The big brain move is going to reset your password, getting told you can’t use your current password when you type in a “new” one, then going back to the login screen to log in.
Big brain move is going to reset your password, seeing what their obscure password requirements are, then remembering your password and going back to the login screen to log in.
For any self-hosted services you use, run something like Authentik and configure all the apps to use it for auth via OIDC (OpenID Connect). Makes the experience a lot nicer, instead of every service having its own separate user system.
One feature Authentik has that I don’t think Authelia nor Keycloak support is operating as an LDAP server. With Authelia at least, you have to run a separate LDAP server if you need LDAP. With Authentik, it’s built in.
I guess I’ll have to do the research myself. Ohh bother. I can tell you that Keycloak can use a postgresql db or ldap but it is not built in. I honestly really dislike LDAP though. It’s an old protocol that has terrible client support and the only real reason to use it imo is if you need to support really high number of users and traffic, like in the millions.
It’s all good until you get into a dependency loop with your email account passwords needing resetting, that have the email from the other account that needs resetting :P
Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!
… Its still a shit security design. Better to have username, pass and a security key hehe
Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?
I think you got it wrong what i meant (?)
Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
Websites generally dont work this way, i know. But thats how id implement it :')
Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.
It won’t destroy the .csv file, but your (below standard) client might have issues reading it. That woman from The Office knows those are not the same thing.
My employer software has us log in with just our password, no username. I don’t know exactly what’s going on in the backend but I know I don’t like it.
The highly regarded password policy of my last employer was one of the many things that pushed me over the edge and made me leave for greener pastures. I had to manage something like 9 different passwords, with the main one having changed to 16 chars min with all of the usual number/symbol/CAP requirements.
One of the largest banks in Australia (Westpac) used to require passwords to be exactly 6 characters (no more, no less) and they were case insensitive. It also had a fun ‘denial of service’ attack built-in: If you got it wrong three times, it’d lock the account and force you to go to the bank to unlock it, meaning anyone that knew your bank username could lock you out of your account and cause some pretty big headaches. Fun.
In fact, I’m not sur whether they ever fixed this. Haven’t used their services in a long time.
Until you get locked out of your email account and can no longer access anything. This happens all the time with freemail (Gmail, Hotmail, Yahoo, etc) accounts.
The contents of mails also shouldn’t be considered secure. I like the idea of doing proper SSO through an email provider though - for example, using OIDC (OpenID Connect).
I have relatively long Passwords, because why not, and had problems with pages restricting the number of characters you can enter in the login window, but not the registration window. Or restricting password length and cutting your password off, but not telling you about it, so you gotta figure out that they set the first 30 characters of the saved password as your password.
Always fun to deal with. I could make it a lot easier for me by just using shorter passwords, but I think deep down I’m a masochist.
The worst version of this I’ve ever seen is a site that enforced a password policy on the “current password” field on the “change password” interface. I had an existing password that violated their policy (either because they changed the policy or a technician created a “temporary” password for me, I forget), and I could not change it to a proper password because my current password would get rejected.
I have several password manager plugins installed on my browser, along with the built-in password managers in the browser and the OS itself, because I like seeing them all fight over the password field.
Bitwarden inserts them automatically, and if I ever have to do it manually for some reason, it just doubles the fun. Hasn’t happened to me yet, though.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !programmerhumor@lemmy.ml
Post funny things about programming here! (Or just rant about your favourite programming language.)
Rules:
Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.
The big brain move is going to reset your password, getting told you can’t use your current password when you type in a “new” one, then going back to the login screen to log in.
Big brain move is going to reset your password, seeing what their obscure password requirements are, then remembering your password and going back to the login screen to log in.
I really wish sites with those stupid restricted complexity requirements would just say what they are on the login screen.
“We only allow ‘&#@!()’ because we don’t understand password security, you’re welcome.”
And have the password still not work.
Step 1) Activate 2-Factor authentication
Step 2) Authentication system fucks up
Step 3) Locked out of your own account
True story. x2
For any self-hosted services you use, run something like Authentik and configure all the apps to use it for auth via OIDC (OpenID Connect). Makes the experience a lot nicer, instead of every service having its own separate user system.
You still want a local account though. Learnt that the hard way.
Why? In case authentik goes down, so you can recover data? Or something else?
I am settting up authentik and other selfhosted services right now and my plan was for authentik to have all the accounts.
I use Keycloak at work. How does Authentik compare?
I’ve never tried Keycloak so I’m not sure, sorry.
One feature Authentik has that I don’t think Authelia nor Keycloak support is operating as an LDAP server. With Authelia at least, you have to run a separate LDAP server if you need LDAP. With Authentik, it’s built in.
I guess I’ll have to do the research myself. Ohh bother. I can tell you that Keycloak can use a postgresql db or ldap but it is not built in. I honestly really dislike LDAP though. It’s an old protocol that has terrible client support and the only real reason to use it imo is if you need to support really high number of users and traffic, like in the millions.
