If you think about it the last option is a way to use login via 2fa
Nah it’s just SFA with extra steps.
Magic link login with extra steps
This is more correct
But you only need one factor, access to your inbox?
So it’s more like SSO authentication
SSO without 2FA
Unless your email has 2fa?
Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!
… Its still a shit security design. Better to have username, pass and a security key hehe
Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?
I think you got it wrong what i meant (?)
Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
Websites generally dont work this way, i know. But thats how id implement it :')Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.
Shit, are we getting to that point where all non-password logins are “2fa” like how all denial of services are “DDoS”
It’s all good until you get into a dependency loop with your email account passwords needing resetting, that have the email from the other account that needs resetting :P
That’s easy, just create new accounts every time you login.
And everything is done in Tails.
Can’t one open multiple tabs open at once?
If websites could just remind me on the login in screen what their password requirements are that would help me a LOT.
So many times I start going through the “forgot my password” steps and then when I see the password requirements are “at least 10 characters long with 2 unique symbols” I remember what it was and can go back and log in.
Or just use a password manager and solve that problem yourself right now forever.
But don’t use lastpass, they are the most popular, and with the largest breach history. In fact, if you are capable of the admittedly high bar of self hosting, use bit warden instead.
Why? Bitwarden has a free tier you don’t have to self host
But don’t use lastpass, they are the most popular, and with the largest breach history.
This is exactly why I don’t want to use a password manager. Storing all my passwords in one place online doesn’t exactly sound secure.
I would rather recommend using KeepassXC, and storing and syncing the database with your other devices using Syncthing. Supereasy to set up, and works flawlessly with my pc and my phone.
KeepassXC has nice features like global autotype btw, so for webpages i can insert my payment information with one hotkey. no need to save your CC in your browser.
Right? I’m right with you. I keep a password book I can lock up in the safe. No online hacker can get to that.
I use a pattern relative to the site name, with a different email address for every site also relative to the site name. The pattern means the password is always different but I always know that it is.
For 99% of people an online password manager like Bitwarden or LastPass is going to significantly help them manage passwords securely despite the risks associated with cloud services. Most people can’t handle self hosting Bitwarden or syncing a Keepass database by themselves. Without an easy to access and easy to use online option people will revert to significantly riskier methods like password reuse or using some sort of repeatable/guessable pattern.
For the 1% of people who want more security there are options like Vaultwarden or Keepass. Even then it’s not uncommon to make mistakes and lose data/access or leave some sort of vulnerability exposed. The attack surface is a lot smaller than a public service though which is beneficial.
1Password is an option. It’s all stored in one place, sure. But you need the encryption key and password to access it. No one but you has that key, and if you lose/forget it you lose your passwords forever. Not even the company can recover your passwords from that.
In fact, if you are capable of the admittedly high bar of self hosting, use bit warden instead.
Vaultwarden, typically, because it’s fully free and more resource efficient. But bitwarden as the client of course.
Listing those requirements up front would make things way easier for brute force attackers
Listing those requirements up front would make things way easier for brute force attackers
They list all those requirements when you try to create an account. If anyone wants to try to brute force they already have that info.
Fun fact: it would take about 37 billion years on average (at current (known) tech) to brute force a 16 character alphanumeric password which uses uppercase ie. using at least one of each of a-z,A-Z,0-9
Adding special characters would not make it easier. A trillion years seems like a long time. (Unless your password is ThisIs4Password!)
https://www.komando.com/wp-content/uploads/2021/03/Passwords-chart-970x510.jpg
Also, online logins should lock you out temporarily after a few failed attempts anyway, making brute force a complete non issue.
Also also, if you’re going to try to brute force someones pw, you would just look up the requirements beforehand anyway.
If you brute force using single iterations of all possible combinations sure. But people don’t do that. They use fully readable passwords and letter substitutions. This makes dictionary attacks viable. There are a known number of readable words and phonetic combinations that are significantly easier to brute force. And also the vast majority of numbers are also guessable because most numbers are dates. Series of 2 or 4 or 8 numbers to form important dates means there are lots of numbers between 1940-2024. People don’t usually unconditionally random alphanumeric passwords. Therefore peoples passwords will never be fully secure against sufficiently advanced brute force methods.
I originally included the words “assuming random” to the post. Why I removed it? I guess for dramatic effect. You are correct. Permutations of dictionary words are relatively trivial for a decent program. But, increasing the length and the addition of special characters adds a nontrivial exponential increase in time, wouldn’t it?
Brute Force attacks haven’t been effective for decades. Not since they implemented delays between attempts and times outs/lock outs for too many failed attempts.
There was one time I was traveling and had to reset one of my passwords. It sent a verification code via email but my email provider wouldn’t let me login because I was in a different country I’ve never been to before. So it was a train of recovery processes to reser my password on a single account.
I can smell the Linux crowd rushing to suggest a better method.
Use a password manager like bitwarden or keepass
Run a VPN server at home, any decent router should be able to run one. Then you can be anywhere in the world and every site will still think you are at home.
How would they be able to do that if they were already out of the country? Or is it something that “everyone” should set up?
That’s something that should be set up before leaving. You wouldn’t be able to do it away from home unless you already had remote access to a computer running at home or if your router had remote access enabled.
They would have to set it up before leaving. Or have someone in the household change their router settings to enable it and share the details with them.
If you ever look at local WiFi networks in most residential areas you will see 90%+ use the default router supplied by thier isp. Also using the default SSID and password printed on the router. Most wouldn’t even venture into the routers web page to change the settings. So the likelihood someone would configure this is low.
