17 votes

Passwords

This will probably be controversial, but I disagree with the current password policy. Checking against a list of known broken passwords sounds like a good idea, but that list is only ever going to get bigger. The human factor has to be taken into account. People are going to reuse passwords. So whenever their reused password gets hacked from a less secure site, it's going to add to that list.

Ideally, a password would be unique. Ideally, users should maybe ever use a password manager that generates garbage as a password that no one could hack. An ideal world is different from reality. Specific requirements are going to lead to people needing to write things down. In the past, that was on paper, like Wargames. Now, it's going to lead to people pasting their username and login into text documents for easy reference. That's probably what i'm going to have to do. Was my previous method of reusing passwords safe? No. Will my new method of remembering passwords be safe? Probably not either.

I'm not entirely sure what all the account security is about, either. For my bank, sure, a complex password. I have a lot to lose there. For an account on a glorified message board? There's better ways to establish legitimacy. 4chan, of all places, dealt with this (nod to 2chan), by having users enter a password after their username that got encoded and displayed as part of their username to verify that they were, in fact, the same user.

So the topic for discussion would be, what's the endgame here? Where is the line drawn between usability and security? I may well be on the wrong side of this, but I think it's worth discussing.

Edit: I think there may be some good reasons, evidenced in this reply. I think it was a good discussion none the less, since it wasn't obvious to me and perhaps not to other people.

Edit 2: I'm going to hop off, but I think there's been some good discussion about the matter. As I said in the original post "I may well be on the wrong side of this". I may well be, but I hope I have addressed people well in the comments. Some of my comments may be "worst case" or "devil's advocate" though. I understand the reason for security, as evidenced above, but i'm unsure about the means.

78 comments

  1. [19]
    Deimos (edited ) Link
    I worked at reddit for years and personally dealt with the effects of thousands upon thousands of accounts being compromised and used to spam, vote-cheat, etc. It was almost always because people...

    I worked at reddit for years and personally dealt with the effects of thousands upon thousands of accounts being compromised and used to spam, vote-cheat, etc. It was almost always because people use bad passwords and re-use their bad passwords. I had to repeatedly spend days or weeks dealing with the fallout from that, helping people recover access to their accounts, and so on. I'd really like to avoid needing to repeat that here.

    You're right that the value of an individual account is low, but people don't compromise one account and stop. Allowing weak/re-used passwords enables large-scale compromises ("credential-stuffing attacks"), and that's the real issue.

    The current method of blocking all known-breached passwords is widely recommended, including by NIST:

    When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

    • Passwords obtained from previous breach corpuses.
    • Dictionary words.
    • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
    • Context-specific words, such as the name of the service, the username, and derivatives thereof.

    If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.

    Generate a random password for every site. Store it in a password manager, text file, or just write it down on a piece of paper. Yes, it's less convenient than using the same password everywhere. That's exactly the point.

    47 votes
    1. AlphaOC (edited ) Link Parent
      Thanks. I wont disagree with you for providing first hand information. The current system is inconvenient, but since you provided legitimate, first hand information, i'm willing to accept that...

      Thanks. I wont disagree with you for providing first hand information. The current system is inconvenient, but since you provided legitimate, first hand information, i'm willing to accept that there is a reason for it. It might be worth explaining to new users the reason why things are the way they are in a bit more verbose way than is done on the new user registration pages.

      Saw your post (edited 47 seconds ago)

      I didn't notice anything different, but nice to know you care? <3

      Edit 2: still not sure what you changed, because it all looks the same to me but: 7 hours, 15 minutes ago
      (edited 18 minutes ago)

      It's nice to see site admins that are on top of stuff? That said, might I suggest some sort of wiki bit? Like, when a post gets edited, let us read the changes. Some are obviously benign (spelling) but some will be changing the dialogue.

      5 votes
    2. [10]
      meghan Link Parent
      While I don't disagree, my main beef on why I haven't personally signed up for a password manager is because its not a practical solution. It only works on your browser, and browsers in general...

      While I don't disagree, my main beef on why I haven't personally signed up for a password manager is because its not a practical solution. It only works on your browser, and browsers in general for that matter. There are a lot of places where the flow just doesn't work.

      2 votes
      1. [3]
        Deimos Link Parent
        That depends entirely on which password manager you use. There are many options that work outside a browser.

        That depends entirely on which password manager you use. There are many options that work outside a browser.

        14 votes
      2. acdw Link Parent
        As @esrever says below, KeepassXC works for me on my phone, laptop (all browsers) and at work thru using KeePass Portable. I'll see if I can write up my method today and post it here.

