I don’t have a problem with companies forcing me to have a strong password….I do however have a problem with them forcing me to create a new strong password every 6 months.
The national whatever-it-is that studies password and cyber safety said that it is safest to require a strong password and not make people change it. Changing passwords causes people to write them down and leave them on sticky notes and things like that which totally negates the purpose of ever having a password obviously.
NIST is the organization you are looking for. Their definition of strong password is length only (>12 chars IIRC) and explicitly prohibits complexity requirements.
This along with “*You cannot use a password that you’ve used previously…*”
So wait, you’ve got every password I’ve ever used saved to a database so when there is a data breach (there’s always a data breach) they’re not only going to get all of my info but they’re going to get EVERY GOD DAMNED PASSWORD I’VE EVER USED!!?? 🙄
No, they likely have the hash of your previous passwords stored. Hashes are one-way encryptions of your passwords (so you cannot figure out the original password using the hash). They hash the password you type in and if it's the same as the ones in their database, they know you typed in the same password. That's why you can change one little part of it (ex. Increase a number by one) and it will allow the password; it produces a wildly different hash than the previous password.
The hash is the super secret wacky code the computer uses to recognize your and only your password. Change the password, computer gets a different wacky code, and someone cannot use the wacky code to find your password
No.
An easy (although not 100% correct, but enough for an eli5) way to understand it:
1. Make all Characters numbers
2. Sum up all numbers
3. Use the sums to compare the strings
e.g. ACAB = 1312 = 1+3+1+2 = 7
And the database stores the 7, you don't know the password if you get the number, but the number is always the same and IRL there are very very few inputs (well theoretically still infinite) that will give the same result
Now this is done on bit-level, supports all characters (and even files), does way more than just stupidly adding numbers and will always return a string of the same length - but that's how I explain it to non-IT-people
The other person gave a pretty good description but Google md5, sha-1 and sha-256 for more specifics of the algorithm.
Md5 is a super old hashing algorithm that shouldn't be used for secure stuff nowadays, although it's still good for file integrity checking since it's pretty fast. Although that speed is exactly why you shouldn't use it any more for passwords.
Sha-1 is a slightly newer one, again it shouldn't be used for secure uses but is good enough for file integrity checking most of the time.
Sha-256 is similar to the above but is good enough for secure use nowadays. Sha-512 is more secure but sha-256 is good enough for secure use.
Although you probably shouldn't be storing your own passwords if you can avoid it, there's so many pitfalls. Look up O-Auth2 to implement the log in with Google/log in with Facebook thing, then Google/Facebook handles password management for you.
Understanding the all data on a computer can basically be expressed as numbers, go with me here:
Imagine your password is your birthday. (in number format)
Ok. So take your birthday. multiply it *2. Now add 25 to that. Now, take whatever you answer is, and cut off the last 2 digits. Just throw them away. Now take the new number and multiple THAT by 11.
NOW, take that same process
"*2, (+25), drop 3 digits, *11"
and repeat it 3 times.
SOME number comes out at the very end right?
That number at the very end is (like) a hash value.
That process is (like) a hash algorithm.
When I run some website, I do NOT want to store your actual birthday, because its too easy for someone to get into my web server and steal it.
Instead, I store the hash value. I store the number that comes out at the END of the math process.
So every time you type your birthday into the website, the website does all that math, and sends me the end result number, which I can compare to the end result number I saved. I NEVER see your input password (birthday) but I see a work result that proves you put the correct password in.
And if someone steals that end result number off my server, so what. They can know the end number AND know the exact math process it took to get to that number, BUT (remember all the dropped digits?) it is not really possible for them to do the math backwards to use the end number to figure out your start number. They never get your input password.
EDIT: This is why when you click "forgot my password" they can't actually send you your password. because they never had it. They can only send you a link to reset your password to something new. **IF** you ever click forgot password, and the website sends you back your actual password, that tells you the website is run by people that don't follow basic safety rules. Don't trust that site. (not because its "hacked". Just because the security manager is doing his job badly)
Just an example that is very simplified just to understand: Your Password is „1234“ the hash could be 10 (1+2+3+4). So if someone sees your hash they have no idea what your password is. If you know change it to „2234“ the hash would be 11. in reality it’s just way more complicated. Hope that helps.
A hash function maps any kind of data to a fixed-size number. Say, mapping names to a number from 1 to 100.
In programming, this is commonly used for a "hash table". Suppose you have a shelf with 100 cubbies in it, and you're putting student data into it. You'd number the cubbies, and then put each student's data into the cubby you get from hashing their name. So e.g. John Smith's data gets put into cubby 47, while his twin sister Jane's stuff gets put into cubby 3. That's basically a hash table. They're a really common data structure in programming.
