New Password Requirements and Password Reset

Graf Zahl
Lead GZDoom+Raze Developer
Posts: 49071
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

Very true indeed. Also, since "security" has become so important I am constantly having problems signing into my accounts when I am away from home. The services see I am logging in from an unknown location and then try to contact me via means I cannot access because they ALSO want a 2FA which I cannot access because... So I'm stuck with this insanity that virtually forces me to carry around a smartphone all the time which I don't want to do because I consider smartphones the ultimately insecure devices.

Can someone please end this nonsense?
eharper256
Posts: 1038
Joined: Sun Feb 25, 2018 2:30 am
Location: UK

Re: New Password Requirements and Password Reset

Post by eharper256 »

All I can say to this is WTF.

20 characters is mental; I use various character names from obscure sci-fi novels I have written in the past and none reach 20 characters. How the heck is anyone meant to remember a phrase that long?!?

I work for the government and only need to use 12 characters including a number and symbol. Password managers are nonsense, I don't wish to use random noise. All this means is that I have to save my password under the notes on my bookmark for the site. -_-'
Rowsol
Posts: 947
Joined: Wed Mar 06, 2013 5:31 am

Re: New Password Requirements and Password Reset

Post by Rowsol »

I would've preferred to opt out. If I want my password to be weak, let me.
Chris
Posts: 2942
Joined: Thu Jul 17, 2003 12:07 am
Graphics Processor: ATI/AMD with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by Chris »

> yum13241 wrote (Wed Jan 18, 2023 8:26 am):
> The most important part of security is availability. If you can't remember the password, it's useless. I recommend BitWarden as a good password manager.

I would avoid online password managers. People looking to get a bunch of passwords to crack will target them as they have many users, so just getting that one database will get passwords for many people and many sites. In fact, there's another site that had a recent deluge of spammers on compromised accounts, where it seems those accounts were using LastPass to store their passwords. That got hacked back in December, so it's open season on all those passwords and accounts. Doesn't matter how secure the password itself may be if it's stored somewhere that is a prime target for hackers.

Having a local password manager would be safer, since it then depends on your machine specifically being compromised (definitely not impossible, but online password managers will be juicier targets than some random person).
CandiceJoy
Posts: 94
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

> Chris wrote (Wed Jan 18, 2023 1:45 pm):
> > yum13241 wrote (Wed Jan 18, 2023 8:26 am):
> > The most important part of security is availability. If you can't remember the password, it's useless. I recommend BitWarden as a good password manager.
>
> I would avoid online password managers. People looking to get a bunch of passwords to crack will target them as they have many users, so just getting that one database will get passwords for many people and many sites. In fact, there's another site that had a recent deluge of spammers on compromised accounts, where it seems those accounts were using LastPass to store their passwords. That got hacked back in December, so it's open season on all those passwords and accounts. Doesn't matter how secure the password itself may be if it's stored somewhere that is a prime target for hackers.
>
> Having a local password manager would be safer, since it then depends on your machine specifically being compromised (definitely not impossible, but online password managers will be juicier targets than some random person).

As long as the password manager uses a decent encryption algorithm and you use a good master password, it doesn’t really matter if they get hacked. Your master password is required to decrypt the data unless they’re using an algorithm so bad that it’s crackable without the master password, in which case you shouldn’t be using them :P
Ihavequestions
Posts: 163
Joined: Mon Jul 12, 2021 1:45 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by Ihavequestions »

> Graf Zahl wrote (Wed Jan 18, 2023 12:49 pm):
> Also, since "security" has become so important I am constantly having problems signing into my accounts when I am away from home. The services see I am logging in from an unknown location and then try to contact me via means I cannot access because they ALSO want a 2FA which I cannot access because... So I'm stuck with this insanity that virtually forces me to carry around a smartphone all the time which I don't want to do because I consider smartphones the ultimately insecure devices.

THIS.

The whole 2FA madness is the main reason why I have two smartphones using two different carrier services. It's always good to have a backup, anyway, but due to 2FA, you are completely lost without even if everything works fine otherwise.
Chris
Posts: 2942
Joined: Thu Jul 17, 2003 12:07 am
Graphics Processor: ATI/AMD with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by Chris »

> CandiceJoy wrote (Wed Jan 18, 2023 1:50 pm):
> As long as the password manager uses a decent encryption algorithm and you use a good master password, it doesn’t really matter if they get hacked. Your master password is required to decrypt the data unless they’re using an algorithm so bad that it’s crackable without the master password, in which case you shouldn’t be using them :P

I heard you like passwords, so I put passwords in your passwords. Then you use a password to protect your passwords, which itself then needs to be managed like any other password. That just seems to be kicking the can down the road, but worse, since now it's as if you have the same password for everything; once that one master password is hacked, all your other passwords are free for the taking.
CandiceJoy
Posts: 94
Joined: Thu Jul 13, 2017 3:04 pm
Preferred Pronouns: She/Her
Operating System Version (Optional): Win11, MacOS Ventura
Graphics Processor: Apple M1

Re: New Password Requirements and Password Reset

Post by CandiceJoy »

> Chris wrote (Wed Jan 18, 2023 1:58 pm):
> > CandiceJoy wrote (Wed Jan 18, 2023 1:50 pm):
> > As long as the password manager uses a decent encryption algorithm and you use a good master password, it doesn’t really matter if they get hacked. Your master password is required to decrypt the data unless they’re using an algorithm so bad that it’s crackable without the master password, in which case you shouldn’t be using them :P
>
> I heard you like passwords, so I put passwords in your passwords. Then you use a password to protect your passwords, which itself then needs to be managed like any other password. That just seems to be kicking the can down the road, but worse, since now it's as if you have the same password for everything; once that one master password is hacked, all your other passwords are free for the taking.

The master password should be something very secure and something you can remember. Yes, the idea is that it takes the place of all your other passwords, effectively, but it should also be a very secure password. If it’s remotely decent, the only way anyone is getting it is through phishing or if you tell them or something like that. :P
Graf Zahl
Lead GZDoom+Raze Developer
Posts: 49071
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

Ideally for a password storage service it should use different passwords for accessing the account and for encrypting the stored passwords.
But at some point this whole insanity needs to stop - we really need something different to protect our online accounts than short strings of random characters.
Of course, should that ever happen we'd have to entrust even more of our lives to those godforsaken smartphones. Can we please uninvent these things...? :?
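
The posts above raise two points: that a stolen vault is useless without the master password, and that the secret used to log in to the storage service should differ from the one that encrypts the stored passwords. The following Python sketch is an added example, not part of any post and not any particular product's scheme; the function names, labels and iteration counts are assumptions. It derives both secrets from a single master password so that the service only ever holds a verifier for the login secret.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000  # assumed work factor for this sketch


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869, SHA-256) for a single block of up to 32 bytes."""
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the master password once, then split it into two unrelated secrets."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    vault_key = hkdf_expand(stretched, b"vault-encryption")  # stays on the client
    login_secret = hkdf_expand(stretched, b"server-login")   # sent to the service
    return vault_key, login_secret


def server_verifier(login_secret: bytes, server_salt: bytes) -> bytes:
    """What the service stores: a salted, stretched hash of the login secret."""
    return hashlib.pbkdf2_hmac("sha256", login_secret, server_salt, 100_000)


def check_login(login_secret: bytes, server_salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a presented login secret with the stored verifier."""
    return hmac.compare_digest(server_verifier(login_secret, server_salt), stored)


def demo() -> dict:
    # Constructed sample values, not real credentials.
    salt, server_salt = os.urandom(16), os.urandom(16)
    vault_key, login_secret = derive_keys("constructed sample passphrase", salt)
    stored = server_verifier(login_secret, server_salt)
    _, wrong_secret = derive_keys("a wrong guess", salt)
    return {
        "server_record_is_not_vault_key": stored != vault_key and login_secret != vault_key,
        "correct_password_logs_in": check_login(login_secret, server_salt, stored),
        "wrong_password_rejected": not check_login(wrong_secret, server_salt, stored),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A copy of the service's database in this design contains the verifier and the encrypted vault, both of which can still be used to test guesses of the master password offline, so the master password's strength and the work factor remain the deciding factors.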
Caligari87
Admin
Posts: 6174
Joined: Thu Feb 26, 2004 3:02 pm
Preferred Pronouns: He/Him

Re: New Password Requirements and Password Reset

Post by Caligari87 »

Hardware USB keys are a thing. That's literally the only other possible option I can imagine to replace passwords, besides biometrics.

(I'm sure y'all would love biometrics for logging into random internet sites, right?)

8-)
yum13241
Posts: 781
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by yum13241 »

SMS 2FA is the WORST 2FA. Reason? Port out attacks.

Google Authenticator doesn't let you back up your codes. Alternatives exist though.

So 2FA kinda sucks, let alone 3FA.

Just use a passphrase, like "iHaveABrutalDoomAddiction666!" (that isn't a good idea to use since I posted it)

IMO, this insanity needs to calm down.
Graf Zahl
Lead GZDoom+Raze Developer
Posts: 49071
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: New Password Requirements and Password Reset

Post by Graf Zahl »

I'd opt out of 2FA if I could, but ever more services want to enforce it. So my Google mail account is linked to my Outlook mail account, but I obviously cannot do the reverse so I have to link it to SMS. To add insult to injury, my trusty old smartphone broke down a few weeks ago - and it uses an old large format SIM card which does not fit into modern phones, so I'm shut out of nearly everything because I need 2FA to access stuff but cannot get it changed without authorizing it with the defunct phone. It's a total shitfight.

And I seriously doubt that all this shit is safer than when I had my banking TAN numbers on a sheet of paper. But that one just worked, unlike 'secure' alternatives.
Blzut3
Posts: 3144
Joined: Wed Nov 24, 2004 12:59 pm
Graphics Processor: ATI/AMD with Vulkan/Metal Support

Re: New Password Requirements and Password Reset

Post by Blzut3 »

> yum13241 wrote (Wed Jan 18, 2023 3:07 pm):
> Google Authenticator doesn't let you back up your codes. Alternatives exist though.

It does. They call it "transfer accounts" which gives you a QR code to import onto another device. Although it kind of implies it would with the name, they don't do the silly thing and auto delete the accounts from the source device so it's effectively a backup feature.
AFADoomer
Posts: 1326
Joined: Tue Jul 15, 2003 4:18 pm

Re: New Password Requirements and Password Reset

Post by AFADoomer »

My browser still tries to auto-fill my original three-character password from 2003... That I think was originally my notgod password, but... Is that bad? :shock: :D

EDIT: Oh God, I'm old.
Ihavequestions
Posts: 163
Joined: Mon Jul 12, 2021 1:45 pm
Graphics Processor: nVidia with Vulkan support

Re: New Password Requirements and Password Reset

Post by Ihavequestions »

> Blzut3 wrote (Wed Jan 18, 2023 5:04 pm):
> > yum13241 wrote (Wed Jan 18, 2023 3:07 pm):
> > Google Authenticator doesn't let you back up your codes. Alternatives exist though.
>
> It does. They call it "transfer accounts" which gives you a QR code to import onto another device. Although it kind of implies it would with the name, they don't do the silly thing and auto delete the accounts from the source device so it's effectively a backup feature.

Good to know. Authenticator is my single biggest point of concern when moving to a new phone.