I don’t like it either, but there’s probably some apps that only support LDAP.
Whenever I feel that my passwords are insecure, I offer them a few encouraging words.
This comment has big ‘i did a thing’ energy. Alex, is that you?
Hey, unrelated question, what’s the mother’s maiden name of your password?
If I told you, then my password would be insecure. You see, that’s a sensitive case for them.
Ah yes, they’ll never obtain my password if not even I know it.
It’s all good until you get into a dependency loop with your email account passwords needing resetting, that have the email from the other account that needs resetting :P
That’s easy, just create new accounts every time you login.
And everything is done in Tails.
Can’t one open multiple tabs open at once?
If you think about it the last option is a way to use login via 2fa
Nah it’s just SFA with extra steps.
Magic link login with extra steps
This is more correct
But you only need one factor, access to your inbox?
Shit, are we getting to that point where all non-password logins are “2fa” like how all denial of services are “DDoS”
So it’s more like SSO authentication
SSO without 2FA
Unless your email has 2fa?
Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!
… Its still a shit security design. Better to have username, pass and a security key hehe
Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?
I think you got it wrong what i meant (?)
Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
Websites generally dont work this way, i know. But thats how id implement it :')
Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.
Sign a random string with your private key to be verified by a public key on server.
You’re describing Passkeys/WebAuthN
Can you send the link for it? I was unaware of this.
https://www.smashingmagazine.com/2023/10/passkeys-explainer-future-password-less-authentication/
Just need a password to sign now. 🥲
Use passkeys
One of each please.
deleted by creator
Forgot to add “Add a comma in your password, so if the all the user logins get leak, it will destroy the CSV file it gets uploaded to”.
Add a drop table statement to it while you’re at it
It won’t destroy the .csv file, but your (below standard) client might have issues reading it. That woman from The Office knows those are not the same thing.
We have the worst password policy I’ve ever dealt with at my current employer.
My employer software has us log in with just our password, no username. I don’t know exactly what’s going on in the backend but I know I don’t like it.
The highly regarded password policy of my last employer was one of the many things that pushed me over the edge and made me leave for greener pastures. I had to manage something like 9 different passwords, with the main one having changed to 16 chars min with all of the usual number/symbol/CAP requirements.
Create a new account every time?
Change password every day, and the required password length and complexity increases each time you change your password.
Password game irl
Are you sure you’re not working for a scam call center?
(Piped)
Bitwarden has a password generator that you can set criteria for, been really helpful with one of my janky logins
My bank has, for being a bank, very very bad character support. Best thing is, I’m basically gonna work for that bank.
For years my bank only allowed numerical passwords. The maximum length was 8.
They changed it somewhat recently.
me when my bank is less secure than a fucking door lock
One of the largest banks in Australia (Westpac) used to require passwords to be exactly 6 characters (no more, no less) and they were case insensitive. It also had a fun ‘denial of service’ attack built-in: If you got it wrong three times, it’d lock the account and force you to go to the bank to unlock it, meaning anyone that knew your bank username could lock you out of your account and cause some pretty big headaches. Fun.
In fact, I’m not sur whether they ever fixed this. Haven’t used their services in a long time.
But they had a strict lockout policy, right? Right?
I like the DocuSign model. Just focus on securing your one account (email) and then make all the others use it as single factor.
Until you get locked out of your email account and can no longer access anything. This happens all the time with freemail (Gmail, Hotmail, Yahoo, etc) accounts.
The contents of mails also shouldn’t be considered secure. I like the idea of doing proper SSO through an email provider though - for example, using OIDC (OpenID Connect).
There is also use a password manager and reset the password everytime because the site blocks them and locks it out.
I have relatively long Passwords, because why not, and had problems with pages restricting the number of characters you can enter in the login window, but not the registration window. Or restricting password length and cutting your password off, but not telling you about it, so you gotta figure out that they set the first 30 characters of the saved password as your password.
Always fun to deal with. I could make it a lot easier for me by just using shorter passwords, but I think deep down I’m a masochist.
The worst version of this I’ve ever seen is a site that enforced a password policy on the “current password” field on the “change password” interface. I had an existing password that violated their policy (either because they changed the policy or a technician created a “temporary” password for me, I forget), and I could not change it to a proper password because my current password would get rejected.
I have several password manager plugins installed on my browser, along with the built-in password managers in the browser and the OS itself, because I like seeing them all fight over the password field.
Typos is why I don’t make mine longer or more complicated.
Bitwarden inserts them automatically, and if I ever have to do it manually for some reason, it just doubles the fun. Hasn’t happened to me yet, though.
That strongly depends on whether you are allowed to copy and paste:-)
If I can’t paste my password I will almost always choose not to use the site, if I have the option. I can’t understand why they would prevent that.
https://gist.github.com/JeninaAngelin/d87c67e33f6dfda46fff723121cd622a
A good password wallet clears the clipboard after a timer expires.