        As @esrever says below, KeepassXC works for me on my phone, laptop (all browsers) and at work thru using KeePass Portable. I'll see if I can write up my method today and post it here.

        5 votes
      3. tindall Link Parent
        I use pass, the Unix password manager, on every computer I own and my phone with Password Store from F-Droid.

        It only works on your browser, and browsers in general for that matter.

        I use pass, the Unix password manager, on every computer I own and my phone with Password Store from F-Droid.

        4 votes
      4. cfabbro Link Parent
        I don't quite understand what you mean by that. Most password managers allow copy/pasting passwords from the password vault so you can use them outside the browser (e.g. to login to external...

        a password manager is because its not a practical solution. It only works on your browser, and browsers in general for that matter. There are a lot of places where the flow just doesn't work.

        I don't quite understand what you mean by that. Most password managers allow copy/pasting passwords from the password vault so you can use them outside the browser (e.g. to login to external applications), and also have associated phone apps which allow the same. So how much more practical can you get?

        2 votes
      5. tomf Link Parent
        Check out https://bitwarden.com -- its got good support for Win/MacOS/*Nix along with CLI, mobile, and browser. I've used all major password managers for extended periods of time, and, for me,...

        Check out https://bitwarden.com -- its got good support for Win/MacOS/*Nix along with CLI, mobile, and browser. I've used all major password managers for extended periods of time, and, for me, Bitwarden has been the most headache-free experience.

        It just works.

        2 votes
      6. masochist Link Parent
        There are many options that sync across all of your devices, too. I really like Apple's keychain because it works not only in browsers but in any app on the iOS that is written to support password...

        There are many options that sync across all of your devices, too. I really like Apple's keychain because it works not only in browsers but in any app on the iOS that is written to support password managers (which isn't hard). Really, there is seriously no reason not to use a password manager. It is exactly like vaccination. You are only hurting yourself and everyone else by not using one.

        1 vote
      7. gyrozeppeli Link Parent
        Well, that's not really quite accurate. Others have noted KeepassXC, while I have used masterpasswordapp for years now, which has no plugins. On a laptop I use their js website or the ios app on...

        Well, that's not really quite accurate. Others have noted KeepassXC, while I have used masterpasswordapp for years now, which has no plugins. On a laptop I use their js website or the ios app on mobile.

        1 vote
    3. [6]
      tak Link Parent
      This explanation needs to be front and center, not buried in the comments. Basically it's worth rewording this restriction to explicitly say that some passwords are blacklisted due to an elevated...

      This explanation needs to be front and center, not buried in the comments.

      Basically it's worth rewording this restriction to explicitly say that some passwords are blacklisted due to an elevated risk of account compromise and associated admin overhead. Without getting into why they are blacklisted. That is, that's the blacklist exists to help the forum operators.

      Because the way it reads now is that this is done for the users, which comes across as gratuitous. I've used pass1234 for all forum accounts since the BBS times, because I really don't care about any of them in the beginning and treat them all as throw-aways. If some forum proves to be nice, only then I would go and change the password to something unique.

      So when told that here I need to select something unique from the get-go for my own sake, it just doesn't read right. Nope, I really don't need that. But if you ask nicely and explain that it's for forum's sake, then it makes sense and it's not a big deal.

      1 vote
      1. [3]
        masochist Link Parent
        The behavior you've described is grossly irresponsible and selfish. Password security is exactly like vaccinations: when we all practice good password security, we all benefit. The moment someone...

        The behavior you've described is grossly irresponsible and selfish. Password security is exactly like vaccinations: when we all practice good password security, we all benefit. The moment someone decides they don't want to vaccinate their kids be a responsible netizen with a secure password, their account gets compromised. Just because you can't think of a reason to value your account it doesn't mean no one else can. It doesn't mean there's no attack surface exposed by a compromised account. Maybe someone can use the information visible in your account, amalgamated with information in other accounts, to gain even greater access to the site.

        Furthermore, do you really not value the privacy of your accounts at all? I can understand having the position that you don't trust your accounts to be secure, at all, ever, but arguably that's not how things should be. We should be able to trust that our accounts have some degree of privacy and security.

        9 votes
        1. [2]
          tak Link Parent
          Bah, get off your high horse. There's a bunch of forums that have nonsense restrictions in place and force creating an account for no other reason but to collect email addresses and grow their...

          Bah, get off your high horse.

          There's a bunch of forums that have nonsense restrictions in place and force creating an account for no other reason but to collect email addresses and grow their "registered user base". So, yeah, you can bet your passive-aggressive antivax jab that the only thing they will see from me will be an @grr.la email and password for the password.

