Ask Lemmy
A Fediverse community for open-ended, thought provoking questions
Rules: (interactive)
1) Be nice and; have fun
Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them
2) All posts must end with a '?'
This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?
3) No spam
Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.
4) NSFW is okay, within reason
Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com.
NSFW comments should be restricted to posts tagged [NSFW].
5) This is not a support community.
It is not a place for 'how do I?', type questions.
If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.
6) No US Politics.
Please don't post about current US Politics. If you need to do this, try !politicaldiscussion@lemmy.world or !askusa@discuss.online
Reminder: The terms of service apply here too.
Partnered Communities:
Logo design credit goes to: tubbadu
view the rest of the comments
It doesn't even have to be that long. 12-16 characters and it'll be infeasible to brute-force for the foreseeable future. But unless you're talking a high-value target like government, military, or executive suite at a company, no one bothers to brute-force anyway because there's easier ways to gain access.
The biggest issue with password security is reuse and sharing. The most secure password in the world doesn't mean a damn thing if you use the same email/password combination across a hundred different websites, because all it takes is for just one of them to suffer a leak and now your credentials are in a dump with millions of others that can be bought for a song and a dance.
This is why it's imperative to use 2FA for your most important accounts, because it can mean the difference between an attacker getting access and hitting an error page and trying the next poor fucker's credentials instead.
But also, no one wants to try to remember a hundred different unique passwords so it's also a good idea to use a password manager. Chrome and Firefox both have them built-in (note that Firefox stores passwords unencrypted on disk unless you set a master password!), but there's also services like OnePass or Bitwarden that have stronger guarantees.
While being aware that leaking passwords and reusing them is a major risk, I was just asking about the construction of the password as it relates to being attacked directly.
Absolutely. I recommended the notebook approach only because I think people of a certain mindset would be more open to it than a password manager, even if it isn't as elegant of a solution. At the end of the day it still diversifies passwords. I'm vividly picturing my mom throwing a fit any time a doctor or other office wants her to fill out a form on a tablet instead of paper.
Is there something that would perhaps also work on Android? Also, how do you move the passwords from password manager into the fields? My problem with clipboard is that anything can read it. Of course, that means there has to be something to exfiltrate the data, but 1 problem is better than 2.
Most of those password managers are also available on android, and automatically clear the clipboard after 30 seconds.
But that's a bit like plugging a leak when the tanks empty. If they managed to get a tool onto your device to read the clipboard, what else is there to get? They'll almost certainly have a key logger installed as well, if not a full backdoor.
And that's assuming they'll even go through the effort of installing anything and not just using ransomware to brick your device.
The first thing about security is knowing who you're defending against, and you're not defending against targeted attacks by nation states (if you as an individual are, you've already lost). Your main adversary is spray-and-pray "script kiddies", maybe the occasional private actor.
Clearing the clipboard also makes it less likely that you'll accidentally paste your password in a text box somewhere when you meant to tap "Copy" and missed.
I was thinking of Android, and whatever some apps may be doing. They should already be pretty limited in what they can do, so it might be forced to just read the clipboard from time to time and hope you don't notice (android now shows pop-up when something reads clipboard).
Password managers on Android (and frankly all platforms) actually try to avoid using the clipboard. They prefer the auto-fill service, which is intended for applications just like this. Unfortunately this isn't working in all cases, but you can also set your password manager as a keyboard (temporarily), so it can directly input a selected username/password without anyone else seeing it.
Examples where I know this is the case are open source keepass options (Keepass2Android, KeepassDX). But I'd assume bitwarden and the like also work this way.
Keypass has apps which supposedly support autofill (I've never bothered with setting them up because I hate using a phone), but it might go through the clipboard. You can also set it to clear the clipboard so its at least not just sitting there indefinitely.