World Password Day Must Die


From our very own blog: World Password Day Must Die

The existence of World Password Day is a symptom of two problems.

The first is that password authentication is a terrible design. Its success hinges on humans being good at something humans are really bad at: creating and remembering long strings of random characters.

The second problem is that for too long we made passwords a problem for users to solve instead of a problem for IT or security.

Read in its entirety.


  • Root Admin
Quote

Forcing people to create passwords to a formula, insisting on at least one uppercase letter, at least one special character etc, is out. And so are periodic password resets. Both are far more effective at annoying users than they are at improving security.

Pet peeve I've complained about for probably twenty years now.

The National Institute of Standards and Technology (NIST) made recommendations years ago saying this practice should be stopped, but to this day most IT departments still force users to change their password on a fixed number of days, such as every 90 or 180 days.


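As an added illustration of the policy contrast in the post above (this code is not from the thread or the blog it cites): a verifier-side check in the style of NIST SP 800-63B, length plus a compromised-password blocklist and no scheduled expiry, beside the legacy composition-and-rotation rule it replaces. The blocklist entries, the 90-day interval and the sample dates are constructed values.

```python
# Added example, not from the thread: legacy composition/rotation policy versus a
# NIST SP 800-63B style verifier check. Blocklist and dates are constructed samples.
import re
import unicodedata
from datetime import date

LEGACY_ROTATION_DAYS = 90  # the fixed-cycle reset the post objects to


def legacy_policy(pw: str, last_changed: date, today: date) -> list[str]:
    """Composition rules plus fixed-interval expiry. Returns the list of failures."""
    problems = []
    if len(pw) < 8:
        problems.append("too short")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs an uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special character")
    if (today - last_changed).days > LEGACY_ROTATION_DAYS:
        problems.append("expired: periodic reset required")
    return problems


# Constructed stand-in for a breached/common-password blocklist; a real deployment
# would load one from a breach corpus and compare the normalized password against it.
BLOCKLIST = {"password", "password1!", "123456789", "qwertyuiop", "letmein123"}


def nist_style_policy(pw: str, compromised: bool = False) -> list[str]:
    """Length and blocklist only: no composition rules, no scheduled expiry.
    A reset is demanded only when there is evidence of compromise."""
    normalized = unicodedata.normalize("NFKC", pw)  # 800-63B: normalize before checking
    problems = []
    if len(normalized) < 8:
        problems.append("too short (minimum 8 characters)")
    if len(normalized) > 64:
        problems.append("longer than the 64 characters this verifier accepts")
    if normalized.lower() in BLOCKLIST:
        problems.append("on the compromised/common-password blocklist")
    if compromised:
        problems.append("reset required: evidence of compromise")
    return problems


if __name__ == "__main__":
    today = date(2024, 6, 1)
    # A long passphrase fails the legacy rules three ways but passes the NIST-style check.
    print(legacy_policy("correcthorsebatterystaple", date(2024, 1, 1), today))
    print(nist_style_policy("correcthorsebatterystaple"))
    # A formula-satisfying but well-known password passes legacy and is caught by the blocklist.
    print(legacy_policy("Password1!", today, today))
    print(nist_style_policy("Password1!"))
```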


7 minutes ago, AdvancedSetup said:

The one and only password tip you need

If you have a choice, the best form of 2FA is a password and hardware key, but you’ll need to buy a hardware key. They are worth the small investment and not nearly as intimidating as they can seem. 

And from Mark's post today:

Many users simply don't trust password managers, and unless you've sat with somebody using one for the first time, you may not appreciate how difficult it can be for people to make sense of them. (Tried and failed the first time, but gearing up for another round.)


17 minutes ago, AdvancedSetup said:

force users to change their password on a fixed number of days, such as every 90 or 180 days.

Been there, done that, only at 45 days.


  • Root Admin

Yes, for some people I can see they might not be quite as straightforward to use, but once you do get used to them it's difficult to do without them.

I've been using KeePass probably since about one or two years after they created it. Not for everyone, but I think it's fantastic.

https://keepass.info/

https://en.wikipedia.org/wiki/KeePass


Just curious: Bitwarden allows and recommends syncing across all devices. This would be the only time that syncing is desirable, correct? Versus syncing bookmarks etc. across devices.


  • Root Admin
Posted (edited)

I don't sync anything to any other device, but that is me being strict and not trusting the process. I'm at home 99.9% of the time and have no need to share or sync, but many others do have those types of needs.

The actual database for your password manager is the only thing synced with them.


Edited by AdvancedSetup
Updated information