@RGB3x3@lemmy.world
link
fedilink
English
399M

The big brain move is going to reset your password, getting told you can’t use your current password when you type in a “new” one, then going back to the login screen to log in.

Big brain move is going to reset your password, seeing what their obscure password requirements are, then remembering your password and going back to the login screen to log in.

@RGB3x3@lemmy.world
link
fedilink
English
19M

I really wish sites with those stupid restricted complexity requirements would just say what they are on the login screen.

“We only allow ‘&#@!()’ because we don’t understand password security, you’re welcome.”

And have the password still not work.

@Omega_Haxors@lemmy.ml
link
fedilink
English
189M

Step 1) Activate 2-Factor authentication

Step 2) Authentication system fucks up

Step 3) Locked out of your own account

True story. x2

For any self-hosted services you use, run something like Authentik and configure all the apps to use it for auth via OIDC (OpenID Connect). Makes the experience a lot nicer, instead of every service having its own separate user system.

slazer2au
link
fedilink
English
29M

You still want a local account though. Learnt that the hard way.

Why? In case authentik goes down, so you can recover data? Or something else?

I am settting up authentik and other selfhosted services right now and my plan was for authentik to have all the accounts.

shastaxc
link
fedilink
29M

I use Keycloak at work. How does Authentik compare?

I’ve never tried Keycloak so I’m not sure, sorry.

One feature Authentik has that I don’t think Authelia nor Keycloak support is operating as an LDAP server. With Authelia at least, you have to run a separate LDAP server if you need LDAP. With Authentik, it’s built in.

shastaxc
link
fedilink
19M

I guess I’ll have to do the research myself. Ohh bother. I can tell you that Keycloak can use a postgresql db or ldap but it is not built in. I honestly really dislike LDAP though. It’s an old protocol that has terrible client support and the only real reason to use it imo is if you need to support really high number of users and traffic, like in the millions.

I don’t like it either, but there’s probably some apps that only support LDAP.

Color
link
fedilink
139M

Whenever I feel that my passwords are insecure, I offer them a few encouraging words.

This comment has big ‘i did a thing’ energy. Alex, is that you?

RBG
link
fedilink
79M

Hey, unrelated question, what’s the mother’s maiden name of your password?

Color
link
fedilink
59M

If I told you, then my password would be insecure. You see, that’s a sensitive case for them.

Ah yes, they’ll never obtain my password if not even I know it.

r00ty
link
fedilink
689M

It’s all good until you get into a dependency loop with your email account passwords needing resetting, that have the email from the other account that needs resetting :P

That’s easy, just create new accounts every time you login.

And everything is done in Tails.

Can’t one open multiple tabs open at once?

If you think about it the last option is a way to use login via 2fa

@Redacted@lemmy.world
link
fedilink
English
829M

Nah it’s just SFA with extra steps.

Magic link login with extra steps

This is more correct

But you only need one factor, access to your inbox?

Shit, are we getting to that point where all non-password logins are “2fa” like how all denial of services are “DDoS”

@neidu2@feddit.nl
link
fedilink
39
edit-2
9M

So it’s more like SSO authentication

SSO without 2FA

Unless your email has 2fa?

DacoTaco
link
fedilink
49M

Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!

… Its still a shit security design. Better to have username, pass and a security key hehe

Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?

DacoTaco
link
fedilink
19M

I think you got it wrong what i meant (?)
Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
Websites generally dont work this way, i know. But thats how id implement it :')

Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.

Sign a random string with your private key to be verified by a public key on server.

@4am@lemm.ee
link
fedilink
79M

You’re describing Passkeys/WebAuthN

teleprint-me
link
fedilink
English
3
edit-2
9M

Just need a password to sign now. 🥲

Use passkeys

One of each please.

deleted by creator

Forgot to add “Add a comma in your password, so if the all the user logins get leak, it will destroy the CSV file it gets uploaded to”.

