Any company that still insists on forced password resets and frequent changes needs to learn about Social Engineering and Human Factors.
These are the same companies that don't support second factors, only have their app as a second factor, or only SMS second factor. Is it too much to ask for smart card or token (yubikey) support?
You are viewing a single comment
I hate that stuff. Also websites that have lots of specific conditions for what a password contains. You're just increasing the likelihood of me forgetting it.
I started using a password manager for a lot of my passwords. Works pretty well, it’ll generate criteria matching passwords for me. Also functions as a list of websites I’ve created accounts with.
Forgetting it?? All you have to do is scribble it on a little slip of paper in your top drawer like 90% of people do. Very secure.
Top drawer ! I think you it's still more secure than most of my colleagues. It's usually a post it on the monitor.
Post it on the monitor is for session password. For the 5 others, there is a txt file on the desktop!
And if you don't forget it, you'll use a simple one that's easy to guess or contains common substitutions, p@$$w0rd!. And then when you do forget it you'll call support who will reset it, and they get so many calls it will make taking over another account easier.
In case you haven't already seen it yet there's The Password Game to drive this point home
I don't think I've gotten past finding the correct length video. Getting that to work with everything else and keeping what's his face alive is just too much.
Use a password manager my guy
on a work computer?
You can use the manager on your phone to display the password you're having a hard time remembering sonyou can manually type it in, while still keeping it stored securely instead of just a plain text note on your phone.
You can also login to your password manager via web browser to copy/paste between it and login pages. Wouldn't be my choice, but it's an option. (not gonna enter my password vaults details on a work computer unless that vault only contains work logins.)
I don't trust them.
Even locally? https://keepassxc.org/ can be an option
I didn't either, so I self-host mine via vaultwarden. My passwords never leave my own systems (unless being used to login ofc), except for transit between my server and client devices. That is encrypted before storage or flight then wrapped in tls for https and again for a vpn connection (also self-hosted).