2FA two step verification & the obsession with security
mansaxel:
--- Quote from: metebalci on February 14, 2022, 06:37:24 am ---
I wonder why you don't trust an online pass generator?
--- End quote ---
The risk analysis matrix becomes a lot bigger if you have to extend trust (however small) to the people who clean the room where the computer that hosts the logs from the password generation service lives. Ideally, one should do private key generation on a permanently offline system, and only export data on read-only media, preferably smart cards, which then are used as intended (not only as carriers, but using the compute on-card to sign data using the private key). Since doing that is a major ass-ache, I have settled for using a local random generator on my frequently patched computer, and then storing the passwords encrypted on local disk. I believe this is a trade-off that is reasonable in my situation.
richard.cs:
--- Quote from: dunkemhigh on February 13, 2022, 12:37:26 am ---
--- Quote ---
I'm more upset about rules for passwords, that is really getting out of hand.
--- End quote ---
No kidding. I have to use a system where the password must be >12 characters, contain letters, numbers, caps (but fortunately no punctuation, yet), and can't be one that's been used before. And you get forced to change it every 4 weeks. Sometimes I want to cry.
--- End quote ---
I had one a few weeks ago where it had some perverse combination of password requirements and didn't tell you what they were. It would also drop you back a couple of pages if it didn't like your password. It took me 10 minutes to construct a password it would eat, and I still have only a vague idea what the requirements actually are (something along the lines of 3 each of lowercase, uppercase, numbers and symbols, plus a minimum of around 16 characters and some rules around repeated characters).
JohanH:
The updated NIST guidelines are going in a sensible direction, with recommendations on reducing complexity, allowing Unicode characters and eliminating expiration: https://stealthbits.com/blog/nist-password-guidelines/ (random blog that explains the changes in the NIST guidelines). Now it will take a couple of decades for companies to follow the recommendations. Some seem to be stuck in the '90s. And HARD. With head in the sand.
madires:
--- Quote from: mansaxel on February 13, 2022, 09:11:16 pm ---
For all those things where MFA is not an option, a unique password is required. And since you now will have several hundred accounts (I just counted mine to 220) you need a password manager. And, since you need a password manager, a random password generator is now a sensible thing. Because you can forget the passwords, and therefore make them complex enough to be very expensive to crack.
--- End quote ---
I recommend using an offline password manager. They also include a password generator. Just choose the length and the character types. Very simple and effective. Most password managers support some sort of login automation - also very handy. And don't forget to back up the database and to place a cleartext copy in the safe.
JohanH:
--- Quote from: madires on February 14, 2022, 02:31:12 pm ---
I recommend using an offline password manager. They also include a password generator. Just choose the length and the character types. Very simple and effective. Most password managers support some sort of login automation - also very handy. And don't forget to back up the database and to place a cleartext copy in the safe.
--- End quote ---
I used Keepass variants for many years (on different devices and operating systems). I even used a terminal variant on Linux. Now I'm a bit lazy and have moved my private passwords to Bitwarden. It is open source and you can run your own instance. The only stupidity is that it doesn't support storing a full PGP private key (have to cut it in half due to size). For a 2FA application I use AndOTP. What is important is that it supports backup and export of codes, so that you can restore TOTP codes if your device fails.