• DacoTaco@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        9 months ago

        Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!

        … Its still a shit security design. Better to have username, pass and a security key hehe

        • VeganCheesecake@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?

          • DacoTaco@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            I think you got it wrong what i meant (?)
            Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
            Websites generally dont work this way, i know. But thats how id implement it :')

            • VeganCheesecake@lemmy.blahaj.zone
              link
              fedilink
              arrow-up
              2
              ·
              9 months ago

              Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.

      • AndrasKrigare@beehaw.org
        link
        fedilink
        arrow-up
        3
        ·
        9 months ago

        Shit, are we getting to that point where all non-password logins are “2fa” like how all denial of services are “DDoS”

  • r00ty@kbin.life
    link
    fedilink
    arrow-up
    66
    ·
    9 months ago

    It’s all good until you get into a dependency loop with your email account passwords needing resetting, that have the email from the other account that needs resetting :P

  • CileTheSane@lemmy.ca
    link
    fedilink
    arrow-up
    50
    arrow-down
    1
    ·
    9 months ago

    If websites could just remind me on the login in screen what their password requirements are that would help me a LOT.

    So many times I start going through the “forgot my password” steps and then when I see the password requirements are “at least 10 characters long with 2 unique symbols” I remember what it was and can go back and log in.

      • Jyek@sh.itjust.works
        link
        fedilink
        arrow-up
        25
        arrow-down
        1
        ·
        9 months ago

        But don’t use lastpass, they are the most popular, and with the largest breach history. In fact, if you are capable of the admittedly high bar of self hosting, use bit warden instead.

        • CileTheSane@lemmy.ca
          link
          fedilink
          arrow-up
          13
          arrow-down
          1
          ·
          9 months ago

          But don’t use lastpass, they are the most popular, and with the largest breach history.

          This is exactly why I don’t want to use a password manager. Storing all my passwords in one place online doesn’t exactly sound secure.

          • AWildMimicAppears@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            6
            ·
            edit-2
            9 months ago

            I would rather recommend using KeepassXC, and storing and syncing the database with your other devices using Syncthing. Supereasy to set up, and works flawlessly with my pc and my phone.

            KeepassXC has nice features like global autotype btw, so for webpages i can insert my payment information with one hotkey. no need to save your CC in your browser.

          • systemglitch@lemmy.world
            link
            fedilink
            arrow-up
            4
            ·
            9 months ago

            Right? I’m right with you. I keep a password book I can lock up in the safe. No online hacker can get to that.

            • funkless_eck@sh.itjust.works
              link
              fedilink
              arrow-up
              3
              ·
              edit-2
              9 months ago

              I use a pattern relative to the site name, with a different email address for every site also relative to the site name. The pattern means the password is always different but I always know that it is.

          • Toribor@corndog.social
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            9 months ago

            For 99% of people an online password manager like Bitwarden or LastPass is going to significantly help them manage passwords securely despite the risks associated with cloud services. Most people can’t handle self hosting Bitwarden or syncing a Keepass database by themselves. Without an easy to access and easy to use online option people will revert to significantly riskier methods like password reuse or using some sort of repeatable/guessable pattern.

            For the 1% of people who want more security there are options like Vaultwarden or Keepass. Even then it’s not uncommon to make mistakes and lose data/access or leave some sort of vulnerability exposed. The attack surface is a lot smaller than a public service though which is beneficial.

          • KairuByte@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            1Password is an option. It’s all stored in one place, sure. But you need the encryption key and password to access it. No one but you has that key, and if you lose/forget it you lose your passwords forever. Not even the company can recover your passwords from that.

        • vividspecter@lemm.ee
          link
          fedilink
          arrow-up
          5
          ·
          9 months ago

          In fact, if you are capable of the admittedly high bar of self hosting, use bit warden instead.

          Vaultwarden, typically, because it’s fully free and more resource efficient. But bitwarden as the client of course.

      • CileTheSane@lemmy.ca
        link
        fedilink
        arrow-up
        16
        ·
        9 months ago

        Listing those requirements up front would make things way easier for brute force attackers

        They list all those requirements when you try to create an account. If anyone wants to try to brute force they already have that info.

        • LwL@lemmy.world
          link
          fedilink
          arrow-up
          9
          ·
          9 months ago

          Also, online logins should lock you out temporarily after a few failed attempts anyway, making brute force a complete non issue.

