Long passwords

I combine the names of fourth tier alternative bands from the 90s.

My Sister’s Machine
Sister Machine Gun
Monster Voodoo Machine

My Sister’s Monster Voodoo Machine Gun

We use long gobbledygook passwords for all our accounts, save social media. Stuff that looks like a cat wandered across the keyboard. Social stuff is still non-words, but alphanumeric strings that have meaning to us and are easier to remember.

We save them in a password file on our computer, which is strongly encrypted (AES standard, with multiple passphrases required to decrypt). When traveling, we take this (and some other financial docs) with us, encrypted on both a laptop and a separate thumbdrive. Since we take long trips sometimes, it’s necessary to handle some stuff away from home.

When I was still working and had to keep up with a dozen-plus separate passwords, it was harder. I wasn’t allowed to store them, they changed every 6 weeks, and all the passwords (for each system) were required to be different. I used an “algorithm” in my head, along with a road atlas (put one at each location I was responsible for). Memorized a set of character strings which covered all the special/numeric/capitalized requirements and code-named them in my mind. Then used my memory of various vacations to “travel” along the routes on the road atlas. Using the special char strings either as prefix or suffix, I could derive the password at each place, even if I hadn’t visited in months (it was fairly easy to remember the last town I used). I could then leave a note somewhere that cryptically referred to the local password pre/suffix and trip, but wasn’t decodable by anyone but me (including security, if they found it).

Our office has something like thirty passwords for various things, all with different formatting requirements, some quite rigid like ‘only eight characters, no more, no less. And no repeats or sequentials. And one has to be capital. And one has to be a number.’
Of course you end up writing them down, as well as keeping a list of them in the laptop.

One of my co-workers had a bunch of bar code stickers on his desk for the various passwords, less two characters which were always the same. He’d scan the sticker and type in the final two characters.

This is called peppering, but if someone is aware of what you are doing, adding a couple of bytes is trivial to crack.

Vietnamese.

sp4KH.png (962×211) (imgur.com)

If you’re someone who regularly speaks, thinks, writes…and most importantly…types in Vietnamese, all those accents, umlauts, limacons, etc., will come rather effortlessly.

Do some password fields have a time limit which will time out if you don’t fill it fast enough?

I think the best method is like the best method of growing lush grass under trees: don’t.

I have, as it happens, 200 passwords in my password manager. Mostly I create them by stabbing blindly at my keyboard, on the letters, on the letters with the shift key down, on the number row, and on the number row with the shift down.

I’m actually waiting for the computer world to get its shit together and deliver some more reasonable approach, biometrics or something.

I haven’t encountered this yet. Your theory makes sense, but one other theory is that they don’t want you copying passwords onto your clipboard, where it gets stored and can later be retrieved by malware.

In Windows, it’s common to use CTRL+V to paste the most recent thing that was copied to the clipboard. But the clipboard actually stores a whole queue of the twenty most recent things you copied. You can access this with WIN+V. It’s a handy tool because you can pin copied items there if you need to paste them on a frequent basis. For example, I have a few different form emails that I send to people, and each of those emails is pinned to my clipboard for quick access.

Anyway, if you copy a password to your clipboard, it will stay up there until you’ve copied another twenty things and pushed your password off the bottom end. Some sites may be prohibiting the pasting of passwords in order to discourage you from putting your password on your clipboard every time you visit their site in the future.

It is a good thought, but if there is malware on your computer, then it is already game over.

Bitwarden, and possibly others, give the option to clear the clipboard after a short period of time. Having something secret is a potential vulnerability, but unless you’ve really messed up your browser settings, a random website is not able to read your clipboard, unless you actually paste to the site.

My understanding is mobile may be a bit different, with the foreground app able to read the clipboard. iOS, and maybe Android, I don’t remember, will show an alert like “Safari read from the clipboard” or something.

An interface that lets the password manager write directly into the username and password fields is much better. This works for me in the browser with the Bitwarden browser extension, and on mobile with the app. Pasting is a fallback option when either the website or app won’t accept the direct input.

“Passkey” is the current new approach. Instead of entering a password on a remote site, the remote site queries your passkey host, which connects to a device you have, and then makes you unlock your phone, or enter a password on your computer, or something. Once you’ve done that then the site you’re logging into is informed you are who you say you are, and it lets you in.

That is simplified to the point of probably being wrong, and there is fun cryptographic stuff going on so nobody can fake being your unlocked phone, and the passkey host can’t get in. There are also convenience features so you can use your authorized laptop to authorize your new phone, etc. It also should be vendor neutral, so you aren’t locked into using Google or someone, but can use any service that is able to provide the passkey service.

I created a passkey to sign into GitHub, and the passkey is stored in my personal Bitwarden server. When I go to login I click on sign-in with passkey, and my browser prompts me to enter my Bitwarden password, and then I’m logged into GitHub. Not really any harder than using the password manager, as it would just auto fill the password on GitHub, but it’s new, and exciting.

I think even more likely is that someone said “Let’s prevent copy and paste; that’ll improve security!”, without ever actually stopping and thinking about how it would improve security. It just seems like the sort of thing that would.

Agree with @Chronos; this is some moron’s idea of security.

Which might, 15 years ago, have gotten onto some “best practices” document that is passed around like some ancient papyrus scroll of god-given knowledge that must never be updated or examined critically.

I agree with this, with the exception that, based on the experience I mentioned above advocating modern security practices to our financial-institution clients, that list is likely to be 30 years old, with scribbled notes in the margin “refining and updating” the ancient principles.

I almost added something like this to my post. But I don’t think this will work, because the greedheads will fuck it all up. More and more passkey hosts will appear, and will diverge and become incompatible, and the plan will be that everyplace you sign into will be able to use every passkey host but this will quickly fall apart. Passkey hosts will become like the sites that now require separate authentication, more or less individual stepping stones into each destination site.

It won’t go all the way there. I think this is like browsers. We gradually accumulate more and more browsers, to deal with sites that don’t work well with whatever browsers we most use.

And it’s a little like those sites that post reviews of medical doctors. It must cost almost nothing to create a new site with doctor reviews. Around here, at least, there are more doctor review sites than there are doctors, and if you’re choosing between two individual doctors you won’t find a site that reviews both of them.

Or a bit like streaming services. There are so many of them that searching for content doesn’t really work within a streaming service, you have to search for the streaming service that hosts the content you want.

The longer I live in the United States, the more tired I get of the hustling ethos. There are the same numbers of people and entities creating goods or services, but increasingly populated layers of people and entities trying to insert themselves into the revenue stream between customers and those goods and services.

Anyone use a security key? I’m curious how that works.

I use security keys. They work very well when implemented correctly. I put in my pin for the key, tap the key, and I’m in.

Can’t be phished, and the bad folks would have to get the physical key.

I don’t see the different providers messing up passkeys. They’ve had TOTP included in countless authenticators and password managers for years with no issues.

Funny you describe it like that, because I use the same word, except I’m coming at it from the other direction, an American who relocated to Europe several years ago. People here ask me to describe how American culture is different, and I have settled on the answer: everything is a hustle.

And I agree with you that the hustle will screw up unified authentication if given the opportunity.

Since you specified remembering a long password, I figure a short one isn’t a problem.

I also figure you can type the short one twice.

I type mine three times for extra security.

:laughing:

And for discourse.