          1 vote
          1. cfabbro (edited ) Link Parent
            It's not an anti-vax "jab"... it's an entirely appropriate comparison in this case! Password security is very similar to herd immunity and people with poor passwords are very much like the...

            It's not an anti-vax "jab"... it's an entirely appropriate comparison in this case! Password security is very similar to herd immunity and people with poor passwords are very much like the unvaccinated, in that when their accounts (immune system) get compromised it affects everyone else in that community negatively, even those with good passwords (vaccinations). Not only because compromised accounts tend to be used for nefarious purposes like spamming, astroturfing, vote manipulation and shilling, which increases the overall noise and decreases quality on the site, but also because combating that abuse and helping users recover their compromised accounts takes away developers from actually, y'know, developing the site... see Deimos' reply at the very top of this topic.

            You're basically arguing that forcing you to have a good password is inconvenient, and that's true... but IMO you're failing to see the bigger picture on why that's not a valid enough reason to allow bad passwords to be used. Just because you don't care if your account gets stolen, doesn't mean nobody else does or is unaffected by it when it happens.

            8 votes
      2. [2]
        Deimos Link Parent
        It's for everyone's good. In my experience, people love to say things like, "lol it's just a forum account who cares?", but then down the line they get locked out of their account and you get a...

        It's for everyone's good. In my experience, people love to say things like, "lol it's just a forum account who cares?", but then down the line they get locked out of their account and you get a bunch of frantic messages that look something like:

        oh my god I really need my account back and I know it had a fake email address on it but I know what the fake address is so can I please just tell you that and you use that as proof because I've had that account for 5 years and its the same name that I use everywhere and it's really important because I don't remember what all my subscriptions are and I had a bunch of posts bookmarked and some important messages with people whose names I can't remember and I had a reputation on the trading forum and I don't want to start over because that took years and I can definitely prove its my account please just look at my ip address or I posted a picture of my dog one time and I can take another photo of the same dog so that you know its my account and please I just really need it back

        This thread has a few hundred examples.

        4 votes
        1. tak Link Parent
          That was not the point. What I was saying that framing it as being good for the users comes across as patronizing. You are likely to get less flak and friction if the message was saying it's...

          It's for everyone's good.

          That was not the point. What I was saying that framing it as being good for the users comes across as patronizing. You are likely to get less flak and friction if the message was saying it's required for the forum's good first and foremost... in which case, for example, this whole thread would've not existed to begin with :)

          1 vote
    4. nic Link Parent
      I'm always impressed with how elegant your site is.

      I'm always impressed with how elegant your site is.

      1 vote
  2. [3]
    deing Link
    I'd argue keeping a text file on your computer (hostile access to which would imply a breach of your computer, and therefore anything else, anyway) is incredibly more safe than using a password...

    I'd argue keeping a text file on your computer (hostile access to which would imply a breach of your computer, and therefore anything else, anyway) is incredibly more safe than using a password known to be broken.

    18 votes
    1. masochist Link Parent
      It is. If someone compromises your computer, they can do things like install a keylogger which can then sniff the password to unlock your password manager. This is why you keep your computer up to...

      It is. If someone compromises your computer, they can do things like install a keylogger which can then sniff the password to unlock your password manager. This is why you keep your computer up to date on security patches, especially if it's running Windows.

      5 votes
    2. AlphaOC Link Parent
      You may be right about that. As I said at the end, I think it's a point to debate. I'm not sure what the goal of the people who run the site is regarding security.

      You may be right about that. As I said at the end, I think it's a point to debate. I'm not sure what the goal of the people who run the site is regarding security.

      1 vote
  3. [13]
    Bauke Link
    If you use new, unique (somewhat complex) passwords for everything and have a password manager or even just a document written down (either digital or analog) then yeah you don't necessarily...

    If you use new, unique (somewhat complex) passwords for everything and have a password manager or even just a document written down (either digital or analog) then yeah you don't necessarily benefit from it.

    The thing is, most people use one password everywhere and integrating HaveIBeenPwned's utilities and informing those people that their password may have been compromised could be a wake up call and alert them that they're at risk. In that case, if a glorified messaging board tells them "this password is a bad password" is a good thing. Even Firefox is gonna start doing this.

    11 votes
    1. [12]
      AlphaOC Link Parent
      I don't disagree with what you're saying, but requiring new (possibly unique) passwords may open people up to other security threats. Just asking people if they want to use a password that is...

      I don't disagree with what you're saying, but requiring new (possibly unique) passwords may open people up to other security threats. Just asking people if they want to use a password that is known to be vulnerable is one thing. Requiring people to use a different password is another. I'm probably going to have to write the password for this down, because all my others are on the list. That list is going to expand. I can't remember all the passwords. There are external solutions, like password managers, but that isn't a solution for the average user.

