1303
submitted 1 year ago by woshang@lemmy.world to c/memes@lemmy.ml
[-] Holzkohlen@feddit.de 107 points 1 year ago

The only good passwords are those you don't know yourself because they are randomly generated and all stored in your password manager of choice.

[-] PieMePlenty@lemmy.world 60 points 1 year ago

Until some locked down tv/console type device asks me for a password.

[-] zalgotext@sh.itjust.works 59 points 1 year ago

Then you look up the random string of 36 characters once, think "why did I make this one 36 characters" as you painstakingly type it in with a TV remote, then immediately forget it as soon as you're logged in.

[-] Lt_Cdr_Data@discuss.tchncs.de 20 points 1 year ago

Then repeat this process every few months when the device decides it needs to ask you for the password again. Not playing this game.

[-] Johanno@feddit.de 9 points 1 year ago

Take the TV throw it out of the window.

Buy a mini PC and plug in a cheap monitor via HDMI.

Set up Kodi or similar on your mini PC and you won't even have ads anymore, because you will of course install Pi-hole too.

[-] CurlyMoustache@lemmy.world 3 points 1 year ago

But I need a password to open my windows

[-] ClamDrinker@lemmy.world 3 points 1 year ago

If it's a fairly inconsequential service (no payment/personal info, nothing lost if it gets hacked), you can just generate a far shorter password. Even randomly generated passwords can be remembered eventually if you have to type it enough times, and that's still better than the same one.

If it's not inconsequential, I'd be questioning if my money is well spent on a sadistic service that makes my life hell trying to have a minimum level of security. I would say that even if it wasn't a generated password that you have to type over.

[-] Viking_Hippie@lemmy.world 7 points 1 year ago

Ugh, I hate typing with the remote so fucking much! It's worse than having a mild case of covid-19.

[-] Damage@slrpnk.net 7 points 1 year ago

I have a keyboard connected to my TV and some apps still refuse to accept its input, forcing me to use the stupid remote keyboard

[-] TwinTusks@outpost.zeuslink.net 2 points 1 year ago

There must be a better way (bluetooth keyboard maybe?)

[-] Wogi@lemmy.world 3 points 1 year ago

Device recognition instead of passwords, using your phone. A number of apps already do this and logging in is painless even with a shitty old remote.

[-] Empricorn@feddit.nl 1 points 1 year ago

That sounds... even less secure, but admittedly I know nothing about it. How does it work? MAC address? Device type? OS? I think all of those can be spoofed...

[-] deeznutz@lemmy.dbzer0.com 2 points 1 year ago

Diceware words.

[-] SpezCanLigmaBalls@lemmy.world 1 points 1 year ago

Can't forget it if you don't even remember it when you're typing it in.

[-] giffybiss@lemmygrad.ml 1 points 1 year ago

If you have a tv remote app, you can paste the password in (source: experience)

[-] PieMePlenty@lemmy.world 1 points 1 year ago

Not write it down on a Post-it and recycle it with the rest of the paper products, only for the G-men to go through your trash and find it?

[-] vsis@feddit.cl 11 points 1 year ago

I use an offline libre password manager for several badly designed government sites that only accept numbers as passwords or don't allow pasting.

It's not that hard and I easily got used to it. I read it, type it and forget it again.

[-] cryptix@discuss.tchncs.de 6 points 1 year ago

Oh god, I hate those sites that don't allow the paste option.

[-] kokofruits_1@lemmy.world 13 points 1 year ago

There's a Firefox extension, "Don't fuck with paste"; maybe you should check it out!

[-] deeznutz@lemmy.dbzer0.com 4 points 1 year ago

In about:config, set dom.event.clipboardevents.enabled to false.

[-] kokofruits_1@lemmy.world 3 points 1 year ago

It's so cool how much in Firefox can be done just in about:config, one of the best features in Firefox.

[-] Hexarei@programming.dev 3 points 1 year ago

I like KeePassXC's auto-type option; no pasting needed when it can just pretend it's a keyboard and type for you!

[-] hemko@lemmy.dbzer0.com 1 points 1 year ago

Yeah, this is just crazy good. I'm even using it for non-password use cases like copying scripts to virtual machines I can't copy-paste to.

[-] Fermion@feddit.nl 3 points 1 year ago

Some password managers support generating random passphrases like "correctbatteryhorsestaple." They're still a pain to punch in on a remote, but much easier to keep track of where you are in the password and avoid transcription errors.

[-] kratoz29@lemm.ee 3 points 1 year ago

I hate this shit so much; even though I can do semi-okay because I use a Shield TV, the logins are still a pain in the ass.

[-] stebo02@lemmy.dbzer0.com 37 points 1 year ago

it's all fun and games until you don't have access to your password manager

[-] clb92@feddit.dk 6 points 1 year ago

Well that's on you then.

1. Keep encrypted backups of your password database, so that you can migrate to something else if you need to.

2. Make sure to have your password database synced to your phone or accessible in some other way when you're out and about.

3. If you use a purely offline and local password manager with no syncing, have a way for a trusted person to be able to access it, if you need them to.

4. Lastly, attempt not to suffer memory loss and forget your main credentials to the password manager.

[-] tilcica@lemm.ee 15 points 1 year ago

depends on the password manager....

also, the length of the password is WAY more important than it being randomly generated as long as it's not in a password dictionary somewhere. I use 20+ character passphrases that I can easily remember everywhere, for instance.

[-] MrVilliam@lemmy.world 9 points 1 year ago

My strategy is to have a persistent short passphrase that's within every password I use, and pair it with a silly bastardization of the service I have an account for. So, for example, if my passphrase were hunter2 (lol) and I had an account on Netflix, my password for Netflix might be something like hunter2NutFlex. Because of this, I can manage my own passwords in basic text as "code NutFlex" because the "code" portion is encrypted in my own fucking brain. If Netflix gets hacked, somebody has a password that only works with Netflix, and they'd need my text file as a Rosetta Stone to acquire my other passwords. Not impossible, but who the fuck am I and why would anybody dig that deep to do that to me?

I'm no IT expert, so somebody tell me if this is a stupid and overly vulnerable strategy. I thought I was pretty brilliant for coming up with this and rolling it out several years ago.

[-] tilcica@lemm.ee 7 points 1 year ago

I am an IT person (wouldn't say expert) and I do this. Password cracking time is based on the number of characters, not the type of char, so you can do "abcdefghijk" and it will be more secure than "_a;" (both are still weak but my point stands).

All of this can be broken if you just use common passwords or plain English words, since those are broken with dictionary attacks.

[-] Paradoxvoid@aussie.zone 3 points 1 year ago* (last edited 1 year ago)

It's not the worst strategy (and is actually referred to as 'peppering' your password)... but if your primary use-case is websites and mobile apps, using a password manager like Bitwarden and randomly generated strong passwords is still a better strategy (and probably faster too, since you don't need to type it out manually anymore, and/or remember which flex you used when creating your 'peppered' password).

This is a good approach if you have to log in to services that aren't via a web browser though, e.g. remote desktops etc.

[-] drathvedro@lemm.ee 1 points 1 year ago* (last edited 11 months ago)

I'd say the approach is potentially vulnerable, but the tech isn't quite there. The modern approach to password cracking is to take a huge dictionary, and run permutations on it, like change a's to @'s, capitalizing first letters or adding numbers in the end. Any cracker worth their salt will have something like "add _netflix" as a permutation, too. I don't think that anyone would have "NutFlex" in there, yet, but it's possible if one of them stumbles on your leaked password from somewhere else.

As for "basic text", do you mean like .txt's? And do you store the entire password there? We already have viruses that scan for crypto wallets and their seed phrases. It's not too far-fetched to imagine one that would cross-match any txt's contents on the system with the browser's saved logins.

The most glaring issue I see is that the bastardization is effectively part of your password. With 1000+ passwords it's going to be easy to forget (was it nutflix, sneedtflex, nyetflex or something?) and it's going to be hard to find if you don't manage the codes properly. I recently had to scan over every single one of my password manager entries (forgot a 100% random login, password and domain), and let me tell ya, it wasn't fun.

You could possibly switch to a "client-side salting" approach, having a strong consistent password in your head, and storing a short but truly random suffix for each service, e.g. a text file named "Netflix" containing something like "T3M#f", and the final password would be something like "hunter2T3M#f". At least that's what responsible sites do to protect people who have simple/matching passwords. You could even store those suffixes somewhere semi-openly, like in a messenger as messages to yourself. But at that point, it's probably easier to go with a password manager. Though that's an option if you don't trust those.

[-] MrVilliam@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

You could possibly switch to a "client-side salting" approach, having a strong consistent password in your head, and storing a short but truly random suffix for each service, e.g. a text file named "Netflix" containing something like "T3M#f", and the final password would be something like "hunter2T3M#f".

I guess I'm not understanding how this is functionally different from what I already am doing. Why would your 12 character solution be more secure than my 14 character example? Is it just because NutFlex is two actual words, so a dictionary attack could crack that more easily? Or is it because it's kinda close to the domain the account is associated with? Would I be significantly better off replacing those bastardizations with other random words?

Edit: and also, they're saved as notes in my phone, and no I don't type the whole password in. That would defeat the purpose of having a persistent master phrase as part of the password.

[-] drathvedro@lemm.ee 2 points 1 year ago

they’re saved as notes in my phone, and no I don’t type the whole password in

Then I must have misunderstood your approach. Is it like a single note with all the keywords only, then?

I guess I’m not understanding how this is functionally different from what I already am doing. Why would your 12 character solution be more secure than my 14 character example

Yeah, it's because it's close to the associated domain. The way I see it, this bastardization adds little entropy (there are only so many possible variations) but is also rather easy to forget. And a huge problem, in my opinion, is that it's using your mental capacity for per-site suffixes rather than the master password.

A possible attack I see is if I set up a site, say a forum called MyLittlePony.su with no password protection whatsoever, and lure you to register on it. If I scroll through the accounts and notice your password to be "hunter2MyLittlePenis", I might go to PayPal and give it a shot with "hunter2PenisPal". Or somebody whom I sold the database to might. It's extremely rare that anyone would even look at your password specifically unless you are some kind of celebrity, but it's still a possibility. Maybe some future AI tech would be able to crack your strategy (I've tried; ChatGPT told me to fuck right off and FreedomGPT is not good enough yet).

Though you've said you also keep notes, which deals with the easy-to-forget part of the problem, so my first thought was to get rid of the bastardization and add a fuck-all amount of entropy by using a truly random suffix. That'd deal with the above problem. But that'd mean that it's your master password that is the suffix now, and you wouldn't be able to access sites without the notes at all, hence it'd be easier to go with a password manager at that point.
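
The entropy argument in this subthread, worked through as an added example (not code from anyone in the thread): it compares the bits an attacker who already holds the "hunter2" pepper from one breach still has to guess for a site-name mutation, a truly random suffix, a diceware passphrase, a manager-generated password and a digits-only password. The 1000-variant figure for site-name mutations is an assumed illustrative number, and the word list is a constructed stand-in for a real 7776-word diceware list.

```python
from __future__ import annotations

import math
import secrets
import string

# Constructed stand-in for a diceware list; a real list has 7776 (6^5) words.
SAMPLE_WORDLIST = ["correct", "battery", "horse", "staple",
                   "anchor", "pillow", "violet", "comet"]
DICEWARE_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy in `picks` independent, uniform picks from `choices` options."""
    return picks * math.log2(choices)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from `alphabet`, as a password manager generates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(words: list, count: int, sep: str = "-") -> str:
    """Passphrase of `count` uniformly chosen words joined with `sep`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_strategies() -> dict:
    """Entropy left to guess for each per-site secret discussed in the thread.

    The shared pepper ("hunter2") is assumed already known from one breached
    site, so only the per-site portion counts. 1000 is an assumed number of
    site-name mutations a rule set might enumerate, not a measured figure.
    """
    return {
        # attacker enumerates ~1000 variants of the site name ("NutFlex")
        "pepper + site-name mutation": entropy_bits(1000, 1),
        # 5-character truly random suffix from 94 printable symbols ("T3M#f")
        "pepper + random 5-char suffix": entropy_bits(len(PRINTABLE), 5),
        # 6-word diceware passphrase drawn from a 7776-word list
        "6-word diceware passphrase": entropy_bits(DICEWARE_SIZE, 6),
        # 14-character manager-generated password (same length as hunter2NutFlex)
        "14-char random password": entropy_bits(len(PRINTABLE), 14),
        # 8-digit numbers-only password, as the government sites above force
        "8-digit numeric-only password": entropy_bits(10, 8),
    }
```
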

[-] woshang@lemmy.world 1 points 1 year ago

A backup recovery phrase is a good way too.

Except you DO know the password to your password manager, which makes it about as secure as just writing them down and keeping them in the house.

this post was submitted on 27 Oct 2023