Largest Study of its Kind Shows Outdated Password Practices are Widespread::undefined

  • lolola@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    97
    ·
    1 year ago

    The article focuses on password requirements that websites implement, not user behaviors. Common bad practices mentioned:

    • Permit very short passwords
    • Do not block common passwords
    • Use outdated requirements like complex characters
    • Kengaro0@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      1
      ·
      1 year ago

      Complex characters are outdated? It also refers to special characters but I guess that’s what I was thinking of. So special characters are in, so what is a complex character then?

      • 9point6@lemmy.world
        link
        fedilink
        English
        arrow-up
        52
        ·
        1 year ago

        Length is the most important thing, everything else is somewhat secondary. We should be shifting thinking of this to passphrases rather than passwords.

        I’m sure most of us have seen the “correct horse battery staple” XKCD, but that’s what people really need to think of as passwords now, not my-favourite-celebrity-but-with-the-“e”-changed-to-“3”-and-an-exclamation-mark-at-the-end.

        • wavebeam@lemmy.world
          link
          fedilink
          English
          arrow-up
          12
          ·
          1 year ago

          Nah fuck that. Sites need to adopt this passkeys instead. It’s an impossible task for people to have unique credentials for every site, even if they are “memorable”. This is a design issue not a personal responsibility one. When designing for large volumes of people, you have to assume that the majority will do something easy and stupid over difficult and smart.

          • GissaMittJobb@lemmy.ml
            link
            fedilink
            English
            arrow-up
            12
            ·
            1 year ago

            Until they do, password managers get you most of the way there, by letting you have a single password on your side, mapping to one password for each login. Bitwarden is great, and free.

          • themoonisacheese@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            9
            ·
            1 year ago

            Sites need to stop needing an account for everything. My haveibeenpwnd is full of sites that I can’t believe had my email in the first place. Obviously I gave it to them but like cmon

        • cheese_greater@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          Thanks for this, I knew the concept but I’ve always had a hard time putting it to words. Yeah, its not like they increase the entropy or anything. Same with diacritics

          Reminds me of when Michael tells Dwight he and Jim make different amounts: its not about higher or lower, its just different

          • Claidheamh@slrpnk.net
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            Either you or I got wooshed, cause I thought that was a maths joke, not actually an answer.

            • cheese_greater@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              If your password is onky made up of numbers and there’s no or a faulty anti-replay feature, you can just keep tryinguntil you iterate to the right password.

              People used to do it with 4 digit PINs

      • r00ty@kbin.life
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        I think enforcing complex characters is outdated. Allowing them is enough, since someone brute forcing still needs to consider them. Of course they could try all lower, then mixed, then including complex characters in that order to catch those that don’t. But still, it’s better to have a password made up of compound words that is longer, than S0meth!ngV3ryC0nvolu73D. Or just pure random (aka password generator)

        My main issue is places that have a maximum password length. This is firstly a limitation on security, but more importantly throws a red flag because of the potential reasons for having a password length limit!

        • 9point6@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          Depends on the limit really, if the limit is 32 characters or something like that, definite red flag.

          If the limit is something like 250 or more characters, I’m more inclined to believe it’s basic protection from all the things that can go wrong when someone repeatedly POSTs whatever the maximum amount of garbage that your server’s request limit allows, at an API that performs cryptographic work.

      • lolola@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I copied the list straight from the article, so excuse the awkward phrasing. But yes, the implication is that you could totally use “password1” on some websites.