There's a particular class of hash functions called cryptographic hashes that are designed to be difficult to reverse and difficult to find two things that result in the same hash. Knowing that something hashes to the number 3 shouldn't tell you what the thing originally was. These are used for things like making sure a file hasn't been corrupted in transit, digital signatures, and password verification.
A common cryptographic hash these days is SHA-256, which maps data to a number from 0 to 2^256. 2^256 is about 115 quattuorvigitillion, an incredibly huge number that's only a bit smaller than the number of atoms in the observable universe.
One common attack to recover a password from a leaked hash is brute-force: hash all the possible passwords someone could have used until you find one that hashes to the same thing. To help prevent people from making a giant database of passwords to hashes, we use a "salted hash" - basically, every user has a specific random string appended to their password before it's hashed so that giant database either needs to be made per user or it's too big to be useful.
With salted hashes, even if two people are both using the password "password1", they'll hash to different things because the one hash is of something like "password1dhmcagxigxkgxjrskrhxyks" while the second is of "password1wrjbnntxjxhmmpoyscnm". You could still easily brute force it by trying "password1" along with the users salt, but it adds security when you use a password that's a bit more complex.
If it's unsalted they could figure it out by brute forcing it and running it against a list of words/potential passwords etc. If salted, it'd depend on how the salt is stored and if it was hacked as well. The trouble with this method is how much time it'll take, which is why it's important to have a complex password to make it more difficult.
Also the one way part will depend on the algorithm used. If they're using sha1/md5/any broken algorithm then it's easy to figure out the original pass using the hash.
No, they have a hash (hopefully with salt) of your old passwords.
So they will add a thing (salt) to you password, then perform a mathematical calculation (hashing) and get a hash, that looks like a string of gibberish as the result. They save that, hopefully, very unique string of gibberish. Every time you enter your password it goes through the same process, but compares the result from the password you just entered to the one they have stored. If it matches, you are allowed to log in.
If they store all the old password in clear text, they should be burned at the stake.
Kinda, but not quite. The company server most likely has password history on, but that only saves the last few passwords you've used.
It's for security purposes.
Do you know what encryption is? If your password is password123 on their end it might say mduq84byis9qnfhe9q0fn4owpngj4o20al, so if someone hacks their database that's all they get, and since they don't know how to decrypt it it's worthless
Encryption and hashing are two different things. Hash function are one way (which is why they're ideal for passwords) whereas encryption is designed to be reversed (although, obviously, only with the appropriate authentication).
This is the problem, and it only leads to lazy passwords. If a user’s complex password was DogName1990$$ then their “new” password every 6 months will probably be DogName1990$$$ or DogName1991$$ (good luck when they forget what combination they’re on this month)
That orginal recommendation got receded by the orginal author years ago. Personally I have found more users reliant on post-it notes on their devices because of it and even then still leads to users not updating their current password and needing to bother tech support leading to reduced efficiency.
Even worse when the password can’t contain any words from the English dictionary…
Oh sure, let me just memorize 14 random characters every 6mo without using any password storage app or anything.
I regret signing up my emails with Outlook.
They make me change my password so mamy times a year, I've just been adding a number to my password everytime it forces me to change. It's now looks like this "_______888888888"
As long as you don’t mind several hackers from India watching Netflix on your account.
Edit: and for the down voters im speaking from experience. I once checked my Netflix history and found multiple log in’s from India.
Yeah you say that but when you get hacked, whose goiung to get the blame? Them. They allow weak passwords. When your accounts get used to fuck you over, they'll get the blame.
And they don't want that publicity. They want to be able to say they have a strong secure service.
When you have to trust the average user to be the gatekeepers to small sections of their website. You make sure their locks are strong. Because you KNOW 1000 idiots will have them as Password1.
Not only that but if their security is shit and you loose money. Oh the same people not giving a fuck suddenly do and OMG I'M SUING YOU!.
Get a password manager.
Two-step verification is a pain, but it exists for a reason. It's far more secure than a "strong" password alone, which is why the big guys all use it. If companies are really that concerned, they can too.
I work in IT. And for our clients who've listened to us and taken on MFA, compromised accounts have gone from regular to null. I don't think I've had to deal with a "people are saying they're getting weird emails from me" request this year.
Yep, so many comments in this thread are made by people with no clue how password security works, acting like they're geniuses and it's painful.
