New Password Requirements and Password Reset
Moderator: GZDoom Developers
-
- Lead GZDoom+Raze Developer
- Posts: 49184
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
Very true indeed. Also, since "security" has become so important I am constantly having problems signing into my accounts when I am away from home. The services see I am logging in from an unknown location and then try to contact me via means I cannot access because they ALSO want a 2FA which I cannot access because... So I'm stuck with this insanity that virtually forces me to carry around a smartphone all the time which I don't want to do because I consider smartphones the ultimately insecure devices.
Can someone please end this nonsense?
Can someone please end this nonsense?
-
- Posts: 1060
- Joined: Sun Feb 25, 2018 2:30 am
- Location: UK
Re: New Password Requirements and Password Reset
All I can say to this is WTF.
20 characters is mental; I use various character names from obscure sci-fi novels I have written in the past and none reach 20 characters. How the heck is anyone meant to remember a phrase that long?!?
I work for the government and only need to use 12 characters including a number and symbol. Password managers are nonsense, I don't wish to use random noise. All this means is that I have to save my password under the notes on my bookmark for the site. -_-'
20 characters is mental; I use various character names from obscure sci-fi novels I have written in the past and none reach 20 characters. How the heck is anyone meant to remember a phrase that long?!?
I work for the government and only need to use 12 characters including a number and symbol. Password managers are nonsense, I don't wish to use random noise. All this means is that I have to save my password under the notes on my bookmark for the site. -_-'
-
- Posts: 982
- Joined: Wed Mar 06, 2013 5:31 am
Re: New Password Requirements and Password Reset
I would've preferred to opt out. If I want my password to be weak, let me.
-
- Posts: 2954
- Joined: Thu Jul 17, 2003 12:07 am
- Graphics Processor: ATI/AMD with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
I would avoid online password managers. People looking to get a bunch of passwords to crack will target them as they have many users, so just getting that one database will get passwords for many people and many sites. In fact, there's another site that had a recent deluge of spammers on compromised accounts, where it seems those accounts were using LastPass to store their passwords. That got hacked back in December, so it's open season on all those passwords and accounts. Doesn't matter how secure the password itself may be if it's stored somewhere that is a prime target for hackers.
Having a local password manager would be safer, since it then depends on your machine specifically being compromised (definitely not impossible, but online password managers will be juicier targets than some random person).
-
- Posts: 95
- Joined: Thu Jul 13, 2017 3:04 pm
- Preferred Pronouns: She/Her
- Operating System Version (Optional): Win11, MacOS Ventura
- Graphics Processor: Apple M1
Re: New Password Requirements and Password Reset
As long as the password manager uses a decent encryption algorithm and you use a good master password, it doesn’t really matter if they get hacked. Your master password is required to decrypt the data unless they’re using an algorithm so bad that it’s crackable without the master password, in which case you shouldn’t be using themChris wrote: ↑Wed Jan 18, 2023 1:45 pmI would avoid online password managers. People looking to get a bunch of passwords to crack will target them as they have many users, so just getting that one database will get passwords for many people and many sites. In fact, there's another site that had a recent deluge of spammers on compromised accounts, where it seems those accounts were using LastPass to store their passwords. That got hacked back in December, so it's open season on all those passwords and accounts. Doesn't matter how secure the password itself may be if it's stored somewhere that is a prime target for hackers.
Having a local password manager would be safer, since it then depends on your machine specifically being compromised (definitely not impossible, but online password managers will be juicier targets than some random person).
-
- Posts: 168
- Joined: Mon Jul 12, 2021 1:45 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
THIS.Graf Zahl wrote: ↑Wed Jan 18, 2023 12:49 pmAlso, since "security" has become so important I am constantly having problems signing into my accounts when I am away from home. The services see I am logging in from an unknown location and then try to contact me via means I cannot access because they ALSO want a 2FA which I cannot access because... So I'm stuck with this insanity that virtually forces me to carry around a smartphone all the time which I don't want to do because I consider smartphones the ultimately insecure devices.
The whole 2FA madness is the main reason why I have two smartphones using two different carrier services. It's always good to have a backup, anyway, but due to 2FA, you are completely lost without even if everything works fine otherwise.
