Comment on No, Steam wasn’t hacked, and your account details are safe
scops@reddthat.com 2 days agoI believe the main concern for periodic password changes is that most people won’t take the time to generate unique passwords each time. They will typically iterate a password over time, meaning a couple leaked passwords will narrow down guesswork to a trivial number of guesses and remove the benefit of the timed changes.
NIST no longer recommends password expirations except for cases where it is believed that a breach occurred.
JustAnotherKay@lemmy.world 2 days ago
The other issue with periodic password changes, particularly in the workplace but also relevant in normal life, is that it causes people to write down their password. The issues with that should be glaring enough
ripcord@lemmy.world 1 day ago
What if they write it down in a single, centralizedz password manager? Which itself could be compromised?
That’s the only way I can keep the literally 100 accounts ive accumulated over the years straight, without reusing passwords.
And while I believe that is reasonably secure in my case, if that got compromised I’d be pretty screwed (well, 2fa would probably still limit the worst of it). But most people probably wouldn’t even be that secure about it.
mic_check_one_two@lemmy.dbzer0.com 1 day ago
Because it’s about reducing attack vectors, and your password manager isn’t likely going to be a vector. Attackers are going to try and net as many users as possible, which means (aside from heads of state or C-suite executives being spear phished) they aren’t targeting individuals… They’re targeting the companies that those individuals have accounts with. Essentially, you as an individual aren’t important enough to bother trying to hack individually. As long as your password manager has a sufficiently long password, (and you’re not one of the 1% of individuals who are rich or powerful enough to actually target), hackers won’t even bother trying.
With shared passwords, every single service you use is a potential attack vector; A breach on any of them becomes a breach on all of them, because they’re all using the same credentials. And breaches happen all the time, both because any single individual employee can be a potential weakness in the company’s security, (looking at the accountant who plugged a “lost and found” flash drive into their computer, and got the entire department hit with ransomware), and because the company is more likely to be targeted by attackers. With unique passwords and a manager, a breach on any service is only a breach on that service.
So by using a password manager, you essentially accept that breaches in individual companies are inevitable and out of your control, and work to minimize the damage that each one can do.
GreyEyedGhost@lemmy.ca 1 day ago
I asked my company if I could use a password manager and they said no. So now they get a set of rotating passwords that are the same for all my work accounts. It doesn’t really bother me - it’s their data, not mine.