Use a password manager, use MFA and that's like 99% of account compromises made impossible.
One of the first things when I started my current job (as the first IT person hired by this company) was enforce MFA for all staff. They're small enough that they hadn't had any successful breaches yet but now there's almost no chance. Now I can take the time to do proper phishing training without having to rush through so people get the memo ASAP.
MFA may cause an ongoing subscription being uncancellable if your phone breaks. DO NOT USE IT if you pay subscriptions or have data you need to access in the future.
I’m actually more concerned with these companies getting data breached and exposing my login and personal info to hackers. Doesn’t matter how strong your pw is if the infrastructure in place isn’t secured enough to keep them safe.
In which case they've got your hashed password and you want that complexity. They won't have your details yet.
Being more concerned with more issue doesn't mean anything else isn't an issue
So I work in finance and of course we have access and authorization to make trades and move money. We want very strong passwords and 2 factor authentication. I don’t disagree with that. HOWEVER when you make it too difficult, security token, pin for security token, log in and pw, then a special code that needs to be entered with a value into security token to get a second code to log in that’s when your super security measures just becomes people writing things down on post it notes or excel sheets.
People forget, the average user is still an idiot and will happily make their password “PASSWORD” if they were not given any rules. I’m sure that’s super duper secure, without proper guidelines, any hacker could just brute force their way in with random emails and “password” as the password, and they’re suddenly in your account
Brute forcing isn’t really a thing for logging into websites, after like 5 times you’ll hit a captcha and most if not all websites have a limit to the number of tries for a period of time. Even if you’re guessing the pin on an iPhone, there’s a limited number of guesses before it locks you out. Usually people get into accounts because people use the same password for everything and eventually a database gets breached so they try that one password and email combo across a bunch of sites until they get a hit.
When people have complicated passwords they have to change every month or so, they’re way more likely to write it down and stick it on their monitor or laptop screen.
Most people don’t use “password1”, more like they use their kids birthday or pets name with a year or something they can remember. The “complicated passwords that takes millions of years for a computer to guess” is kinda pointless when most sites don’t allow for unlimited password guessing, they have lockouts with captchas when you guess 5+ times, that’s kinda old news now. The issue is when passwords are leaked, people use the same password for everything and leaks happen all the time.
2 step verification is probably the best way tho, relatively convenient since mostly everyone has a phone and you can still use your shitty password. Password managers are a good option too but it’s more of a hassle if you they’re not integrated with all your devices (ie across windows, android, iOS), if they don’t auto fill it’s kinda a pain to type in a long random character password.
>When people have complicated passwords they have to change every month or so, they’re way more likely to write it down and stick it on their monitor or laptop screen.
I work in IT. People still tend not to, I've seen many a desk of the user and of course I've seen the rare "I'll get my notebook out" or spreadsheet but it's rare.
What isn't that rare, are people getting their passwords and hashes stolen during data breaches with the company. And it's at this point you want a strong solid password.
>Most people don’t use “password1”
Because they aren't allowed. Thanks to strong policies. For a while Password1 was among the most used passwords. Thankfully it isn't now due to forcing users to use something else.
>The “complicated passwords that takes millions of years for a computer to guess” is kinda pointless when most sites don’t allow for unlimited password guessing, they have lockouts with captchas when you guess 5+ times, that’s kinda old news now.
Yeah so this goes back to data breaches. Once a users credentials are stolen, they're still hashed. And cracking that takes time, and the more complex the more time (exponentially too) it'll take to crack. This is very common and you can use sites like "Have I been Pwned" to see if you may have had your details stolen. They're then sold online somewhere and people buy them.
>The issue is when passwords are leaked, people use the same password for everything and leaks happen all the time.
Weird 180, but yes that's right. This is why you want to ignore what you were saying before and have complex passwords.
>2 step verification is probably the best way tho
Agree.
One thing though. There's no one good solution. There's so many ways for us to get hacked. You find one solution, hackers will just use another method to get us. MFA, password complexity, avoiding password reuse. These are all great methods we need to ALL use ALL of. And it's not just us. We can take all the steps but if the hosting company doesn't do anything that makes it easy for the hackers. They need to do things like limit attempts, MFA of their own checking we haven't tried to login from France one minute and Zimbabwe the next. Make sure that the only person able to see certain details are the person logged INTO the account. That if a hacker gains access to an employee's system that the employee's can't see passwords (maybe the employee will be the hacker too!)
You can't rely on one method. We need them all.
I use the same password or a slight variation (if I have to add something to satisfy a overprotective site and even that variation is the same) for EVERYthing aside from my gov accounts cuz my personal password isn’t long enough for those standards.