          Also also, if you’re going to try to brute force someones pw, you would just look up the requirements beforehand anyway.

        • Jyek@sh.itjust.works
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          If you brute force using single iterations of all possible combinations sure. But people don’t do that. They use fully readable passwords and letter substitutions. This makes dictionary attacks viable. There are a known number of readable words and phonetic combinations that are significantly easier to brute force. And also the vast majority of numbers are also guessable because most numbers are dates. Series of 2 or 4 or 8 numbers to form important dates means there are lots of numbers between 1940-2024. People don’t usually unconditionally random alphanumeric passwords. Therefore peoples passwords will never be fully secure against sufficiently advanced brute force methods.

          • masterofn001@lemmy.ca
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            9 months ago

            I originally included the words “assuming random” to the post. Why I removed it? I guess for dramatic effect. You are correct. Permutations of dictionary words are relatively trivial for a decent program. But, increasing the length and the addition of special characters adds a nontrivial exponential increase in time, wouldn’t it?

      • Duamerthrax@lemmy.world
        link
        fedilink
        arrow-up
        6
        arrow-down
        2
        ·
        9 months ago

        Brute Force attacks haven’t been effective for decades. Not since they implemented delays between attempts and times outs/lock outs for too many failed attempts.

  • edric@lemm.ee
    link
    fedilink
    arrow-up
    47
    ·
    9 months ago

    There was one time I was traveling and had to reset one of my passwords. It sent a verification code via email but my email provider wouldn’t let me login because I was in a different country I’ve never been to before. So it was a train of recovery processes to reser my password on a single account.

    • No_@lemm.ee
      link
      fedilink
      arrow-up
      14
      ·
      9 months ago

      I can smell the Linux crowd rushing to suggest a better method.

    • cmnybo@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      9 months ago

      Run a VPN server at home, any decent router should be able to run one. Then you can be anywhere in the world and every site will still think you are at home.

      • knexcar@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        How would they be able to do that if they were already out of the country? Or is it something that “everyone” should set up?

        • cmnybo@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          That’s something that should be set up before leaving. You wouldn’t be able to do it away from home unless you already had remote access to a computer running at home or if your router had remote access enabled.

        • ForgotAboutDre@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          9 months ago

          They would have to set it up before leaving. Or have someone in the household change their router settings to enable it and share the details with them.

          If you ever look at local WiFi networks in most residential areas you will see 90%+ use the default router supplied by thier isp. Also using the default SSID and password printed on the router. Most wouldn’t even venture into the routers web page to change the settings. So the likelihood someone would configure this is low.

          If you don’t already, change your default WiFi SSID and password. It makes it easier to share with visitors, you can use the same ones when you switch routers (saves reconfiguring all devices). It also removes the possiblity of your ISP leaking the SSID and password to anyone. If it’s been printed, then it isn’t encrypted when stored. Many ISPs have lost lots of customers data in breaches, many of which they resit making public.

  • RGB3x3@lemmy.world
    link
    fedilink
    English
    arrow-up
    39
    ·
    9 months ago

    The big brain move is going to reset your password, getting told you can’t use your current password when you type in a “new” one, then going back to the login screen to log in.

    • CileTheSane@lemmy.ca
      link
      fedilink
      arrow-up
      3
      ·
      9 months ago

      Big brain move is going to reset your password, seeing what their obscure password requirements are, then remembering your password and going back to the login screen to log in.

      • RGB3x3@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        I really wish sites with those stupid restricted complexity requirements would just say what they are on the login screen.

        “We only allow ‘&#@!()’ because we don’t understand password security, you’re welcome.”

    • 30p87@feddit.de
      link
      fedilink
      arrow-up
      7
      ·
      9 months ago

      My bank has, for being a bank, very very bad character support. Best thing is, I’m basically gonna work for that bank.

        • dan@upvote.au
          link
          fedilink
          arrow-up
          2
          ·
          9 months ago

          One of the largest banks in Australia (Westpac) used to require passwords to be exactly 6 characters (no more, no less) and they were case insensitive. It also had a fun ‘denial of service’ attack built-in: If you got it wrong three times, it’d lock the account and force you to go to the bank to unlock it, meaning anyone that knew your bank username could lock you out of your account and cause some pretty big headaches. Fun.

          In fact, I’m not sur whether they ever fixed this. Haven’t used their services in a long time.