      There's the ideal, "IT" solution, and the one that includes the human factor. I'm not sure the solution we have is the one that deals with that.

      3 votes
      1. [7]
        Bauke Link Parent
        I'm not sure what other security threats it would open you up to. Maybe elaborate on that? And that doesn't sound like a Tildes problem, but a human problem. If more websites start requiring you...

        I'm not sure what other security threats it would open you up to. Maybe elaborate on that?

        And that doesn't sound like a Tildes problem, but a human problem. If more websites start requiring you to use unique passwords with a mechanism like Tildes and Firefox Monitor, more people will start to become aware to the simplicity and usability that is password managers. More people using password managers -> more unique and better passwords that will be made.

        You can see this same trend happened when websites started requiring X amount of characters, and eventually lower and upper case letters... Then numbers, then symbols, etc. I believe password managers are the solution by straight up removing the human element of passwords, but until then, people need to know and adjust to the fact that some passwords are just plain bad, and sometimes people just need to be forced to use a different one.

        9 votes
        1. [6]
          AlphaOC Link Parent
          In theory people would use password managers, but we shouldn't be talking about security. We should be talking about humans. The users are humans. We may want them to be perfect users but we both...

          In theory people would use password managers, but we shouldn't be talking about security. We should be talking about humans. The users are humans. We may want them to be perfect users but we both know that they are not. We may want to turn them into perfect users and shit on them when they're not. Hopefully, we both know that regardless of how much we do that, we can't fix human nature. Users aren't going to do all the things we want them to and we should plan accordingly.

          That's not to say I disagree with what you think people should and perhaps rightly do. It's just that I don't think that's how actually people will act.

          1 vote
          1. [4]
            Bauke Link Parent
            I'm not expecting everyone to be perfect, as indicated in what I said: Right now is the time where more and more people are starting to become aware of password managers existing, and convincing...

            I'm not expecting everyone to be perfect, as indicated in what I said:

            I believe password managers are the solution by straight up removing the human element of passwords, but until then, people need to know and adjust ...

            Right now is the time where more and more people are starting to become aware of password managers existing, and convincing their social groups to switch because it's more secure, takes only 1 password to remember and depending on which one you pick, works everywhere people expect. It's the same as setting up an alarm system for your house, you do it once and then learn to maintain it.

            And the biggest problem in security will almost always be the human element. So when you're talking about security, you're invariably talking about humans.

            3 votes
            1. [3]
              AlphaOC Link Parent
              Fair, I might not have read your comment as thoroughly as I should have. I think it's obvious people should use password managers more, but unless people are forced they wont. I'll admit, I don't....

              Fair, I might not have read your comment as thoroughly as I should have. I think it's obvious people should use password managers more, but unless people are forced they wont. I'll admit, I don't. I'm lazy. Depression may be a part of that, but i'm not saying that for sympathy, just an answer to why many people who are aware of the problem may not fix it.

              Writing down passwords isn't the worst solution, but it's still not a great one and it's the one the site is forcing us into. I'm not sure there's a better solution, which is the uncertainty written into my original post. The post, at least, has generated some good, civil discussion about the matter.

              2 votes
              1. [2]
                Bauke Link Parent
                There's always reasons not to do something, not to unexcuse any, but people won't change unless they are required to. And using a breached passwords database is a provable-in-layman's-terms and...

                There's always reasons not to do something, not to unexcuse any, but people won't change unless they are required to. And using a breached passwords database is a provable-in-layman's-terms and easily programmable way to do just that.

                But fair enough, I'll leave it for what it is. :) It has been a good topic.

                3 votes
          2. zaarn Link Parent
            You can always write down the passwords in a booklet or notepad. For most people, keeping this notepad at home will be equivalent security to a password manager and you can likely convince them...

            You can always write down the passwords in a booklet or notepad. For most people, keeping this notepad at home will be equivalent security to a password manager and you can likely convince them more easily to do this.

            1 vote
      2. [3]
        Whom (edited ) Link Parent
        I'm not sure how needing a new password when your old one is already compromised is an "IT" solution, functionally it's the same...you remember your password through memory, writing it down, or...

        I'm not sure how needing a new password when your old one is already compromised is an "IT" solution, functionally it's the same...you remember your password through memory, writing it down, or using a password manager, just like you would no matter what. Hell this is light, given how many workplaces and universities require users to change their password regularly even if there's nothing wrong with it and it holds worthless information! This is about as low a cost on usability as I can imagine, compared to forced password rotations and forced 2fa. From an outside, not security-focused or IT perspective, trying to do this is as invalid as setting your password as "1".