If you don’t already, change your default WiFi SSID and password. It makes it easier to share with visitors, you can use the same ones when you switch routers (saves reconfiguring all devices). It also removes the possiblity of your ISP leaking the SSID and password to anyone. If it’s been printed, then it isn’t encrypted when stored. Many ISPs have lost lots of customers data in breaches, many of which they resit making public.
The big brain move is going to reset your password, getting told you can’t use your current password when you type in a “new” one, then going back to the login screen to log in.
And have the password still not work.
Big brain move is going to reset your password, seeing what their obscure password requirements are, then remembering your password and going back to the login screen to log in.
I really wish sites with those stupid restricted complexity requirements would just say what they are on the login screen.
“We only allow ‘&#@!()’ because we don’t understand password security, you’re welcome.”
We have the worst password policy I’ve ever dealt with at my current employer.
Create a new account every time?
Change password every day, and the required password length and complexity increases each time you change your password.
Password game irl
Bitwarden has a password generator that you can set criteria for, been really helpful with one of my janky logins
My bank has, for being a bank, very very bad character support. Best thing is, I’m basically gonna work for that bank.
For years my bank only allowed numerical passwords. The maximum length was 8.
They changed it somewhat recently.
But they had a strict lockout policy, right? Right?
me when my bank is less secure than a fucking door lock
One of the largest banks in Australia (Westpac) used to require passwords to be exactly 6 characters (no more, no less) and they were case insensitive. It also had a fun ‘denial of service’ attack built-in: If you got it wrong three times, it’d lock the account and force you to go to the bank to unlock it, meaning anyone that knew your bank username could lock you out of your account and cause some pretty big headaches. Fun.
In fact, I’m not sur whether they ever fixed this. Haven’t used their services in a long time.
The highly regarded password policy of my last employer was one of the many things that pushed me over the edge and made me leave for greener pastures. I had to manage something like 9 different passwords, with the main one having changed to 16 chars min with all of the usual number/symbol/CAP requirements.
My employer software has us log in with just our password, no username. I don’t know exactly what’s going on in the backend but I know I don’t like it.
Forgot to add “Add a comma in your password, so if the all the user logins get leak, it will destroy the CSV file it gets uploaded to”.
It won’t destroy the .csv file, but your (below standard) client might have issues reading it. That woman from The Office knows those are not the same thing.
Add a drop table statement to it while you’re at it
Step 1) Activate 2-Factor authentication
Step 2) Authentication system fucks up
Step 3) Locked out of your own account
True story. x2
There is also use a password manager and reset the password everytime because the site blocks them and locks it out.
I have relatively long Passwords, because why not, and had problems with pages restricting the number of characters you can enter in the login window, but not the registration window. Or restricting password length and cutting your password off, but not telling you about it, so you gotta figure out that they set the first 30 characters of the saved password as your password.
Always fun to deal with. I could make it a lot easier for me by just using shorter passwords, but I think deep down I’m a masochist.
The worst version of this I’ve ever seen is a site that enforced a password policy on the “current password” field on the “change password” interface. I had an existing password that violated their policy (either because they changed the policy or a technician created a “temporary” password for me, I forget), and I could not change it to a proper password because my current password would get rejected.
I have relatively long Passwords, because why not
Typos is why I don’t make mine longer or more complicated.
That strongly depends on whether you are allowed to copy and paste:-)
If I can’t paste my password I will almost always choose not to use the site, if I have the option. I can’t understand why they would prevent that.
https://gist.github.com/JeninaAngelin/d87c67e33f6dfda46fff723121cd622a
A good password wallet clears the clipboard after a timer expires.
Bitwarden inserts them automatically, and if I ever have to do it manually for some reason, it just doubles the fun. Hasn’t happened to me yet, though.
I have several password manager plugins installed on my browser, along with the built-in password managers in the browser and the OS itself, because I like seeing them all fight over the password field.
Sign a random string with your private key to be verified by a public key on server.
You’re describing Passkeys/WebAuthN
Can you send the link for it? I was unaware of this.
Just need a password to sign now. 🥲
Whenever I feel that my passwords are insecure, I offer them a few encouraging words.
Hey, unrelated question, what’s the mother’s maiden name of your password?
If I told you, then my password would be insecure. You see, that’s a sensitive case for them.
This comment has big ‘i did a thing’ energy. Alex, is that you?
For any self-hosted services you use, run something like Authentik and configure all the apps to use it for auth via OIDC (OpenID Connect). Makes the experience a lot nicer, instead of every service having its own separate user system.
I use Keycloak at work. How does Authentik compare?
I’ve never tried Keycloak so I’m not sure, sorry.
One feature Authentik has that I don’t think Authelia nor Keycloak support is operating as an LDAP server. With Authelia at least, you have to run a separate LDAP server if you need LDAP. With Authentik, it’s built in.
I guess I’ll have to do the research myself. Ohh bother. I can tell you that Keycloak can use a postgresql db or ldap but it is not built in. I honestly really dislike LDAP though. It’s an old protocol that has terrible client support and the only real reason to use it imo is if you need to support really high number of users and traffic, like in the millions.
I don’t like it either, but there’s probably some apps that only support LDAP.
You still want a local account though. Learnt that the hard way.
Why? In case authentik goes down, so you can recover data? Or something else?
I am settting up authentik and other selfhosted services right now and my plan was for authentik to have all the accounts.
Bitwarden is your friend.
Ah yes, they’ll never obtain my password if not even I know it.
Use passkeys