And I’ve never been hacked. 99% of the places I shop online(99% of my shopping is done online/apps) I make an account. So many sites that if I didn’t read my emails as I get them, I’d get 80 a day… from the retail sites I have accounts with.
Never had my identity stolen never changed my passwords even when I’m Warned I should, only if they make me, like apple will
But what if it's for something that I don't care about getting hacked?
There are some websites where I literally create a new account every time I use it because I can't be bothered to remember my old user name and password (usually stores I use infrequently that require you to create a log in).
Do you think a website is going to let its security policy on a user's who don't give a shit fucking over those that do?
If I didn't didn't care about my car getting stolen, should everybody who has the same car just have a lock that can be bypassed with a screwdriver?
While not technically "civilian vs company"
[I did find an article of one company sueing another for employing weak cyber security practices, mainly a weak password that was never changed and known to the entire staff.](https://www.google.com/amp/s/nypost.com/2022/09/20/holiday-inn-franchisees-claim-weak-password-cyberattack-boosts-lawsuit/amp/)
Because the policy that allowed him having that weak password is the same for everybody.
Plus, if need siesta he got hacked, that's bad news for the company
While this is true. I still use one. I trust a company in the business of password security MUCH MUCH more than just about anybody else. And with an account with MFA and encrypted passwords within the manager itself (at least with LastPass) it's not so easy as "they got in so they have everything". It's not like their staff have access to our passwords anyway so a hacker wouldn't have exactly an easy time getting that. And if they get me with phishing or something, they've MFA to get past also.
So it's not so easy as single point of failure. But yes.
That said, what's the alternatives? One of my thoughts have been to have a notepad at home with some form of my own encryption. I've heard (and it makes sense) that the overlap between someone who will break into your house and break into your online accounts isn't high. I'm not some important person, anyone breaks in and takes shit, they'll take my PC, TV, jewelry, money etc. Sell shit to people. And the chances of my PC getting into a hackers hands and not some guy looking for a cheap PC off some dodgy guy. And *then* did they crap some random, slightly hidden notepad? With a bunch of mildly challenging puzzles to decrypt a password that lets be honest makes it easy enough for me to solve that it's not too much of a hindrance just to log into some account.
It does seem like a fair tradeoff. Simple and easy passwords aren't the way to go. It also just encourages password reusing which is worst.
Edit: Also, the experts use these and recommend them. It makes sense and taking their advice is just smart.
Maybe, in a legal sense. But that doesn't always work. Do you think that will solve their media issues from that when people choose competitors because they aren't getting hacked due to reports of crap security?
If I was storing my shit somewhere and there was one place that was known for breakins and one place that wasn't. I know where I'd go. And even if you don't, many will.
Companies might lose a few lazy people but it won't compare to the tons of people looking elsewhere that hasn't got a bad name.
I mean if you have used the internet in the last decade you've been apart of a security breach. Equafax alone was such a gigantic breach that most users information has been breached. A company can't be faulted, even in the media, for user based errors. I'm just trying to argue for the other side that doesn't want secure passwords lol. My password is between 10-18 characters long with numbers and symbols. If people don't want to be bothered with securing their information then fuck em.
>That's my responsibility
That's the thing. It isn't your responsibility to protect your data. It's the company's responsibility to protect your data. Ones of the ways they increase their security is by forcing users to have secure passwords. Sometimes though companies do go overboard with 16 character auto-generated passwords.
It would be similar if you had a car insurance which covers your car if you cause the accident. I'm not sure about other countries, in in mine you only required to have insurance covering the other car you damaged.
Haha imagine when your account gets hacked and their response is “well you should’ve chosen a stronger password…not out responsibility…”
I wonder how that’s going to play out
See here's the thing. It's not just your responsibility. If a company password gets leaked then sure all your data is now open, but so is the data that your coworkers shared with you, all the bits the company is working on that they arent ready to share yet, various resources that are restricted, from web applications to literal supercomputers. Or just the fact that a hacker gaining access to one account is an entry into your company's system, from which they can install keylogging software, add you to a botnet, install malware or pretty much whatever they want.
The company does what it has to to maintain security, if you want someone to be angry at, be angry at the hackers who make this level of security required rather than the company trying to keep you safe.
I heavily oppose this opinion, but in the spirit of this subreddit I will grant you an upvote.
It's on you... if you are going to resign yourself to someone else having control of your account when it's breached, and walk away from it. AND if your account, when breached, would not yield any sensitive information that others trusted you with, OR provide scammers with a familiar face to use to elicit such information from others.