        You mention having to write it down as if that's a less secure outcome, which I don't really understand. Most people should probably be doing that anyway. And they certainly can figure that out...my grandparents can do it, and I think that's a good test.

        8 votes
        1. [2]
          AlphaOC Link Parent
          Follow it to its logical conclusion. How many sites does a user view? How many unique passwords? A password manager might mitigate that, but how many users would actually go that route? How many...

          Follow it to its logical conclusion. How many sites does a user view? How many unique passwords? A password manager might mitigate that, but how many users would actually go that route? How many post-it notes do I need to paste to my computer to remember all the unique passwords I should have?

          You may see it as just "the cost of doing business" but that may not be the way the average user sees it. It's "what is" vs "what should be".

          1. Whom (edited ) Link Parent
            I wasn't suggesting anything about unique passwords. That's something you probably should do, but requiring users to use passwords that haven't already been compromised is completely separate from...

            I wasn't suggesting anything about unique passwords. That's something you probably should do, but requiring users to use passwords that haven't already been compromised is completely separate from requiring them to have unique passwords on every site.

            You're arguing that users should be able to make accounts that might as well already be stolen because you don't want to be forced to make a new password. Doesn't that seem a little silly?

            4 votes
      3. gyrozeppeli Link Parent
        If you only ask politely ask/suggest to people, it will get ignored 95% of the time. People need to stop being lazy with their passwords.

        If you only ask politely ask/suggest to people, it will get ignored 95% of the time. People need to stop being lazy with their passwords.

        2 votes
  4. [3]
    cadadr Link
    Meta, but personally I'd fancy a more descriptive title for this one. "Passwords" is way too broad.

    Meta, but personally I'd fancy a more descriptive title for this one. "Passwords" is way too broad.

    10 votes
    1. [2]
      AlphaOC Link Parent
      A matter of perspective. I was only invited a few days ago, had an issue and then made a post. Other members have laid out their own opinion along these lines. My opinion, the site is new enough...

      A matter of perspective. I was only invited a few days ago, had an issue and then made a post. Other members have laid out their own opinion along these lines.

      My opinion, the site is new enough that the title should be self descriptive. What else would I be talking about but this site? Later on, I would agree with you, because that would no longer be the case. Context is king.

      1 vote
      1. Wes Link Parent
        Titles are often read on the frontpage, without the context of the group. I agree with @cadar that it could have been more clear.

        Titles are often read on the frontpage, without the context of the group. I agree with @cadar that it could have been more clear.

  5. [32]
    teaearlgraycold Link
    Why not use a password manager? They're built into your browser (at least on Firefox and Chrome).

    Why not use a password manager? They're built into your browser (at least on Firefox and Chrome).

    5 votes
    1. [8]
      masochist Link Parent
      This is the correct answer. A password manager that's synced in the cloud (one that's NOT LastPass, considering how often they get compromised...) provides all the best practices security folks...

      This is the correct answer. A password manager that's synced in the cloud (one that's NOT LastPass, considering how often they get compromised...) provides all the best practices security folks like me keep telling people about with almost none of the inconvenience.

      3 votes
      1. [5]
        Comment deleted by author
        Link Parent
        1. [2]
          Bauke Link Parent
          No, not necessarily. Some password managers probably do do that, but those aren't ones you should use. To put it simply: you save a domain, username and password, and then the browser extension...

          No, not necessarily. Some password managers probably do do that, but those aren't ones you should use. To put it simply: you save a domain, username and password, and then the browser extension (or other implementation) will just look at your current domain and any you have saved and then offer it to you. This all happens locally.

          Password managers like Bitwarden store it entirely encrypted.

          Your sensitive information is encrypted locally on your personal device before ever being sent to our cloud servers.

          3 votes
          1. [2]
            Comment deleted by author
            Link Parent
            1. esrever Link Parent
              It's done client side. The database stored on an external server can't reveal information about what it contains without decrypting it first, which is done with your master password on your...

              It's done client side. The database stored on an external server can't reveal information about what it contains without decrypting it first, which is done with your master password on your PC/phone/etc.

              2 votes
        2. esrever Link Parent
          You store an encrypted database, locally and optionally through online storage. You can even use a self-hosted solution. The decryption is done client-side and uses browser integration,...

          You store an encrypted database, locally and optionally through online storage. You can even use a self-hosted solution. The decryption is done client-side and uses browser integration, integration with other software by way of a plugin, or provides a list that you manually retrieve the password from to copy+paste. You aren't telling anyone what sites you visit from an encrypted database.

          3 votes
        3. masochist Link Parent
          No. No. Not at all. This is so very much the wrong way to implement a password manager. If the hosting provider for your keychain knows what's in your keychain, they're doing it wrong. They should...

