lemmy.world 1 points 10 months ago (2 children)
[–] Darkassassin07@lemmy.ca 1 points 10 months ago* (last edited 10 months ago)

I didn't either, so I self-host mine via vaultwarden. My passwords never leave my own systems (unless being used to log in, ofc), except for transit between my server and client devices. That is encrypted before storage or flight, then wrapped in TLS for HTTPS and again for a VPN connection (also self-hosted).

[–] Blaze@discuss.tchncs.de 1 points 10 months ago

Even locally? https://keepassxc.org/ can be an option

[–] thedirtyknapkin@lemmy.world 1 points 10 months ago* (last edited 10 months ago) (1 children)
[–] apfelwoiSchoppen@lemmy.world 34 points 10 months ago (3 children)

My company set up two factor for office 365. The type of verification used is the outlook app where you tap on something to gain access. I must have been one of the first to be required to change my password on the stupid 90 day schedule. After changing my 365 account pw I was locked out because I had to log in to the Outlook app and use the outlook app for verification, which didn't work due to the need to be logged in. You can't make this shit up.

[–] l_b_i@yiffit.net 10 points 10 months ago

Perfect security. Nobody can access.

[–] deweydecibel@lemmy.world 4 points 10 months ago* (last edited 10 months ago)

That's on your IT department.

Well, it's also on Microsoft for selling their "modern" security theater bullshit to every IT department in the country while not designing it in a sensible fashion or working with third parties to provide meaningful alternatives to the Microsoft branded shit every employee will soon be required to install on their personal devices...

But that's also on your IT department for not warning you or allowing you to keep the SMS/phone verification as a backup for these exact situations. Those aren't deprecated yet, but some companies have let Microsoft's recommended security practices (co-written by their sales team) scare them into downright idiocy.

As someone in IT, here's what you do: next time that sort of thing happens, just reach out to them immediately and have them reset everything. They may get annoyed, but you know what? They shouldn't be. It's more secure to have an employee call in every single time they need to change a password or re-authenticate a device. It's inconvenient, unnecessary, and downright annoying, wasting everyone's valuable time, but hey... it's more "secure". If it's more secure, you aren't allowed to be against it.

[–] l_b_i@yiffit.net 1 points 10 months ago

you and @CodingCarpenter@lemm.ee must use the same system.

[–] CodingCarpenter@lemm.ee 11 points 10 months ago (2 children)

Every few months my company forces a password reset. We recently changed from four-digit PINs to full, true passwords, but they don't actually explain that, so now you have people with like 13-digit PINs. It's insane. On top of that they also use two-factor authentication simply to make things harder, I believe.

Finally, if you want your work email on your phone it forces you to re-login every single week, and because of the way Outlook mobile works you need this special number from Outlook on your phone, so to log into Outlook on my phone I have to authenticate with Outlook on my phone.

[–] Delphia@lemmy.world 8 points 10 months ago (1 children)

0118 999 881 99 911 9725 3

[–] olicvb@lemmy.ca 5 points 10 months ago

Finally an emergency phone number that I can remember.

[–] jaycifer@kbin.social 3 points 10 months ago (1 children)

13 digit pins? You mean my phone number and birthdate?

[–] CodingCarpenter@lemm.ee 3 points 10 months ago

I'd be lying if I said I haven't considered it. It still calls them PINs even though it allows for basically any character.

[–] PlatinumSf@pawb.social 9 points 10 months ago (2 children)

Any insurance company* (I say so because as an IT administrator I'm forced to enable this to keep our cyber insurance policy, but I feel rather confident it's unnecessary given the research and our migration to LDAP-tied FIDO).

[–] CriticalMiss@lemmy.world 4 points 10 months ago (1 children)

I’m in this boat and I hate it.

[–] PlatinumSf@pawb.social 2 points 10 months ago

I’ll drink to that!

[–] l_b_i@yiffit.net 3 points 10 months ago (1 children)

All I know is the mortgage servicing company I use seems to have started a ~3 month interval that they don't announce (no second factor available either). When I went to pay my internet bill, I got greeted with a message "your password's been reset". I'm stubborn and I was just using those sites to pay bills, so now I just don't log in to those anymore.

Insurance, and government need to catch up to the research. For sites that support them, I really like the Yubikey as a second factor.

[–] PlatinumSf@pawb.social 2 points 10 months ago (3 children)

It won’t be too long now before everyone rolls out Passkey support, which will be nice. I fully embrace the death of the password.

[–] l_b_i@yiffit.net 2 points 10 months ago

I like your optimism.

[–] henfredemars@infosec.pub 8 points 10 months ago (1 children)

BasePassword + today's date reporting for duty.

[–] l_b_i@yiffit.net 3 points 10 months ago (1 children)

What about when you go and log in tomorrow?

[–] AcornCarnage@lemmy.world 19 points 10 months ago (1 children)

Maintain security by changing passwords every day. Easy.

[–] Nougat@kbin.social 1 points 10 months ago (1 children)

Best security: change the password every Planck unit of time.

[–] PlatinumSf@pawb.social 1 points 10 months ago

Rotating passkeys are pretty secure.
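
The rotation jokes in this subthread ("BasePassword + today's date", a new password every day) and the earlier complaint about composition rules describe the same failure: forced rotation produces predictable edits, and composition rules produce predictable substitutions. What follows is an added example, not code from this thread or from any product mentioned in it, of the checks a defender can run at password-change time instead: a length floor, a blocklist consulted after undoing leet-style substitutions, a check for a trailing date, and a comparison against the previous password so that a change of suffix only is rejected. The 12-character floor, the blocklist contents and the three-edit similarity threshold are illustrative assumptions, not policy from the thread.

```python
import re
from typing import Iterable, List, Optional

# Assumed policy parameters (illustrative, not from the thread): a length
# floor, a small constructed blocklist, and a similarity threshold.
MIN_LENGTH = 12
WEAK_LIST = {"password", "passw0rd", "welcome", "letmein", "qwerty123456"}
MAX_EDITS_FROM_PREVIOUS = 3

# Substitutions users reach for to satisfy composition rules; undoing them
# before the blocklist lookup makes "p@$$w0rd" match "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})

# A trailing YYYYMMDD or MMDDYYYY (optionally separated), with or without
# trailing punctuation: the "BasePassword + today's date" pattern.
DATE_SUFFIX = re.compile(
    r"(?:(?:19|20)\d{2}[-/.]?\d{2}[-/.]?\d{2}"
    r"|\d{2}[-/.]?\d{2}[-/.]?(?:19|20)\d{2})[^\w]*$"
)


def stem(pw: str) -> str:
    """Lowercase, drop any trailing run of digits/punctuation, then undo
    leet substitutions, so 'Wintertime2023!' and 'Wintertime2024!' both
    become 'wintertime'."""
    s = re.sub(r"[\d\W_]+$", "", pw.lower())
    return s.translate(LEET_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def evaluate_new_password(candidate: str, previous: Optional[str] = None,
                          weak_list: Iterable[str] = WEAK_LIST) -> List[str]:
    """Return the policy violations for `candidate`; an empty list means accept."""
    problems: List[str] = []
    weak = set(weak_list)
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = stem(candidate)
    if candidate.lower() in weak or norm in weak:
        problems.append("matches a known-weak password once common substitutions are undone")
    if DATE_SUFFIX.search(candidate):
        problems.append("ends in a date-like suffix")
    if previous is not None:
        if stem(previous) == norm:
            problems.append("same base word as the previous password; only the suffix changed")
        elif edit_distance(candidate.lower(), previous.lower()) <= MAX_EDITS_FROM_PREVIOUS:
            problems.append(f"within {MAX_EDITS_FROM_PREVIOUS} edits of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the thread's "p@$$w0rd!", a suffix-only
    # rotation, a date suffix, and an unrelated passphrase.
    for new, old in [("Wintertime2024!", "Wintertime2023!"),
                     ("p@$$w0rd!", None),
                     ("Hunter20231206", None),
                     ("correct-horse-battery-staple", "Wintertime2023!")]:
        print(f"{new!r:32} -> {evaluate_new_password(new, old) or 'accepted'}")
```

The previous-password comparison is the piece that makes rotation meaningful at all: without it, a 90-day policy simply trains users to increment a counter. A real deployment would replace the constructed blocklist with a breached-password corpus and keep only a hash of the previous password, comparing stems and edit distance at change time while the old value is still in hand.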

[–] ares35@kbin.social 7 points 10 months ago (1 children)

We have one piece of remote software that requires 90-day resets, but half the time the process is bugged, so we end up having to have a new password relayed to us in the clear... through email. Third-party email. It's only 100s of thousands of medical records on the other side of that login. No big.

[–] l_b_i@yiffit.net 3 points 10 months ago

I don't have any first-hand experience, but from the anecdotes I hear, medical and banking have some of the worst password/security practices.

[–] Darkassassin07@lemmy.ca 7 points 10 months ago

Mine rotates every 3 months for a 4-digit pin... Can't use a longer one, no 2fa.

[–] Chetzemoka@startrek.website 6 points 10 months ago (1 children)

Both companies I work for use Okta for 2fa AND also force us to change our passwords every 90 days, resulting in us using weak, easy to remember passwords. It's security theater.

[–] CriticalMiss@lemmy.world 6 points 10 months ago

I’m IT in a company that has this policy. Blame the cyber insurance.

[–] Blaze@discuss.tchncs.de 6 points 10 months ago (1 children)

I'm glad that in my company they disabled the password rotation after having implemented 2FA.

[–] l_b_i@yiffit.net 4 points 10 months ago

Mine went to once a year for most systems. There is probably an external requirement somewhere that says they need to be changed periodically and once a year is the lowest frequency they can do.

[–] lurch@sh.itjust.works 1 points 10 months ago (4 children)

This sounds like you don't use a password manager.

[–] l_b_i@yiffit.net 6 points 10 months ago (11 children)

A password manager does nothing to stop Social engineering and human factors on the provider side.

[–] Euphorazine@lemmy.world 5 points 10 months ago (1 children)

I use a password manager, but I can't realistically use one on my work computer, because the computer is locked. You want me to open my password manager on my phone and try and type it in?

Yeah, I'm gonna continue to use the bare minimum password that meets the requirements knowing full well it can be brute forced in under 5 minutes.

[–] Thavron@lemmy.ca 3 points 10 months ago

Sadly, I can't use a password manager to unlock Windows on my work PC.

[–] bluGill@kbin.social 2 points 10 months ago (1 children)

You still need a password on your password manager, and that needs to be protected.

[–] Darkassassin07@lemmy.ca 3 points 10 months ago

Sure, but one strong complex password is much easier to maintain and remember than (checks vault) 71 individual logins, each with unique complex passwords.

My password vault is also only accessible from my local network or from a device that's been within that network and logged in to my vault while it was there. (I'm not using public servers to sync between devices)