Nailbar
link
fedilink
69M

Add a drop table statement to it while you’re at it

@OneBeer@lemm.ee
link
fedilink
English
79M

It won’t destroy the .csv file, but your (below standard) client might have issues reading it. That woman from The Office knows those are not the same thing.

We have the worst password policy I’ve ever dealt with at my current employer.

My employer software has us log in with just our password, no username. I don’t know exactly what’s going on in the backend but I know I don’t like it.

The highly regarded password policy of my last employer was one of the many things that pushed me over the edge and made me leave for greener pastures. I had to manage something like 9 different passwords, with the main one having changed to 16 chars min with all of the usual number/symbol/CAP requirements.

Create a new account every time?

Change password every day, and the required password length and complexity increases each time you change your password.

idunnololz
link
fedilink
239M

Password game irl

Bitwarden has a password generator that you can set criteria for, been really helpful with one of my janky logins

My bank has, for being a bank, very very bad character support. Best thing is, I’m basically gonna work for that bank.

Karyoplasma
link
fedilink
159M

For years my bank only allowed numerical passwords. The maximum length was 8.

They changed it somewhat recently.

me when my bank is less secure than a fucking door lock

One of the largest banks in Australia (Westpac) used to require passwords to be exactly 6 characters (no more, no less) and they were case insensitive. It also had a fun ‘denial of service’ attack built-in: If you got it wrong three times, it’d lock the account and force you to go to the bank to unlock it, meaning anyone that knew your bank username could lock you out of your account and cause some pretty big headaches. Fun.

In fact, I’m not sur whether they ever fixed this. Haven’t used their services in a long time.

But they had a strict lockout policy, right? Right?

I like the DocuSign model. Just focus on securing your one account (email) and then make all the others use it as single factor.

Until you get locked out of your email account and can no longer access anything. This happens all the time with freemail (Gmail, Hotmail, Yahoo, etc) accounts.

The contents of mails also shouldn’t be considered secure. I like the idea of doing proper SSO through an email provider though - for example, using OIDC (OpenID Connect).

@RedWeasel@lemmy.world
link
fedilink
English
159M

There is also use a password manager and reset the password everytime because the site blocks them and locks it out.

I have relatively long Passwords, because why not, and had problems with pages restricting the number of characters you can enter in the login window, but not the registration window. Or restricting password length and cutting your password off, but not telling you about it, so you gotta figure out that they set the first 30 characters of the saved password as your password.

Always fun to deal with. I could make it a lot easier for me by just using shorter passwords, but I think deep down I’m a masochist.

The worst version of this I’ve ever seen is a site that enforced a password policy on the “current password” field on the “change password” interface. I had an existing password that violated their policy (either because they changed the policy or a technician created a “temporary” password for me, I forget), and I could not change it to a proper password because my current password would get rejected.

I have several password manager plugins installed on my browser, along with the built-in password managers in the browser and the OS itself, because I like seeing them all fight over the password field.

I have relatively long Passwords, because why not

Typos is why I don’t make mine longer or more complicated.

Bitwarden inserts them automatically, and if I ever have to do it manually for some reason, it just doubles the fun. Hasn’t happened to me yet, though.

That strongly depends on whether you are allowed to copy and paste:-)

If I can’t paste my password I will almost always choose not to use the site, if I have the option. I can’t understand why they would prevent that.

teleprint-me
link
fedilink
English
1
edit-2
9M

https://gist.github.com/JeninaAngelin/d87c67e33f6dfda46fff723121cd622a

A good password wallet clears the clipboard after a timer expires.

Create a post

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

  • Posts must be relevant to programming, programmers, or computer science.
  • No NSFW content.
  • Jokes must be in good taste. No hate speech, bigotry, etc.
  • 1 user online
  • 50 users / day
  • 169 users / week
  • 442 users / month
  • 2.42K users / 6 months
  • 1 subscriber
  • 1.61K Posts
  • 35.6K Comments
  • Modlog