If you think about it the last option is a way to use login via 2fa
But you only need one factor, access to your inbox?
Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email's inbox )!
.. Its still a shit security design. Better to have username, pass and a security key hehe
It's all good until you get into a dependency loop with your email account passwords needing resetting, that have the email from the other account that needs resetting :P
That’s easy, just create new accounts every time you login.
And everything is done in Tails.
I've been through that hell with my son. He was struggling with mental health issues and locked himself out of his phone, apple account and Google (Gmail). He eventually just started over with new everything. I did convince him to use email address on my domain so that he would always be able to get recovery emails.
If websites could just remind me on the login in screen what their password requirements are that would help me a LOT.
So many times I start going through the "forgot my password" steps and then when I see the password requirements are "at least 10 characters long with 2 unique symbols" I remember what it was and can go back and log in.
Listing those requirements up front would make things way easier for brute force attackers
Listing those requirements up front would make things way easier for brute force attackers
They list all those requirements when you try to create an account. If anyone wants to try to brute force they already have that info.
Fun fact: it would take about 37 billion years on average (at current (known) tech) to brute force a 16 character alphanumeric password which uses uppercase ie. using at least one of each of a-z,A-Z,0-9
Adding special characters would not make it easier. A trillion years seems like a long time. (Unless your password is ThisIs4Password!)
https://www.komando.com/wp-content/uploads/2021/03/Passwords-chart-970x510.jpg
Brute Force attacks haven't been effective for decades. Not since they implemented delays between attempts and times outs/lock outs for too many failed attempts.
There was one time I was traveling and had to reset one of my passwords. It sent a verification code via email but my email provider wouldn’t let me login because I was in a different country I’ve never been to before. So it was a train of recovery processes to reser my password on a single account.
The big brain move is going to reset your password, getting told you can't use your current password when you type in a "new" one, then going back to the login screen to log in.
And have the password still not work.
Big brain move is going to reset your password, seeing what their obscure password requirements are, then remembering your password and going back to the login screen to log in.
I really wish sites with those stupid restricted complexity requirements would just say what they are on the login screen.
"We only allow '&#@!()' because we don't understand password security, you're welcome."
We have the worst password policy I’ve ever dealt with at my current employer.
My employer software has us log in with just our password, no username. I don't know exactly what's going on in the backend but I know I don't like it.
The highly regarded password policy of my last employer was one of the many things that pushed me over the edge and made me leave for greener pastures. I had to manage something like 9 different passwords, with the main one having changed to 16 chars min with all of the usual number/symbol/CAP requirements.
Forgot to add "Add a comma in your password, so if the all the user logins get leak, it will destroy the CSV file it gets uploaded to".
It won't destroy the .csv file, but your (below standard) client might have issues reading it. That woman from The Office knows those are not the same thing.
Add a drop table statement to it while you're at it
There is also use a password manager and reset the password everytime because the site blocks them and locks it out.
I have relatively long Passwords, because why not, and had problems with pages restricting the number of characters you can enter in the login window, but not the registration window. Or restricting password length and cutting your password off, but not telling you about it, so you gotta figure out that they set the first 30 characters of the saved password as your password.
Always fun to deal with. I could make it a lot easier for me by just using shorter passwords, but I think deep down I'm a masochist.
The worst version of this I’ve ever seen is a site that enforced a password policy on the “current password” field on the “change password” interface. I had an existing password that violated their policy (either because they changed the policy or a technician created a “temporary” password for me, I forget), and I could not change it to a proper password because my current password would get rejected.
I have several password manager plugins installed on my browser, along with the built-in password managers in the browser and the OS itself, because I like seeing them all fight over the password field.
Whenever I feel that my passwords are insecure, I offer them a few encouraging words.
Hey, unrelated question, what's the mother's maiden name of your password?
If I told you, then my password would be insecure. You see, that's a sensitive case for them.
This comment has big 'i did a thing' energy. Alex, is that you?
For any self-hosted services you use, run something like Authentik and configure all the apps to use it for auth via OIDC (OpenID Connect). Makes the experience a lot nicer, instead of every service having its own separate user system.
You still want a local account though. Learnt that the hard way.
Why? In case authentik goes down, so you can recover data? Or something else?
I am settting up authentik and other selfhosted services right now and my plan was for authentik to have all the accounts.
I use Keycloak at work. How does Authentik compare?
Bitwarden is your friend.
Ah yes, they'll never obtain my password if not even I know it.
One of each please.
Use passkeys
I like the DocuSign model. Just focus on securing your one account (email) and then make all the others use it as single factor.
Until you get locked out of your email account and can no longer access anything. This happens all the time with freemail (Gmail, Hotmail, Yahoo, etc) accounts.
The contents of mails also shouldn't be considered secure. I like the idea of doing proper SSO through an email provider though - for example, using OIDC (OpenID Connect).
i do 2 and 3
Good security with easy recovery! Amazing!
My father does that by adding pepper in his password manager. And having a shitty one word master password. The whole thing is both needlessly convoluted and poorly secured. It's fucking atrocious.
If the password database is just locally stored/accessed, then it's still not as bad. Usually password compromising happens because an online service gets hacked or has a bug. That's why it's bad to use the same password multiple times. The biggest risk of having the personal machine targeted directly is via scams or other social engineering attacks. And if your dad fails those, then a strong master password wouldn't make a difference.
Image of Bodhisattva: live in a quantum state of having passwords which simultaneously exist and don't exist