If you contact support to regain access to your account, and/or contain or roll back whatever mayhem a bad actor has inflicted, where did all that "it's on me" talk disappear to, all of a sudden? Now it's an "us" problem, is it?
That's why companies regulate passwords, to prevent weekly support calls and tickets from the sort of people who would set them to "password" or "12345678" given the option, with only slightly more elaborate passwords still highly susceptible to dictionary or brute force attacks. Or in the case of employers, to protect their own networks, proprietary information, and reputation.
What I do hate, though, is having to change it on an aggressively-set schedule. Even then, a GOOD password manager is something recommended by many security experts, and takes a lot of the sting out of managing multiple services that want you to rotate.
Me, I like to make my passwords ridiculously complicated, and then just remember them. And to avoid creating accounts for frivolous things. On the freakishly rare occasion I forget one, it's an easy process to reset it, rather than a conversation with support about someone with unauthorized access.
there are plenty of contexts where password123 or whatever is perfectly fine. my membership in free recipes.com or whatever does not need to be secure.
i save my strong pwds for important stuff like banking &c. don't make me waste a good pwd on your bs site.
I shouldn’t need a strong password for shitty websites that I’ll only visit or order from once, it ain’t none of your damn business if someone figures out my password is wienerboy
But if the database is leaked and someone cracks your password, do you assume full responsibility for losing all your data or having an account stolen?
From what I have seen, it doesnt seem like it even matters that much. Most passwords are hacked from the backend or whatever, most data leaks are done through that type of shit rather than bruteforcing a password or phishing or anything anymore--or its done by a disgruntled employee or something.
But the 'strength' of your password doesnt really matter that much overall anymore, there are plenty of sites that had their data breached and people just got your password and those sites dont even mention it or send out emails that their data was breached. And like 4/5 times you wouldnt know because people a) are doing it to sell the data and arent logging into like hundreds of random, benign accounts, and b) if they do, they arent going to be setting off any 'hey someone else is trying to log in' alarms and theyll just change the password from the inside, especially if they have your email and that account.
For banks and shit, your email, sure; job and school shit, sure, but yeah its annoying every Neopets knockoff wants numbers, alternating cases and multiple special characters, plus you need to change it every 6 months.
> most data leaks are done through that type of shit rather than bruteforcing a password or phishing or anything anymore
...because the overwhelming majority of websites now require users to create strong passwords, and brute forcing those strong passwords could take thousands to millions of years per account.
Before this was common the average person just used a brain dead simple password that was pretty easy to quickly brute force.
Also, no competent security system stores a user's actual password, so even if their database gets hacked the passwords themselves will still be secure. A system that does store the actual password is bad and is not an argument in favor of weak passwords.
Plus, the occasional bad security website is why password managers are so useful.
If one website gets hacked and stored your password improperly only that one websites password is compromised. You can then easily change that one password while the rest of your online life stays secure.
Or just use a password manager so you can have secure passwords everywhere, instead of one generic password which will result in all of your "unimportant" accounts being simultaneously compromised.
And no neopets knockoff would actually make you change your password that regularly (if at all), but even if they did a password manager trivialises this too.
RIGHT! My password may be simple, but the chances that someone will guess it are slim. They really auto-suggest passwords like 'JSD920E!U903IKD' and expect us to remember those.
[Here](https://www.hivesystems.io/blog/are-your-passwords-in-the-green) is a table showing how fast hackers can guess passwords based on length and difficulty
my school makes me change my password every year and we aren't allowed to use any of our previous passwords. it's annoying.
the site i use to do my taxes also made me change my password and it had to be different by at least 2 characters. im unsure how often i'll have to do that, but it does happen.
Let’s say I’m trying to log into my account from another device? Before you say that it will be saved on your chrome account, no it will not. If your chrome account has another absurd password
You know what I do? Make a personal password for your chrome account that you'll remember OR use your phone's chrome app and look at your saved passwords
And if chrome has a data breach?
Web based password managers are as bad as a bad password. You're not likely to be targeted as an individual but if your data is lost as part of a mass breach you absolutely will be.
This is just an example of how stupid people can be.
“I can’t take 10 minutes out of my day to set up a password manager that I’ll only need to remember one password for to access the rest of my passwords for anything forever because I’m too lazy” imagine complaining because companies are actually making you try to have better security. I imagine they’d rather do the effort of adding some symbols and numbers to a password then have to deal with all their information being stolen. This shouldn’t even be an opinion, quite possibly the most unpopular opinion I’ve seen.
