Largest Study of its Kind Shows Outdated Password Practices are Widespread::undefined
Largest study ever confirms something everyone has always known
Largest Study of its Kind Shows Outdated Password Practices are Widespread
Submitted 11 months ago by L4s@lemmy.world [bot] to technology@lemmy.world
Comments
gregorum@lemm.ee 11 months ago
ik5pvx@lemmy.world 11 months ago
Except infosec team
austinfloyd@ttrpg.network 11 months ago
It is possible that you have a bad infosec team; however, it is more likely that they need to meet outdated compliance goals (SOC 2 comes to mind here).
Infosec is unfortunately a tricky balancing act of compliance, security, and usability.
anubis119@lemmy.world 11 months ago
Password1! is out. passwordoneexclamationmark is in.
Rai@lemmy.dbzer0.com 11 months ago
PassWordW0Nexlcamationmark%%%
Pro password hours
FlyingSquid@lemmy.world 11 months ago
That’s amazing! That’s the same password I have on my luggage!
lolola@lemmy.blahaj.zone 11 months ago
Now that’s a pee four dollar sign dollar sign omega zero are dee right there
db2@sopuli.xyz 11 months ago
Something something hunter2 ha ha ha it are funy
EmergMemeHologram@startrek.website 11 months ago
Why would you bother making a comment just to not say your password? All I see is stars.
MushuChupacabra@lemmy.world 11 months ago
Something something ******* ha ha ha it are funy
What does this mean?
hushable@lemmy.world 11 months ago
nailbar@sopuli.xyz 11 months ago
That’s a pretty good password. Not *******, but the whole sentence as a whole.
LillyPip@lemmy.ca 11 months ago
So the combination is one, two, three, four, five. That’s the stupidest combination I’ve ever heard in my life! That’s the kinda thing an idiot would have on his luggage.
DemBoSain@midwest.social 11 months ago
I am tired of websites imposing limitations on passwords, but not sharing what those are. I use a password generator, and rarely know if Unicode characters are allowed, if there’s a limit on the number of characters, etc.
I’ve come across websites where dashes “-” are forbidden. My banking website only allows a maximum of 16 characters. Sometimes there’s a note below the password box, sometimes they don’t tell you until your password fails, and sometimes they don’t ever tell you. If I don’t know what the restrictions are, I’ll end up throwing a cheap password at it until I can find out what’s acceptable.
altima_neo@lemmy.zip 11 months ago
Sometimes they change the requirements, so a password that once had symbols no longer works, and you can’t log in anymore.
Nommer@sh.itjust.works 11 months ago
Even better! They’ll sometimes tell you the wrong error message like my bank used to before they redesigned the front end and backend. I couldn’t change my password there for the longest time because it kept telling me my password was not between 5-8 characters long (yes it was). Turns out I couldn’t use a - in my password. I’m glad they finally updated to to a longer password but I still can’t use a - in my password.
GrunerAffe@lemmynsfw.com 11 months ago
Banking having the incredibly low character max is insane. I made a new account recently and I wanted to use the Bitwarden passphrase generation, but even 2 words could make it too long. Plus the push for 2 factor auth with everything including crap like streaming, except they just want to email me after I’ve given my very strong passwords already…
bort@feddit.de 11 months ago
here is a tool, that helps with making secure passwords, that respect all the current and former best practices neal.fun/password-game/
kambusha@feddit.ch 11 months ago
Fun. Couldn’t get past rule 16 (chess).
June@lemm.ee 11 months ago
I moved every piece to every spot they could go and couldn’t get it. Not sure what the right answer was lol.
m3t00@lemmy.world 11 months ago
correct horse battery staple” XKCD, old phones last 4 ‘1234 5678’, transpose down a row or two ‘zxcv-ghjk’ used for years, np use a pw manager now. could tell even 1 pw
Sanctus@lemmy.world 11 months ago
Passkeys and OTPs should be the new standard. Passwords are obsolete and passphrases are too hard for the average cumsoomer.
bitwolf@lemmy.one 11 months ago
Yes. They really need to play hardball like they did with chip and pin credit card input.
(If your data is stolen and the vendor did not support chip and pin they were liable for the damages.)
Mr_Blott@lemmy.world 11 months ago
God yeah I remember the 1990s 😂
Etterra@lemmy.world 11 months ago
Just string a a few random words together, L337 up a few of them, tack on a random number or two, and throw in a punctuation mark somewhere. Then write them down in a little physical notebook.
lolola@lemmy.blahaj.zone 11 months ago
The article focuses on password requirements that websites implement, not user behaviors. Common bad practices mentioned:
Kengaro0@lemmy.world 11 months ago
Complex characters are outdated? It also refers to special characters but I guess that’s what I was thinking of. So special characters are in, so what is a complex character then?
9point6@lemmy.world 11 months ago
Length is the most important thing, everything else is somewhat secondary. We should be shifting thinking of this to passphrases rather than passwords.
I’m sure most of us have seen the “correct horse battery staple” XKCD, but that’s what people really need to think of as passwords now, not my-favourite-celebrity-but-with-the-“e”-changed-to-“3”-and-an-exclamation-mark-at-the-end.
errer@lemmy.world 11 months ago
A character that extends outside the real number line
r00ty@kbin.life 11 months ago
I think enforcing complex characters is outdated. Allowing them is enough, since someone brute forcing still needs to consider them. Of course they could try all lower, then mixed, then including complex characters in that order to catch those that don't. But still, it's better to have a password made up of compound words that is longer, than S0meth!ngV3ryC0nvolu73D. Or just pure random (aka password generator)
My main issue is places that have a maximum password length. This is firstly a limitation on security, but more importantly throws a red flag because of the potential reasons for having a password length limit!
diviledabit@lemmy.world 11 months ago
i
Potatos_are_not_friends@lemmy.world 11 months ago
Do you mean “not blocking common passwords”?
This implies that I can totally use “password1”
lolola@lemmy.blahaj.zone 11 months ago
I copied the list straight from the article, so excuse the awkward phrasing. But yes, the implication is that you could totally use “password1” on some websites.