Depends, some ask for the email used for the registration, the others ask for a username. In case of the username, it's 2FA! Something you know (username) and something you have (access to the registered email's inbox)!
... It's still a shit security design. Better to have username, pass and a security key hehe
It's all good until you get into a dependency loop with your email account passwords needing resetting, that have the email from the other account that needs resetting :P
I've been through that hell with my son. He was struggling with mental health issues and locked himself out of his phone, apple account and Google (Gmail). He eventually just started over with new everything. I did convince him to use email address on my domain so that he would always be able to get recovery emails.
If websites could just remind me on the login in screen what their password requirements are that would help me a LOT.
So many times I start going through the "forgot my password" steps and then when I see the password requirements are "at least 10 characters long with 2 unique symbols" I remember what it was and can go back and log in.
But don't use LastPass, they are the most popular, and with the largest breach history. In fact, if you are capable of the admittedly high bar of self hosting, use Bitwarden instead.
Fun fact: it would take about 37 billion years on average (at current (known) tech) to brute force a 16 character alphanumeric password which uses uppercase, i.e. using at least one of each of a-z, A-Z, 0-9
Adding special characters would not make it easier.
A trillion years seems like a long time.
(Unless your password is ThisIs4Password!)
Brute force attacks haven't been effective for decades. Not since they implemented delays between attempts and timeouts/lockouts for too many failed attempts.
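The delays and lockouts the comment above refers to look roughly like this in code. This is an added example, not code from anyone in the thread: a per-account throttle that doubles the wait after every failed attempt and locks the account for a fixed period once a failure threshold is reached. The thresholds, the `LoginThrottle` class and the injectable `FakeClock` are all assumptions made for the example so it can be run and checked offline.

```python
import time
from dataclasses import dataclass


@dataclass
class AttemptState:
    failures: int = 0        # consecutive failed attempts for this account
    not_before: float = 0.0  # clock time before which attempts are refused


class FakeClock:
    """Constructed clock for demonstration: lets the example advance time
    without sleeping. Production code would pass time.monotonic instead."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginThrottle:
    """Per-account throttle (assumed design): each failure doubles the delay
    before the next attempt is accepted; after max_failures the account is
    locked out for lockout_seconds. A successful login clears the counter."""

    def __init__(self, base_delay=1.0, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.state = {}

    def _get(self, account):
        return self.state.setdefault(account, AttemptState())

    def seconds_until_allowed(self, account):
        """0.0 when an attempt may proceed, otherwise the remaining wait."""
        return max(0.0, self._get(account).not_before - self.clock())

    def record_failure(self, account):
        """Bump the failure count and schedule the next allowed attempt."""
        s = self._get(account)
        s.failures += 1
        if s.failures >= self.max_failures:
            delay = self.lockout_seconds
        else:
            delay = self.base_delay * 2 ** (s.failures - 1)
        s.not_before = self.clock() + delay
        return delay

    def record_success(self, account):
        self.state.pop(account, None)

    def attempt(self, account, password_ok):
        """Wrap a credential check: refuse while throttled, else update state.
        password_ok is the result of the real password comparison."""
        if self.seconds_until_allowed(account) > 0:
            return "throttled"
        if password_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "denied"


if __name__ == "__main__":
    clk = FakeClock()
    throttle = LoginThrottle(base_delay=1.0, max_failures=3,
                             lockout_seconds=60, clock=clk)
    for _ in range(3):
        print(throttle.attempt("alice", False))   # denied, then throttled ...
        clk.t += 4                                # ... until the delay has passed
    print(throttle.seconds_until_allowed("alice"))  # lockout remaining
```

Note that a throttle keyed only on the account name also lets an attacker lock a victim out on purpose, so real deployments usually combine it with per-source limits and a slow password hash rather than relying on the lockout alone.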
There was one time I was traveling and had to reset one of my passwords. It sent a verification code via email but my email provider wouldn’t let me login because I was in a different country I’ve never been to before. So it was a train of recovery processes to reset my password on a single account.
Run a VPN server at home, any decent router should be able to run one. Then you can be anywhere in the world and every site will still think you are at home.
The big brain move is going to reset your password, getting told you can't use your current password when you type in a "new" one, then going back to the login screen to log in.
Big brain move is going to reset your password, seeing what their obscure password requirements are, then remembering your password and going back to the login screen to log in.
My employer's software has us log in with just our password, no username. I don't know exactly what's going on in the backend but I know I don't like it.
The highly regarded password policy of my last employer was one of the many things that pushed me over the edge and made me leave for greener pastures. I had to manage something like 9 different passwords, with the main one having changed to 16 chars min with all of the usual number/symbol/CAP requirements.
It won't destroy the .csv file, but your (below standard) client might have issues reading it. That woman from The Office knows those are not the same thing.
I have relatively long passwords, because why not, and had problems with pages restricting the number of characters you can enter in the login window, but not the registration window. Or restricting password length and cutting your password off, but not telling you about it, so you gotta figure out that they set the first 30 characters of the saved password as your password.
Always fun to deal with. I could make it a lot easier for me by just using shorter passwords, but I think deep down I'm a masochist.
The worst version of this I’ve ever seen is a site that enforced a password policy on the “current password” field on the “change password” interface. I had an existing password that violated their policy (either because they changed the policy or a technician created a “temporary” password for me, I forget), and I could not change it to a proper password because my current password would get rejected.
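Both failure modes described in the two comments above (silent truncation at registration while the login form compares the full password, and a change-password form that runs the policy against the *current* password) come from the same kind of handler bug. Below is an added example, not code from the thread, with the buggy and fixed versions side by side. The 30-character limit, the policy regex, the in-memory `USERS` store and the PBKDF2 hash are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed in-memory user store: username -> (salt, password hash).
USERS = {}

# The silent cut-off length from the comment; 30 is an assumed value.
MAX_LEN = 30

# Policy used by the change-password handler: at least 10 characters,
# one digit and one symbol (a constructed rule, not any real site's).
POLICY = re.compile(r"^(?=.*\d)(?=.*[^\w\s]).{10,}$")


def _hash(password, salt):
    # PBKDF2 stands in for whatever password hash the site actually uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _store(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def check_login(username, password):
    """Login form with no length limit: the whole password is hashed and compared."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(_hash(password, salt), stored)


def register_truncating(username, password):
    """Buggy registration: keeps the first MAX_LEN characters and says nothing.
    The user who later types the full password at login is rejected."""
    _store(username, password[:MAX_LEN])


def register_checked(username, password):
    """Fixed registration: the limit is explicit and the same rule applies everywhere."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters")
    _store(username, password)


def change_password_buggy(username, current, new):
    """Buggy handler: applies the policy to the password the user already has,
    so anyone holding a pre-policy or technician-set password is stuck."""
    if not POLICY.match(current):
        return "current password rejected by policy"
    if not check_login(username, current):
        return "wrong current password"
    if not POLICY.match(new):
        return "new password rejected by policy"
    _store(username, new)
    return "ok"


def change_password_fixed(username, current, new):
    """Fixed handler: the current password is only verified; policy applies to the new one."""
    if not check_login(username, current):
        return "wrong current password"
    if not POLICY.match(new):
        return "new password rejected by policy"
    _store(username, new)
    return "ok"


if __name__ == "__main__":
    register_truncating("alice", "a" * 40)
    print(check_login("alice", "a" * 40))   # False: only 30 characters were stored
    print(check_login("alice", "a" * 30))   # True
    register_checked("bob", "temp123")      # pre-policy password, e.g. set by a technician
    print(change_password_buggy("bob", "temp123", "Longer-pass-9!"))  # rejected
    print(change_password_fixed("bob", "temp123", "Longer-pass-9!"))  # ok
```

The fix in both cases is the same principle: whatever limit or policy exists must be enforced at the point where the password is *set*, and the point where it is *checked* must do nothing but compare.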
I have several password manager plugins installed on my browser, along with the built-in password managers in the browser and the OS itself, because I like seeing them all fight over the password field.
For any self-hosted services you use, run something like Authentik and configure all the apps to use it for auth via OIDC (OpenID Connect). Makes the experience a lot nicer, instead of every service having its own separate user system.
One feature Authentik has that I don't think Authelia nor Keycloak support is operating as an LDAP server. With Authelia at least, you have to run a separate LDAP server if you need LDAP. With Authentik, it's built in.
Until you get locked out of your email account and can no longer access anything. This happens all the time with freemail (Gmail, Hotmail, Yahoo, etc) accounts.
The contents of mails also shouldn't be considered secure. I like the idea of doing proper SSO through an email provider though - for example, using OIDC (OpenID Connect).
My father does that by adding pepper in his password manager. And having a shitty one word master password. The whole thing is both needlessly convoluted and poorly secured. It's fucking atrocious.
If the password database is just locally stored/accessed, then it's still not as bad. Usually password compromising happens because an online service gets hacked or has a bug. That's why it's bad to use the same password multiple times. The biggest risk of having the personal machine targeted directly is via scams or other social engineering attacks. And if your dad fails those, then a strong master password wouldn't make a difference.