          No. No. Not at all. This is so very much the wrong way to implement a password manager. If the hosting provider for your keychain knows what's in your keychain, they're doing it wrong. They should have no idea what is in your data, only that you're storing your data with them. If anyone can decrypt any of your encrypted data but you, it. is. not. secure.

          2 votes
      2. [3]
        Micycle_the_Bichael Link Parent
        Do you have any suggestions for password managers? I've been using lastpass and just found out thanks to your comment about the hack. I've been feeling slightly negative about them for a bit now...

        Do you have any suggestions for password managers? I've been using lastpass and just found out thanks to your comment about the hack. I've been feeling slightly negative about them for a bit now (a decent number of reported bugs that aren't getting resolved) but this is the kick in the pants I needed to jump ship. My girlfriend works at a pretty security-conscious company and they use 1password. I can't see any instances of them getting compromised but I'm also open to suggestions :)

        1. Bauke Link Parent
          Privacytools.io has some good recommendations: https://www.privacytools.io/#pw Bitwarden especially because you can self-host or they can host for you and it's fully encrypted.

          Privacytools.io has some good recommendations: https://www.privacytools.io/#pw

          Bitwarden especially because you can self-host or they can host for you and it's fully encrypted.

          3 votes
        2. masochist Link Parent
          I stick with the Apple keychain because of my use cases. I don't like the 1password pricing model, but if I was going to recommend something that you want to sync to all of your devices and the...

          I stick with the Apple keychain because of my use cases. I don't like the 1password pricing model, but if I was going to recommend something that you want to sync to all of your devices and the Apple keychain isn't an option, 1password is absolutely my recommendation. They've got some cool integrations with things like Have I Been Pwned which, as a very security-conscious person with sysadmin leanings, I really appreciate.

          2 votes
    2. [8]
      ThatFanficGuy Link Parent
      One shouldn't rely on external software in order to simply access a forum account.

      One shouldn't rely on external software in order to simply access a forum account.

      1 vote
      1. [7]
        teaearlgraycold Link Parent
        This isn't a matter of accessing just one forum. A password manager is meant to solve the problem of managing a hundred passwords to a hundred sites. Tildes is just one of those sites. Of course...

        This isn't a matter of accessing just one forum. A password manager is meant to solve the problem of managing a hundred passwords to a hundred sites. Tildes is just one of those sites.

        Of course if Tildes is very important to you you can remember your password just to this site.

        7 votes
        1. [3]
          AlphaOC Link Parent
          Password managers are above the likes of the average user. At best they allow the browser to save their password. Then what? As I said, usability vs security. What do we gain vs what we lose?

          Password managers are above the likes of the average user. At best they allow the browser to save their password. Then what? As I said, usability vs security. What do we gain vs what we lose?

          1. [2]
            anowlcalledjosh Link Parent
            A random password saved in your browser and synced to Google/Mozilla's cloud is orders of magnitude more secure than a single easily-remembered (⇔ easily-guessed) password you use everywhere. By...

            A random password saved in your browser and synced to Google/Mozilla's cloud is orders of magnitude more secure than a single easily-remembered (⇔ easily-guessed) password you use everywhere. By saving your passwords in your browser, you stop some random script kiddie being able to hack your accounts, at the (tiny, tiny) cost of needing to sign in to your browser to get at your passwords.

            What do you lose by doing this?

            4 votes
            1. AlphaOC Link Parent
              I'm not arguing that there are more convenient ways of managing this nonsense, but those ways may not be apparent to the average user. I made up a password and I honestly mostly forgot it after...

              I'm not arguing that there are more convenient ways of managing this nonsense, but those ways may not be apparent to the average user. I made up a password and I honestly mostly forgot it after having registered it. It's still something I remembered, but I didn't write it down. Firefox normally saves this nonsense for me, but in this case it didn't. I was able to run through all the iterations I thought it could be, and finally found it out.

              Maybe the average user would write it down, but what for anyone else? I'm not trying to be obtuse. I didn't write it down because I thought i'd remember it, and then woops. My grace is that I was able to work it out and if I hadn't, I had at least entered my email before the last time I signed out so I could recover it. I may be dumb, but can you deny that about the average computer user? When designing a system, you need to consider the least intelligent people who will be using it.

              1 vote
        2. [3]
          ThatFanficGuy Link Parent
          It sounded to me that this is the opposite of what you were saying. It sounded like you replied to "Why should I make a strong password?" with "Why not use a password manager?", as if providing a...

          This isn't a matter of accessing just one forum.