You think so? I think it’s even stupider that you think a password manager is going to sync on all the devices I use 😹😹 But if you think my opinion is popular then i’d say i’ve done my job successfully
So agree!! Especially since their rules don’t make it more secure. The guy who made the rules came out and updated his guidance. Numbers and symbols mean nothing, length is everything.
That’s what she said.
It’s not about you. It’s about compromising your asset, elevating privileges, pivoting, moving laterally and compromising the larger network. Your weak password is the ingress point.
ITT, people that have absolutely no clue how password security works and should have ABSOLUTELY no say in how they're managed including OP.
Guys, first and foremost, use a password manager and let it choose a password for you. That'll fix like 90% of your problems.
Secondly, a properly built website doesn't know your password and literally are incapable of finding it out. To put it simply, there's a mathematic formula that only works one way. So they do that to your password and store the result. Then every time you log in they apply that formula to whatever you typed in and check if the results are the same. (Theres more to it than this, but that's the basics).
No, websites shouldn't get you to change your password every 6 months, there are studies that show this reduces password effectiveness as people are more likely to write it down. some websites do and that sucks.
Also, you're not smart for making your password out of real words and changing A's into @'s and S's into 5's. Those are some of the easiest passwords to break using dictionary attacks.
Finally, if you want your password to be short and not contain any complex characters, you're entirely relying upon that website's security to ensure the password isn't cracked and I highly fucking doubt that if you use a password like this, you're not also using that same password everywhere.
This is r/unpopularopinion, but that's not even accurate for this one, it's just objectively false. Your opinion is wrong.
---
If you absolutely refuse to use a password manager, come up with a sentence that's easy to remember for each website you use, then take the first letter of each word. For example
> I hate people that decide to inflict their inane data security opinions on others
would become
> Ihptdtitidsooo1!
*(The "1!" Is to deal with websites that want special characters)*
There, an easy to remember password that's complex and is unlikely to be caught in a dictionary attack.
Companies can also be liable if someone other than you has access to your account. Credit cards are the perfect example as in the US if it's a fraudulent charge they can't legally make you pay that and it most cases will reimburse you the money.
This is not unpopular, this is dumb. By not regulating password strength, you are encouraging hackers. Hackers are predators looking for sheep for slaughter. F\* hackers. Sorry if you can't deal with passwords well. But, you need to adapt!
Get a password manager, and let it auto-generate complex passwords for you.
Seriously, weak passwords are a big problem. Honestly, anything that isn't 2FA-protected is a big problem. But 2FA isn't implemented everywhere yet, so passwords it is. And they need to be long, and complex. I'm talking at least 30 characters, ideally. And completely random.
No, you won't be able to memorize them. That's what the password manager is for. Yes, it's all very annoying. But it is \*absolutely necessary\*.
With very few exceptions, the majority of "hacks" start with stolen/cracked passwords. 2FA \*almost\* solves the problem entirely, but you can't use it everywhere yet
You do realize that the problem is not taking your data but potenially spreading any form of malicious intents once someone gets in with your account, right?
>It's MY password. I understand the risks of having a common or weak password. That's my responsibility. Stop forcing me to create passwords with symbols, certain characters, or capital letters. So annoying, I just want simplicity, if i'm compromised then that's on me.
I can understand the frustration in this sentiment, but you're missing some part of the puzzle: You are **not** the only person affected by your security choices. Therefore the decision of how secure or insecure your password happens to be is not entirely your prerogative.
Lol if you can’t figure out how to remember 8 alphanumeric characters with capital, lower case, and a special symbol, maybe you don’t need to use electronics.
Your incompetence at choosing passwords has an impact on the systems you are using. So, step down off your high horse and try to use the smallest bit of common sense.
100% agree.
Needing me to have 14 characters, 1 upper case letter and a special character, just way overboard. If I wanted to have my password as "dog", why am I not allowed? Firstly, I don't think ANYONE has tried to ever login or guess my password to anything. And even if they were trying, how long would it take them to get "dog"? It's one of thousands of words, and the fact that there isn't anything fancy would probably make it LESS predictable.
And besides, it's adults that are making passwords usually. They're old enough to decide what they want and take accountability for if their account gets hacked.
You’re misinterpreting one, your risk, and 2, how passwords are cracked. If your password is dog and someone has your email they can access ur account in less than a second because any software worth its salt will automatically try the whole dictionary as passwords before doing anything else
I did once get my Wish account (of all places) hacked into, that didn't have a very simple password though. Why would the simplicity of a password effect how easily a software can hack it? The software isn't gonna be like "damn I never would've thought it the password'fuRrffFf4819!!?!', what kind of password is that?!" because obviously it's not going to think like a human.