-
- Posts: 2954
- Joined: Thu Jul 17, 2003 12:07 am
- Graphics Processor: ATI/AMD with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
I heard you like passwords, so I put passwords in your passwords. Then you use a password to protect your passwords, which itself then needs to be managed like any other password. That just seems to be kicking the can down the road, but worse, since now it's as if you have the same password for everything; once that one master password is hacked, all your other passwords are free for the taking.CandiceJoy wrote: ↑Wed Jan 18, 2023 1:50 pm As long as the password manager uses a decent encryption algorithm and you use a good master password, it doesn’t really matter if they get hacked. Your master password is required to decrypt the data unless they’re using an algorithm so bad that it’s crackable without the master password, in which case you shouldn’t be using them
-
- Posts: 95
- Joined: Thu Jul 13, 2017 3:04 pm
- Preferred Pronouns: She/Her
- Operating System Version (Optional): Win11, MacOS Ventura
- Graphics Processor: Apple M1
Re: New Password Requirements and Password Reset
The master password should be something very secure and something you can remember. Yes, the idea is that it takes the place of all your other passwords, effectively, but it should also be a very secure password. If it’s remotely decent, the only way anyone is getting it is through phishing or if you tell them or something like that.Chris wrote: ↑Wed Jan 18, 2023 1:58 pmI heard you like passwords, so I put passwords in your passwords. Then you use a password to protect your passwords, which itself then needs to be managed like any other password. That just seems to be kicking the can down the road, but worse, since now it's as if you have the same password for everything; once that one master password is hacked, all your other passwords are free for the taking.CandiceJoy wrote: ↑Wed Jan 18, 2023 1:50 pm As long as the password manager uses a decent encryption algorithm and you use a good master password, it doesn’t really matter if they get hacked. Your master password is required to decrypt the data unless they’re using an algorithm so bad that it’s crackable without the master password, in which case you shouldn’t be using them
-
- Lead GZDoom+Raze Developer
- Posts: 49184
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
Ideally for a password storage service it should use different passwords for accessing the account and for encrypting the stored passwords.
But at some point this whole insanity needs to stop - we really need something different to protect our online accounts than short strings of random characters.
Of course, should that ever happen we'd have to entrust even more of our lives to those godforsaken smartphones. Can we please uninvent these things...?
But at some point this whole insanity needs to stop - we really need something different to protect our online accounts than short strings of random characters.
Of course, should that ever happen we'd have to entrust even more of our lives to those godforsaken smartphones. Can we please uninvent these things...?
-
- Admin
- Posts: 6191
- Joined: Thu Feb 26, 2004 3:02 pm
- Preferred Pronouns: He/Him
Re: New Password Requirements and Password Reset
Hardware USB keys are a thing. That's literally the only other possible option I can imagine to replace passwords, besides biometrics.
(I'm sure y'all would love biometrics for logging into random internet sites, right?)
(I'm sure y'all would love biometrics for logging into random internet sites, right?)
-
- Posts: 853
- Joined: Mon May 10, 2021 8:08 pm
- Preferred Pronouns: He/Him
- Operating System Version (Optional): EndeavorOS (basically Arch)
- Graphics Processor: Intel with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
SMS 2FA is the WORST 2FA. Reason? Port out attacks.
Google Authenticator doesn't let you back up your codes. Alternatives exist though.
So 2FA kinda sucks, let alone 3FA.
Just use a passphrase, like "iHaveABrutalDoomAddiction666!" (that isn't a good idea to use since I posted it)
IMO, this insanity needs to calm down.
Google Authenticator doesn't let you back up your codes. Alternatives exist though.
So 2FA kinda sucks, let alone 3FA.
Just use a passphrase, like "iHaveABrutalDoomAddiction666!" (that isn't a good idea to use since I posted it)
IMO, this insanity needs to calm down.
-
- Lead GZDoom+Raze Developer
- Posts: 49184
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: New Password Requirements and Password Reset
I'd opt out of 2FA if I could, but ever more services want to enforce it. So my Google mail account is linked to my Outlook mail account, but I obviously cannot do the reverse so I have to link it to SMS. To add insult to injury, my trusty old smartphone broke down a few weeks ago - and it uses an old large format SIM card which does not fit into modern phones, so I'm shut out of nearly everything because I need 2FA to access stuff but cannot get it changed without authorizing it with the defunct phone. It's a total shitfight.
And I seriously doubt that all this shit is safer than when I had my banking TAN numbers on a sheet of paper. But that one just worked, unlike 'secure' alternatives.
And I seriously doubt that all this shit is safer than when I had my banking TAN numbers on a sheet of paper. But that one just worked, unlike 'secure' alternatives.
-
-
- Posts: 3178
- Joined: Wed Nov 24, 2004 12:59 pm
- Graphics Processor: ATI/AMD with Vulkan/Metal Support
Re: New Password Requirements and Password Reset
It does. They call it "transfer accounts" which gives a QR code you to import onto another device. Although it kind of implies it would with the name, they don't do the silly thing and auto delete the accounts from the source device so it's effectively a backup feature.
-
- Posts: 1337
- Joined: Tue Jul 15, 2003 4:18 pm
Re: New Password Requirements and Password Reset
My browser still tries to auto-fill my original three-character password from 2003... That I think was originally my notgod password, but... Is that bad?
EDIT: Oh God, I'm old.
EDIT: Oh God, I'm old.
-
- Posts: 168
- Joined: Mon Jul 12, 2021 1:45 pm
- Graphics Processor: nVidia with Vulkan support
Re: New Password Requirements and Password Reset
Good to know. Authenticator is my single biggest point of concern when moving to a new phone.Blzut3 wrote: ↑Wed Jan 18, 2023 5:04 pmIt does. They call it "transfer accounts" which gives a QR code you to import onto another device. Although it kind of implies it would with the name, they don't do the silly thing and auto delete the accounts from the source device so it's effectively a backup feature.