          It sounded to me that this is the opposite of what you were saying. It sounded like you replied to "Why should I make a strong password?" with "Why not use a password manager?", as if providing a solution to this particular problem.

          I hope you see how, without elaboration, it might be confusing. Now that you've written out your reasons, it's become clear what point you were making.

          1. teaearlgraycold Link Parent
            Sorry - to make it clear, I thought the dialog was more like "How can I remember all these passwords?" -> "Use a password manager."

            Sorry - to make it clear, I thought the dialog was more like "How can I remember all these passwords?" -> "Use a password manager."

            2 votes
          2. AlphaOC Link Parent
            Sorry, i'm not a trained in debate or philosophy. I try to formulate the most rational arguments I can and try to leave little to no interpretation otherwise. But, obviously, i'm not there yet....

            Sorry, i'm not a trained in debate or philosophy. I try to formulate the most rational arguments I can and try to leave little to no interpretation otherwise. But, obviously, i'm not there yet. This is not a condescending point. Arguing on the internet for years, I try to make myself as clear as I can. That said, it's difficult. Thanks for your understanding.

    3. [15]
      AlphaOC Link Parent
      Honest answer, I use that extensively. However, the password I signed up with wasn't saved automatically and I basically had to burn through a lot of iterations until I arrived at the correct one...

      Honest answer, I use that extensively. However, the password I signed up with wasn't saved automatically and I basically had to burn through a lot of iterations until I arrived at the correct one in order to log in and make this post. I was pretty close to having to use the password retrieval system because I had to use a password I almost never use.

      Again, usability vs security.

      1. [7]
        masochist Link Parent
        This sounds like a bug in your password manager more than anything else.

        the password I signed up with wasn't saved automatically

        This sounds like a bug in your password manager more than anything else.

        3 votes
        1. [6]
          AlphaOC Link Parent
          Yeah, but then what? Is every user expected to use a password manager? What are your expectations of the average user? For me, I look at the lowest common denominator. I would like to envision...

          Yeah, but then what? Is every user expected to use a password manager? What are your expectations of the average user? For me, I look at the lowest common denominator. I would like to envision myself as more than that. That would mean that there are a lot of people who use the system that would have problems at least as much as I have.

          1 vote
          1. [5]
            masochist Link Parent
            Yes. Higher than they should be, I'll be honest.

            Is every user expected to use a password manager?

            Yes.

            What are your expectations of the average user?

            Higher than they should be, I'll be honest.

            2 votes
            1. [4]
              AlphaOC Link Parent
              Well unfortunately, we live in the Eternal September. We have to deal with everyone, not just the people we want to deal with.

              Well unfortunately, we live in the Eternal September. We have to deal with everyone, not just the people we want to deal with.

              2 votes
              1. [3]
                masochist Link Parent
                I'm quite familiar with the Eternal September. That's the name of the Usenet server I use. :) The perspective I take is that education will help as many as we're able to help, and the rest, well,...

                I'm quite familiar with the Eternal September. That's the name of the Usenet server I use. :) The perspective I take is that education will help as many as we're able to help, and the rest, well, it's a bit like vaccination, isn't it?

                1. [2]
                  AlphaOC Link Parent
                  Anyone who recognizes that reference is cool. That said, You may "get" it but i'm not sure you "grok" it. Look at your own comment from the lense a "September" user. You didn't know that I was in...

                  Anyone who recognizes that reference is cool. That said, You may "get" it but i'm not sure you "grok" it. Look at your own comment from the lense a "September" user. You didn't know that I was in the know when you made your comment, you assumed. I understand you, but will other, less 'in the know' users be able to?

                  1 vote
                  1. masochist Link Parent
                    I will absolutely admit to assuming people know the things that I know. That's long been something of a flaw of mine; thank you for pointing it out. I'm not sure if you're referring to the term...

                    I will absolutely admit to assuming people know the things that I know. That's long been something of a flaw of mine; thank you for pointing it out. I'm not sure if you're referring to the term Eternal September, here, or something else, though. Can you clarify? Trying to reduce my assumptions.

                    1 vote
      2. [7]
        teaearlgraycold Link Parent
        Log out and back in and the browser should prompt you to save the password.

        Log out and back in and the browser should prompt you to save the password.

        1. [6]
          AlphaOC Link Parent
          Yes, that's a solution, but a solution I had to look for. What of all the other users who come after me, who don't know to look for such a solution? Do you want to ask new users to logout and back...

          Yes, that's a solution, but a solution I had to look for. What of all the other users who come after me, who don't know to look for such a solution? Do you want to ask new users to logout and back in as part of the new user registration system?