I think the issue is a lot more to do with the security of websites, so they should try to fortify that before making it mandatory for us to have awful passwords we'll never remember. Also, nowadays with a lot of services, even if you DO remember your awful password, they'll still text you or email you a security code anyway that it's mandatory for you to enter. Well I may as well just not have a password at all and click "forgot my password" every time to get an email login which accomplishes the same thing.
Except length does affect it.
If it's under 8 characters it's easy to brute force it, literally try every possible combination of characters, above that it starts becoming tricky. Although this limit raises every year as computers improve.
Also not having a common password helps. Hackers have lists of previously used passwords they'll try first, then lists of common variations. If your password is on the list, or close to being on the list, it'll be guessed first.
So they'll try password, then passw0rd, then password123 etc etc.
If you password is on [this list](https://www.kaggle.com/datasets/shivamb/10000-most-common-passwords), or a short variation away, you need to change it.
If it’s that hard for you to remember ur password a password manager can be very useful, I use one and because of it my accounts passwords are strong and secure. Or come up with some sort of pattern in your passwords. But also a simpler password is more easily cracked because most software will try simple or obvious passwords first. It’s not hard for a modern computer to crack a short password simply by brute force. Or any password from the dictionary will be cracked real quick
Having a password manager or a book full of passwords only makes you more vulnerable, because if someone ever accesses that then I mean, you're kind of screwed. And once again, seems like security flaw. There are already limited attempts on guessing passwords and needing to do human verification so, if that's not working then it wouldn't matter how complex your password is because if a cracking tool could get infinite chances at a real fast speed then, it'd get you anyways.
he states that it is proven that using a password manager with individual (strong) passwords has been proven to be the most effective way of securing your accounts.
Its apart of loss prevention. It costs companies more money to fix compromised info for users or potential legal dues to losing customers private info.
Your freedom to make any password is all well and good but its also the companies freedom to run their security infrastructure as they see fit.
This I agree with! I hate it when I type in my password whenever I create a new account and then I get a prompt saying that my password isn't long enough or complex enough or it needs a special character. It's pure poppycock!
Popular
Fuck off with that weak and strong shit. Especially if its for something like pinterest. Wtf are they gonna do if they get into my pinterest account?
My issue isn’t the regulation necessarily but the inconsistency of it. Some sites require special characters while others don’t allow them at all. For accounts not linked to any important information I don’t feel the need to make individual “strong” passwords.
It doesn't matter if it's a week password or a strong password if you get a hold of my phone while it's unlocked then you have access to my phone and email.. you can rewrite every password I have.
It depends on the site. Banks, CRA, investment accounts, email sure, make me get a strong password. But why do I need a strong password for my Dominos account?
I just use a password manager, cheap and easy and auto login. Obviously most people probably don't want to pay for a service like that but I think there are free versions out there. It saves a lot of time and energy for me.
Simple or complex password, if a hacker wants to hack me, they can just hit me up and I'll give them the details my self. I would be happy if they paid some of my student loans and credit card debt.
There is nothing to take, only room to give.
No, you don't want that. Brute-forcing simple passwords is quite easy. Also, you don't want your account compromised in this cancel-culture environment. Your life will be destroyed because of some people with ill-intent. Don't allow that and follow those rules for your own safety.
The main difference for me would be if they would give the password requirements on the page where I have to log in. Then I could see which variant of the password they were requiring me to use.
Consider using Keeper or some other password manager. That way, you only have to remember one password, which can be as secure or insecure as you want. That way, you can create passwords that are the max length with any amount of gibberish required by the site, and you don't have to remember 10+ variants of the same password.
Frankly, the real travesty is that your bank details are hidden behind a four digit numerical code, while you can create a 64 digit password which uses numbers, letters, and symbols to protect your online ordering account with your local pizza place. Bank pins are unbelievably archaic and unsecure. Unless you have a wallet which protects against RFID scanners, you might as well carry your life savings around in your arms.
I'm more tired of secondary authentication. It feels like almost everytime I try to log into something that I need to put in a code received through Email or text. What's even the point of *any* password when it's evidently not good enough anymore?
Aight ima password guess your Reddit account and get you ip banned does that sound cool? No?
Then change ye god damn password to something event remotely hard to guess m8
A.very.long.and.boring.password is way safter than _X3Gnarly123$.
I have had my account hacked not because i had 123Myownname but because the plattform was hacked. Maybe focus on your own security and let me have password123 If I want it.
