Security "experts" don't want to hear this, but forcing people to log in more often does, in fact, increase the likelihood that:
- Someone will shoulder-surf your password
- People will find shortcuts to make logging in more convenient
- People will choose passwords that are least annoying to them irrespective of how secure they are
- Phishing attacks are more successful
@MichalBryxi oh man yes!
@spinal Now we can wait for the corporate security bingo to chime in
@MichalBryxi the ones forcing you to login so often are the same ones insisting the 8 characters is long enough and that they should be reset every 90 days
@mensrea @MichalBryxi periodic password changes are advised against by NIST.
In case you want something to use to stop people doing that: NIST SP 800-63B, which is the Authentication and Lifecycle Management section of their Digital Identity Guidelines, says in 5.1.1.2
“Verifiers SHALL NOT require users to periodically change memorized secrets”.
@aimaz yup. having this fight with the sage 300 vendor at work via HR but so far it's not sticking. it's a very quick way to make people set very bad passwords @MichalBryxi
@aimaz never mind. just spent some time reading sage documentation, password expiry is a hard requirement of the system. but the good news is, as of last year the UI no longer uppercases passwords before submission @MichalBryxi
@MichalBryxi Yeah, I'm well aware of the dangers but there's no way I'm using some super secure password on a device that makes me type it in once an hour
@tomw @MichalBryxi YES. Also, I use a password manager but still run into places where “you can’t paste a password here because that’s not secure”, so now I’ve got to take that wonderful, long, completely random password and type it in by hand s-l-o-w-l-y. Do they want me to use stupid, memorable passwords for their thing? Because that’s how they get me to use stupid, memorable passwords for their thing.
@castillar I recall filing a bug report with a certain large bank when they did this to their app. They released a new version a few days later with a note in the release notes about the password field paste option being re-enabled
@mikey Nice! Awesome to see at least some companies listening to common sense. :)
@castillar @tomw @MichalBryxi At least on PC keepass (and its variants like keepassxc) explicitly support typing it in for you to bypass that nonsense.
@MichalBryxi@veganism.social I love to put in short simple passwords that I can type in easily with mobile phones for that.
Meaning mostly alphanumeric (and spaces, but PayPal for example disallows spaces in their passwords?)
Services that start requiring special characters are such a nuisance that I avoid them if possible.
Personally I have a rather long alphanumeric password with spaces. Easy to type and remember. But there are so many weird requirements for some passwords...
@kura @MichalBryxi just FYI the reason some websites don't allow spaces is because a password that is a series of dictionary words separated by spaces is easier for hackers to brute force. "my password" is easier for hackers than "mypassword". Just FYI
@cubeofcheese @kura @MichalBryxi no, it's not, both are more or less as (in)secure.
Spaces have a neutral effect on security in this situation. A dictionary attack will try different separators between the words, one of them being a space and another one being an empty string.
What matters for passwords made up of words is:
- the size of word list from which they are chosen
- the number of words
- how randomly they are chosen
@Riokm @cubeofcheese @kura True, true, true. If you know the password is dictionary made, then the spaces will for most practical cases add *2 to the number of possible combinations. AFAIK.
@MichalBryxi@veganism.social @Riokm@tech.lgbt @cubeofcheese@mstdn.social Well, I most often use 4 spaces, aka 5 words, and depending on the page add some simple special chars and stuff. And every webpage has its own password, so it doesn't overlap with other pages. So I take most precautions I should.
A few years ago I used a simple 8-10 letter password, and the same one for every webpage.
@Riokm @kura @MichalBryxi okay that makes sense. I was going off a security class I took, but I'm no security expert.
@cubeofcheese @kura I wonder what the hard numbers would be though. Even if you have complete dictionary the base you're using is massive.
Merriam-Webster dictionary contains 470k words. So with two words we're at 220,900,000,000 combinations, which is somewhere between the full space of 5 and 6 alphanumeric characters (case sensitive).
So yeah, a minimum number of spaces required would actually be a good idea
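The two posts above (spaces as a separator choice, and the 470k-word dictionary arithmetic) are easy to check with a few lines. The block below is an added example, not code from anyone in this thread: it models the search space an attacker who already knows the scheme would face, for word-based passphrases with or without separator choice, and converts it to the equivalent length of a case-sensitive alphanumeric password. The 470,000-word figure comes from the thread; the 7,776-word list size used in the comparison is an assumed size for a typical curated passphrase word list, and the 62-symbol alphabet is a-z, A-Z, 0-9.

```python
"""Passphrase vs. character-password search space (added, constructed example)."""
import math

ALNUM = 62  # a-z, A-Z, 0-9: the case-sensitive alphanumeric alphabet


def char_space(length: int, alphabet: int = ALNUM) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return alphabet ** length


def passphrase_space(words_in_list: int, n_words: int,
                     separators: int = 1, per_gap: bool = False) -> int:
    """Candidates an attacker who knows the scheme must try.

    separators: number of distinct separator options the attacker must
                consider (2 models '' and ' ', as described in the thread).
    per_gap:    True  -> the separator may differ at each of the n-1 gaps
                False -> one separator is used consistently (x separators)
    """
    base = words_in_list ** n_words
    if n_words < 2 or separators <= 1:
        return base  # no gaps, or only one way to fill them
    if per_gap:
        return base * separators ** (n_words - 1)
    return base * separators


def bits(space: int) -> float:
    """Search space expressed in bits (log2)."""
    return math.log2(space)


def equivalent_char_length(space: int, alphabet: int = ALNUM) -> int:
    """Smallest password length L with alphabet**L >= space."""
    length = 0
    while alphabet ** length < space:
        length += 1
    return length


def compare(words_in_list: int, n_words: int, separators: int = 1) -> dict:
    """Summary a defender can use when setting a passphrase policy."""
    space = passphrase_space(words_in_list, n_words, separators)
    return {
        "words": n_words,
        "space": space,
        "bits": round(bits(space), 1),
        "alnum_equiv_len": equivalent_char_length(space),
    }


if __name__ == "__main__":
    # Two words from the 470k-entry dictionary quoted in the thread,
    # with and without the attacker having to guess ' ' vs '' as separator.
    print(compare(470_000, 2))
    print(compare(470_000, 2, separators=2))
    # Assumed 7,776-word curated list (constructed comparison), 4 to 6 words.
    for n in (4, 5, 6):
        print(compare(7_776, n))
    # Plain character passwords for reference.
    for L in (6, 8, 10):
        print(L, "alnum chars:", round(bits(char_space(L)), 1), "bits")
```

The per-gap option shows why the "spaces double the work" intuition only holds for two words: with n words and an attacker who allows each gap to be either a space or nothing, the multiplier is 2^(n-1), while if the attacker assumes a consistent separator it stays at 2 regardless of length. Either way, the word-list size and the number of words dominate, which is the point made in the thread.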
@MichalBryxi @rantingsteve Also, in case of my company, it breaks calendar syncing and similar functions, causing me to miss meetings and emails if I don’t forget to manually log in frequently. My phone is already passcode-protected, c’mon.
@mizah @rantingsteve To be fair: That sounds like a bonus to me. Sorry did not see your calendar invite. Reason as usual
@MichalBryxi On the other hand, making people log in not often enough is a good way to have them write down their password because they don't remember it.
Since we moved to device-specific pin codes at work, we use our passwords less than once a week and many colleagues jumped to writing it down on post-it notes to avoid forgetting it. We still have to change it twice a year.
@Whidou After my 2-month-long sabbatical earlier this year it took me an hour (because of exponential backoff on failures) to log back into my computer. Completely avoidable if you would not force me to change it on a periodic basis.
@MichalBryxi @Whidou Seems like the better solution there would be a system that locked your account when you went on leave and then just had you reset your password straight off when returning. Most people will probably have the same issue you did, so they might as well start with that assumption. :)
@castillar @Whidou Frankly I was quite panicky at that moment as that would mean being locked out from end-to-end encrypted laptop. I don't think there is a recovery option for that
@MichalBryxi @Whidou Whoops! Yeah, that'd be not-fun in the extreme. If it's a centrally managed device for work, one would hope they've got a reset mechanism, but for personal devices that's a big EEK. :)
@Whidou @MichalBryxi Post-its on the monitor are still easier to secure when you go on vacation—put them in a drawer. It's much easier to get physical security right than digital hygiene.
@MichalBryxi It's a 128-bit session ID, not a piece of fish. It doesn't simply go bad after 24h!
@henryk Love it! Will steal for later!
@MichalBryxi ohh if Windows would allow fido2/U2F things would be pretty nice but everything needs to be a shitshow on windows.
@MichalBryxi it's the same logic for those YubiKey dongle thingies. I have ADHD, I can’t even remember the new pin for my credit card. Security theatre is a threat to accessibility.
@cytokine_storm @MichalBryxi hi! I also have ADHD! Idk if this will help, but when I need to make a pin and remember it, I make up a 4-letter nickname for somebody and turn it into a pin. So someone named Molly could get nicknamed Mols, and the pin would be 6657. (I don’t actually call them these nicknames, so they don’t have to be good!) it’s way easier for me to remember “oh yeah, my bank pin is Sebastian, Sebi, 7324” than random numbers.
@justpeachy @MichalBryxi not a bad idea actually, I’ve used similar tricks in the past
@MichalBryxi@veganism.social case in point, I have multiple banking apps that don't let you set a local PIN but demand you type in the actual online password to your account every time you use them (and sometimes even when you app switch out of them), with the only option to avoid it being biometrics (which this phone doesn't have). how on earth is this supposed to be usable when I use a password manager and random passwords? all it does is make me use a weak password for my online bank account, which strikes me as a terrible idea...
(a lot of more reasonable apps either a) tie into the Android auth thing properly, letting you use the device PIN or whatever and not just fingerprint specifically - opinions may vary on whether that's a good idea - or b) make you set an app password local to your device, which can then be something I can remember without exposing it to being brute forced over the internet)
@MichalBryxi Reminds me of RuneScape where you cannot register with a password that contains anything but letters and numbers, and only up to like 8 characters. So weird
Don't get me started. In my role at my day job, I onboard new staff in my region ...
@MichalBryxi agreed. So many people don’t get that it’s actually an anti-pattern.
@MichalBryxi years ago the agency I was at had one of those intricate kind of PW change schemes that could only be devised by someone with nothing better to do. Usual sort of force-change every 30 days, can't reuse any of your last 10 passwords, must be at least X long and contain all the following...
First, calls to tech support for password-reset assistance skyrocketed.
Second, those old ladies would just WRITE THEIR CURRENT PW DOWN on a pad or a post-it near their screen.
Yay, security.
@the_turtle No need to call me an old lady
@MichalBryxi I worked at a company where they had a 30-day limit and you couldn't use the same password twice.
People would put their passwords on post-its on their monitors. Super secure
@MichalBryxi Michael McIntyre has a good take on this https://www.youtube.com/watch?v=z_HmDP3lKMI
@MichalBryxi Worked at a government contractor years ago where one of our passwords had to be re-entered every few hours.
Also it was limited to 12 characters or less.
@MichalBryxi you can extend this to forcing people to change their password often instead of doing something sensible like encouraging the use of pass phrases, spaces, heck, complete sentences.
Of course this will only work if Single Sign-On is implemented and works as advertised.
Also, Yubikey could fix a lot of this but is prohibitively expensive for some.
@MichalBryxi or use mouse jigglers to avoid automatic locking. (Like me...)
@MichalBryxi once got a phishing email telling me my corporate account was about to expire but I could follow the link to extend it.
The thing is, my account had expired a couple of months prior and it was a pain to reset, so I *almost* clicked that link.
Fortunately something felt off and I decided to check the headers and urls.
@MichalBryxi Yes! There's an app at my workplace that makes us re-log in about every 15 minutes. And we're doing it in public view, so someone could easily see what we're doing.
Just checking I haven't missed any corners of this conversation:
Calling @Chartodon ...
CC: @MichalBryxi
Your chart is ready, and can be found here:
https://www.solipsys.co.uk/Chartodon/111059297894222208.svg
Things may have changed since I started compiling that, and some things may have been inaccessible.
In particular, the very nature of the fediverse means some toots may never have made it to my instance, in which case I can't see them, and can't include them.
The chart will eventually be deleted, so if you'd like to keep it, make sure you download a copy.