          1 vote
          1. [5]
            teaearlgraycold Link Parent
            I think that's a good point. As a consequence of entering multiple passwords upon registration people won't end up utilizing their browser's built-in features. Making a fix would actually be a...

            I think that's a good point. As a consequence of entering multiple passwords upon registration people won't end up utilizing their browser's built-in features. Making a fix would actually be a good addition to the Tildes feature requests.

            1 vote
            1. [3]
              Deimos (edited ) Link Parent
              The browser will ask if you want to save the password when you successfully register, not when a registration attempt fails (due to a rejected password or any other reason). You don't have to log...

              The browser will ask if you want to save the password when you successfully register, not when a registration attempt fails (due to a rejected password or any other reason). You don't have to log out and back in. It works as-is, the OP just didn't save theirs for some reason (missed seeing the prompt, perhaps).

              1 vote
              1. AlphaOC Link Parent
                I'm using firefox. I thought it would just grab my password and whatnot, but apparently it didn't. So, failure case #1. Edit Notably, I let firefox grab pretty much all my passwords, safe or not....

                I'm using firefox. I thought it would just grab my password and whatnot, but apparently it didn't. So, failure case #1.

                Edit Notably, I let firefox grab pretty much all my passwords, safe or not. I wont lie, i'm more convenience over security, so when convenience fails, I get a bit puzzled.

  6. [2]
    Sahasrahla Link
    A compromised account can hurt all of us. Reddit is full of spam and manipulator accounts and the most valuable (and hardest to spot) ones are sold/compromised accounts with a long history of...

    For my bank, sure, a complex password. I have a lot to lose there. For an account on a glorified message board?

    A compromised account can hurt all of us. Reddit is full of spam and manipulator accounts and the most valuable (and hardest to spot) ones are sold/compromised accounts with a long history of normal activity.

    5 votes
    1. AlphaOC Link Parent
      Are there not other ways to control that? If an account is suddenly accessed from another IP, could that not trigger a flag? I mean there's issues of course, with vpns and the like, but it's not...

      Are there not other ways to control that? If an account is suddenly accessed from another IP, could that not trigger a flag? I mean there's issues of course, with vpns and the like, but it's not like other solutions don't exist. Google shits on me nearly every time I try to access my mail from somewhere new.

      And i'm not trying to deny the serious problem of spam and manipulator accounts. I bleed with you. I'm just not sure if what we have is best. I said in the original post, I may be wrong, but I am willing to be convinced one way or the other.

  7. [4]
    Amarok (edited ) Link
    I believe it's not just checking for passwords. It's checking for email-password pairs instead. This email, combined with that password. Those passwords wouldn't trigger a warning if they were...

    I believe it's not just checking for passwords. It's checking for email-password pairs instead. This email, combined with that password. Those passwords wouldn't trigger a warning if they were associated with other email addresses.

    Nevermind, it's definitely checking just passwords. I'd say you might have a point there.

    1 vote
    1. [3]
      AlphaOC Link Parent
      To subscribe, I was only asked for a handle, not an email address. I had to enter that later (for password recovery purposes). I probably need to revamp my personal passwords from top to down...

      To subscribe, I was only asked for a handle, not an email address. I had to enter that later (for password recovery purposes). I probably need to revamp my personal passwords from top to down anyway, but if that was true i'd definitely need to do so.

      1. [2]
        Amarok Link Parent
        It's been so long since I signed up I don't remember the process (and it may have changed since). I did hit the trigger, though - from an old last.fm breach. That check's been there since launch.

        It's been so long since I signed up I don't remember the process (and it may have changed since). I did hit the trigger, though - from an old last.fm breach. That check's been there since launch.

        1 vote
        1. AlphaOC Link Parent
          Saw your edit, thanks for your honesty <3

          Saw your edit, thanks for your honesty <3

  8. saiyanprideparade Link
    I would kind of like if the password requirements were loosened a bit so long as you had 2 Factor Authentication enabled.

    I would kind of like if the password requirements were loosened a bit so long as you had 2 Factor Authentication enabled.

    1 vote
  9. Hopesedge Link
    I used to use awful passwords, like just my name twice or other random common things, eventually I got to the point where I figured I'd make a solid password and just remember it, I spent 10...

    I used to use awful passwords, like just my name twice or other random common things, eventually I got to the point where I figured I'd make a solid password and just remember it, I spent 10 seconds making up a random word like 'jaffiniers', then I attach a random number onto it, like 18271, I spent a further 10 minutes repeatedly typing it, and got used to typing it by having my frequently used accounts not automatically log in, and not save the password, so I'd have to manually input it, after a few days it was bound to memory, I still use lots of other passwords, but the less I care about the account they're attached too the simpler they'll be.