Maximum-severity Cisco vulnerability allows attackers to change admin passwords
26 votes -
The decline of username and password on the same page
Web devs: what's up with this trend? For enterprise apps, I get it…single sign-on needs to detect what your email domain is to send you to your identity provider. For consumers, I feel like it's gotta be one of these reasons:
- Users don't know about the tab key being able to move to other fields on a page
- Mobile users don't really have a tab key, despite there being "previous/next field" arrows on the stock iOS keyboard since its inception (Android users, help me out please)
- Users tend to hit Enter after typing in their username, leading to a form submission with a blank password
- Security, maybe? In the past I have sent a link and a password in separate emails or separate communication methods entirely. Are you hashing/salting these separately for better MITM mitigation?
Did your UX team make a decision? Are my password managers forever doomed to need a "keyboard combo" value for every entry from now on?
Non-devs: do you prefer one method over the other? If so, why?
Tildes maintainers: selfishly, thanks for keeping these together :)
71 votes -
ChatGPT is leaking passwords from private conversations of its users, Ars reader says
17 votes -
Have I Been Pwned?
38 votes -
Phasing out passwords: Apple to automatically assign each user a Passkey
57 votes -
Security expert defeats Lenovo laptop BIOS password with a screwdriver
13 votes -
Generate a secure password using lyrics from Kenny Loggins. It's funny and useful!
4 votes -
Google's adoption of passkeys (security blog article)
11 votes -
Firefox for families: The TechTalk - Making awkward tech conversations with kids slightly less awkward
5 votes -
Plex breach exposes usernames, emails, and encrypted passwords
12 votes -
I've locked myself out of my digital life
16 votes -
If you could rebuild user authentication on the web from the ground up, what would you do?
lou's post here resonated with me and my attempts to get my family to use better security practices (i.e. 2FA, password managers). They're very difficult to wrap your brain around to the average user, and they have the ability to create catastrophic failstates if used incorrectly. Furthermore, even when they work well, they can still be kind of clunky (different sites use different methods; writing down/printing recovery codes feels like a dated solution alongside other tech-forward things).
Also, outside of this, password requirements are their own bugbear, with nearly every site having different criteria. Even as someone who uses a password generator and manager on the regular, I still have to adjust the password creation criteria to do things like fit character limits or specific requirements (and don't get me started on forced resets!). I totally get why so many people reuse passwords, or have a default one that they sort of modify as needed to fit a given site's needs.
From my (admittedly super limited) perspective of a lay user: usernames, passwords, 2FA and the whole stack seems like something that's suffering under the technical debt of decades' worth of web development and networking. It seems like things have inched forward and many new layers have been added to address emergent problems, but the whole system gives a sort of barely-held-together-by-tape feel.
What if we could use what we know now and redesign things from the ground up? If we could start fresh, today, what might username authentication look like beyond the usual username/password combos that we're so used to?
I'm interested in any ideas -- not necessarily just feasible ones.
Also, despite me being the one prompting this thread, don't feel the need to simplify technical explanations or anything. I'm mostly interested in lurking and seeing what all you very smart techy people have to say about the topic. :)
12 votes -
Analysis of PINs
12 votes -
The Netflix password-sharing crackdown has begun
18 votes -
I'm thinking of getting a password manager. How does it work and any advice on transitioning to one?
The reason why is to make more accounts for reddit, YouTube (one for entertainment and Portuguese content each) news sites where signing up is an alternative to pass a paywall and other sites with comment sections.
Bad euphemism bro. Also some sense of "praxis" in order to gain privacy. Edit: And also getting anxious at the idea of remembering all my passwords, and putting them in a note in my old phone, which I am not bringing into my new phone and want to use this to delete.
According to these two articles, I can save my old passwords I had before and maybe even still make new ones after, and put them in a folder behind one true (master) password, which is the one you will truly care about, and they will be saved in a way in which the managing company won't know your password?
There's also figuring out which provider to use (and probably a similar post for alt-mail providers.) This is overwhelmingly for mobile (Android). No real space constraints for apps, only price, because I'm not working age.
27 votes -
Dutch researcher claims that he accessed US President Donald Trump's Twitter account by guessing password
21 votes -
Gopass - The team password manager
7 votes -
Jam lets you safely share streaming app passwords
9 votes -
Generated passwords, UX and security absolutism
17 votes -
It’s time to plan for a future beyond passwords
11 votes -
1Password has raised $200 million from Accel
16 votes -
What password manager, if any, would you recommend?
After being skeptical of password managers for a long time, I've decided to take the plunge and get one installed. The burden of remembering dozens of passwords is simply getting a bit too much. So, I was wondering if anyone here has any recommendations of password managers? Maybe one you or a trusted friend use? Or maybe you think password managers are rubbish, and want to share your opinion?
Any suggestions are welcome, in the interest of fostering discussion/having the thread be useful to other people too. But in my specific use case, I want to be able to sync between devices. I'd prefer something open source, but it's not a requirement.
25 votes -
Interview with Google's login chief about passwords vs. single sign-on
8 votes -
Samsung spilled SmartThings app source code and secret keys
5 votes -
Facebook stored hundreds of millions of user passwords in plain text for years
27 votes -
What would be a good security setup for me?
So:
- I keep all my passwords in my password manager (Bitwarden)
- All my 2FA codes are generated by AndOTP on my phone.
- My 2FA backup codes are also in Bitwarden, which I think is a bad idea, because that defeats the purpose of 2FA. So where should I put those?
- I have my Bitwarden 2FA backup code in my wallet and in a safe at my house. Is that a good idea for the other backup codes?
- Is there anything I'm forgetting here?
8 votes -
Why 'ji32k7au4a83' is a remarkably common password
57 votes -
Android is helping kill passwords on billions of devices
11 votes -
Is a password manager essential?
I feel like it's impossible to remember passwords that are long, random, and unique for every service. I have too many accounts.
On the other hand, I don't like the idea of giving up control of my passwords to a password manager and using the ones it generates and stores. It feels weird that I wouldn't "know" my passwords.
Is this a hangup I should just get past? What do I do if I need to login somewhere but cannot access my password manager?
30 votes -
Managing my passwords with KeePassXC and friends
13 votes -
What I learned from the hacker who spied on me
7 votes -
Unsecured database of millions of SMS text messages exposed password resets and two-factor codes
19 votes -
"Password killer" solutions aren't widely adopted because of usability reasons - even though they may be technically inferior, everyone understands passwords
21 votes -
Weak default passwords for internet-connected devices banned in California from 2020
19 votes -
Over 1400 Western Australian government officials used 'Password123' as their password
27 votes -
Which password manager do you use and recommend?
I currently use Lastpass, and while I'm overall happy with what I have right now, some issues (like slow Firefox support, Android functionality that only works arbitrarily) make me want to look at other solutions.
I have heard about other popular managers like Keepass and Bitwarden, but haven't made the plunge yet. So I thought I could kickstart a discussion on this topic.
Which password manager do you use or have you used? Why do you recommend it (or not)?
28 votes -
Who will know your passwords after you die?
38 votes