Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
I actually think that forcing to use a different password for each site is not that bad, I mean it's something you should do anyway
-
Argos1743y@tonypolik
1. Forcing me to do anything is bad
2. No, using different password everywhere is bad because it is impossible to remember all of them and you will have to store your passwords somewhere. That "somewhere" can be accessed by hackers and your passwords will be lost.
3. The best place for storing passwords is in your head, thus using one/two passwords is more secure than using different ones. -
C0D4681383y@Argos
online banking, PayPal, ect. With the same password = you one broke mofo.
You'll be singing a different tune when you've been cleaned out financially.
Using a password manager is a good idea, but using random strings is hard to remember, so you either trust the password manager or use pass phrases instead eg: one-blue-cow-shit6
I use a pass phrase for the master password with MFA, this way I don't forgot what that is. But most of my passwords are random strings of characters that I'll never know. -
@Argos I think your risk analysis in your second point is flawed.
Passwords can get leaked in many ways, I would roughly say there are three risks:
A. Insecure websites, leaking your password
B. Malicious websites (phishing)
C. Insecure / hacked devices
Using a single password makes you extremely vulnerable to A and B - especially if you use the same password for e.g. online shopping and banking.
You cannot prevent A as you have no influence to or even knowledge of a websites security.
Now to problem C: If someone can steal stored passwords, they can also just install a keylogger and steal your entered passwords. Whatever you do, you have lost anyway; of course there are measure for damage control for such cases, but using less passwords does not help. -
Argos1743y@C0D4
Different passwords for online banking accounts will not help in case someone knows them. If someone steals one of your passes he will steal them all.
Password manager is the same one passwrod for everything, just sent to 3rd party people instead of remembering it - total crap.
MFA is good stuff, and it is enough to secure your data, again, the more tools you use to remember billion passwrods you create the more the chances that they will leak or you will forget them.
Different passwords is an illusion of safety, nothing more.
One password for secure data + MFA, and a diffferent one for registering on untrusted resoruces is more than enough. -
Argos1743y@sbiewald
Good point, I've answered to A-B above: one password+mfa for secure accounts and other password for online stores is enough.
No need to create different passwords for every resource, and if they force you to - they force you to write it somewhere, or forget it, thus decreasing security and stability instead of increasing it. And of course adding 333 at the end of your pass to meet stupid 15 min-length restriction will not help you in case of C. -
@Argos My point is: Nothing, really nothing will help you against C - so writing passwords down on a secure computer does not decrease security and removes A+B to the most extend possible. MFA should still be used, of course.
-
@Argos i disagree with what you wrote in first and second paragraph.
Since one of the most popular attack vectors is phishing, single password for all accounts =/= one password for password manager with individual passwords for websites. If you get phished, and give away one of the passwords, attacker gains access to one account, instead of many. Same goes for mitm, bruteforce and data leaks. -
Root825993yIt sounds like they’re enforcing good password rules, and like it has a built-in password manager that it’s protecting. Good on them. And shame on you for insisting on shit security practices.
The single worst thing for password security is reuse. If you use the same password everywhere and someone guesses or cracks it (or it’s leaked in a breach, which is incredibly and frighteningly common), you suddenly need to change your passwords everywhere. An account breach should be limited to that one single account, not multiple, and certainly not all of them. Especially since these break in attempts are largely automated.
Speaking of, have you ever seen bulk password files? 20+ million raw passwords in a single txt file. Easy to automatically try them all against someone’s account, or against a list of millions of account names, and since most people use shit passwords, you’re almost guaranteed to get access. Also, and it should go without saying, once your password finds its way into one of those lists… it’s compromised for good.
I do recommend against using browser-based managers, though. More difficult to trust that they’ve done everything correctly, and that it can’t be hijacked or compromised somehow via that connection to the browser. I’d recommend something like KeePassXC. Open source, free, and local only.
I keep all of my passwords in a password manager (the one I recommended), most of them 45+ character strings of garbage, depending on what the service in question m allows, ofc. Every service uses a different password. My passwords for said password managers (personal, work) are long sentences with capitals and punctuation, and not written down anywhere. (Though I probably should because of bus factor.) I also don’t trust cloud services and only use local copies of my password dbs, and back them up regularly.
This minimizes my risk of breaches, theft, etc. and also makes my life easier. What’s not to love? :) -
bahua129043yI have been using Vivaldi happily for years, and I love it. It's a solid backup to Firefox, and a great way to access poorly-written chrome-only web content.
I have never seen anything about password enforcement on it. Are you seriously not using a purpose-written standalone password manager? -
C0D4681383y@Argos please visit
https://haveibeenpwned.com/
and enter your email. If you get even 1 hit, your single use password you love is compromised.
Keep in mind, your credentials being reused doesn't limit your vulnerability to a single service, people who have password lists will and do try them against many services, for example:
https://popculture.com/entertainmen...
This is why using a different password per service is something you can control to reduce your attackable footprint. -
So you forgot to add the password to your password manager?
Or did you actually try to use a browser as your password manager?! -
@Argos
I wonder what your threat model is where you trust the software running under your account with passwords and data, but one extra piece of software running locally having the limited feature set of a password manager is out of the question for security reasons...
Has cloud religion spread so far that people seriously believe, that there can't be software that just does its job without talking to other computers while running locally on a device?
Or are you just trolling?
Related Rants
Vivaldi browser is shit.
Simple isntructions on how to make most shitty browser ever:
1. Force users to use "really-fucking-long" password that will not match to any of their existing ones.
2. Invent some useless stupid "encryption password" (why does any normal browser work fine without that shit) and most ridiculous - automatically set it to be the same as the main password.
3. Of course you forget the pass you set because you dont remember what symbol you added 5 times in the end of your normal pass to fit their stupid rules.
4. You have to reset it
5. "Encryption password" does not reset with it, so you still dont remember it
6. Sync is not working!
7. If you think this is shitty enought, you are not right - they went futher. To reset that fucking "encryption password" you have to... ERASE ALL YOUR CLOUD DATA.
Fucking retarded piece of shit - never, never trust those morons who made this shit browser to sync any of your sensitive information.
devrant
vivaldi
synchronization
cloud
chrome
browsers
bookmarks
rant