    • BallsandBayonets@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      9 months ago

      My employer software has us log in with just our password, no username. I don’t know exactly what’s going on in the backend but I know I don’t like it.

    • psycho_driver@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      9 months ago

      The highly regarded password policy of my last employer was one of the many things that pushed me over the edge and made me leave for greener pastures. I had to manage something like 9 different passwords, with the main one having changed to 16 chars min with all of the usual number/symbol/CAP requirements.

  • Xatolos@reddthat.com
    link
    fedilink
    arrow-up
    21
    arrow-down
    1
    ·
    9 months ago

    Forgot to add “Add a comma in your password, so if the all the user logins get leak, it will destroy the CSV file it gets uploaded to”.

  • Omega_Haxors@lemmy.ml
    link
    fedilink
    English
    arrow-up
    19
    arrow-down
    1
    ·
    9 months ago

    Step 1) Activate 2-Factor authentication

    Step 2) Authentication system fucks up

    Step 3) Locked out of your own account

    True story. x2

  • RedWeasel@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    9 months ago

    There is also use a password manager and reset the password everytime because the site blocks them and locks it out.

    • VeganCheesecake@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      29
      arrow-down
      1
      ·
      9 months ago

      I have relatively long Passwords, because why not, and had problems with pages restricting the number of characters you can enter in the login window, but not the registration window. Or restricting password length and cutting your password off, but not telling you about it, so you gotta figure out that they set the first 30 characters of the saved password as your password.

      Always fun to deal with. I could make it a lot easier for me by just using shorter passwords, but I think deep down I’m a masochist.

      • CoggyMcFee@lemmy.world
        link
        fedilink
        arrow-up
        25
        ·
        9 months ago

        The worst version of this I’ve ever seen is a site that enforced a password policy on the “current password” field on the “change password” interface. I had an existing password that violated their policy (either because they changed the policy or a technician created a “temporary” password for me, I forget), and I could not change it to a proper password because my current password would get rejected.

      • marine_mustang@sh.itjust.works
        link
        fedilink
        arrow-up
        4
        ·
        9 months ago

        I have several password manager plugins installed on my browser, along with the built-in password managers in the browser and the OS itself, because I like seeing them all fight over the password field.

      • snooggums@midwest.social
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        9 months ago

        I have relatively long Passwords, because why not

        Typos is why I don’t make mine longer or more complicated.

  • dan@upvote.au
    link
    fedilink
    arrow-up
    12
    ·
    9 months ago

    For any self-hosted services you use, run something like Authentik and configure all the apps to use it for auth via OIDC (OpenID Connect). Makes the experience a lot nicer, instead of every service having its own separate user system.

      • dan@upvote.au
        link
        fedilink
        arrow-up
        2
        ·
        9 months ago

        I’ve never tried Keycloak so I’m not sure, sorry.

        One feature Authentik has that I don’t think Authelia nor Keycloak support is operating as an LDAP server. With Authelia at least, you have to run a separate LDAP server if you need LDAP. With Authentik, it’s built in.

        • shastaxc@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          I guess I’ll have to do the research myself. Ohh bother. I can tell you that Keycloak can use a postgresql db or ldap but it is not built in. I honestly really dislike LDAP though. It’s an old protocol that has terrible client support and the only real reason to use it imo is if you need to support really high number of users and traffic, like in the millions.

          • dan@upvote.au
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            I don’t like it either, but there’s probably some apps that only support LDAP.

      • moonpiedumplings@programming.dev
        link
        fedilink
        arrow-up
        3
        ·
        9 months ago

        Why? In case authentik goes down, so you can recover data? Or something else?

        I am settting up authentik and other selfhosted services right now and my plan was for authentik to have all the accounts.

  • paysrenttobirds@sh.itjust.works
    link
    fedilink
    arrow-up
    5
    arrow-down
    1
    ·
    9 months ago

    I like the DocuSign model. Just focus on securing your one account (email) and then make all the others use it as single factor.

    • dan@upvote.au
      link
      fedilink
      arrow-up
      3
      ·
      9 months ago

      Until you get locked out of your email account and can no longer access anything. This happens all the time with freemail (Gmail, Hotmail, Yahoo, etc) accounts.

      The contents of mails also shouldn’t be considered secure. I like the idea of doing proper SSO through an email provider though - for example, using OIDC (OpenID Connect).