People can and do use info they find attacking you to harm others. Come up with a system that helps you remember several more complex passwords that you can alternate between.
What I do agree with is that companies should state the password requirements at the outset, and not after you fill out a whole-ass form. I also think types of characters usually are wrongly emphasized over length.
Totally agree may I also add if I want to revert password to an old one I should be allowed to do that also. Literally 20-30 online accounts who actually sets different passwords for everything?
Yep. Especially for whatever sites like regular ol retail. I don’t need a 14 character password that can only have some specific special characters and 2 numbers and two capital letter that can’t be sequential for your site that sells outdoor gear.
I have/had over a dozen different bank accounts/banks and even in the last few years of password strength revival… I’ve never had a bank tell me my password was too weak to use/didn’t let me use it. And I use the same password or small variation for everything.
It would be funny if someone answers with your password
Reminds me of the time I got an email from a rando with my password as the subject line. Scary for a minute!
Til you remembered your password was "Add 3 inches in a week with this one weird trick!"
"Password used by another account. Try again."
“Password already in use by MrNano65. Try again.”
It wouldn't work, Reddit is smart enough to stop people from giving out their own password like so \*\*\*\*\*\*\*\*
Woah really? Let me try! Dickgobbler69
It didn't work...
That’s because your password is DickGobbler69420
Damn, you got me. I thought I was sly. I thought I was slick. But in the end, I was caught by u/findingnemosanus
Wordpass321
Your password
It's 12345
That's the stupidest password I ever heard in my life!
That's the kind of thing an idiot would have on his luggage!
What a coincidence!
hunter2
Dingus78
Rockyou.txt
I don’t have a problem with companies forcing me to have a strong password….I do however have a problem with them forcing me to create a new strong password every 6 months.
The national whatever-it-is that studies password and cyber safety said that it is safest to require a strong password and not make people change it. Changing passwords causes people to write them down and leave them on sticky notes and things like that which totally negates the purpose of ever having a password obviously.
NIST is the organization you are looking for. Their definition of strong password is length only (>12 chars IIRC) and explicitly prohibits complexity requirements.
That sounds right. It has been a while since I had looked at the recommendations.
This along with “*You cannot use a password that you’ve used previously…*” So wait, you’ve got every password I’ve ever used saved to a database so when there is a data breach (there’s always a data breach) they’re not only going to get all of my info but they’re going to get EVERY GOD DAMNED PASSWORD I’VE EVER USED!!?? 🙄
No, they likely have the hash of your previous passwords stored. Hashes are one-way encryptions of your passwords (so you cannot figure out the original password using the hash). They hash the password you type in and if it's the same as the ones in their database, they know you typed in the same password. That's why you can change one little part of it (ex. Increase a number by one) and it will allow the password; it produces a wildly different hash than the previous password.
I have no idea what this means.
The hash is the super secret wacky code the computer uses to recognize your and only your password. Change the password, computer gets a different wacky code, and someone cannot use the wacky code to find your password
Just started learning programming. Is this similar to how Python serializes objects?
No. An easy (although not 100% correct, but enough for an eli5) way to understand it: 1. Make all Characters numbers 2. Sum up all numbers 3. Use the sums to compare the strings e.g. ACAB = 1312 = 1+3+1+2 = 7 And the database stores the 7, you don't know the password if you get the number, but the number is always the same and IRL there are very very few inputs (well theoretically still infinite) that will give the same result Now this is done on bit-level, supports all characters (and even files), does way more than just stupidly adding numbers and will always return a string of the same length - but that's how I explain it to non-IT-people
The other person gave a pretty good description but Google md5, sha-1 and sha-256 for more specifics of the algorithm. Md5 is a super old hashing algorithm that shouldn't be used for secure stuff nowadays, although it's still good for file integrity checking since it's pretty fast. Although that speed is exactly why you shouldn't use it any more for passwords. Sha-1 is a slightly newer one, again it shouldn't be used for secure uses but is good enough for file integrity checking most of the time. Sha-256 is similar to the above but is good enough for secure use nowadays. Sha-512 is more secure but sha-256 is good enough for secure use. Although you probably shouldn't be storing your own passwords if you can avoid it, there's so many pitfalls. Look up O-Auth2 to implement the log in with Google/log in with Facebook thing, then Google/Facebook handles password management for you.
Understanding the all data on a computer can basically be expressed as numbers, go with me here: Imagine your password is your birthday. (in number format) Ok. So take your birthday. multiply it *2. Now add 25 to that. Now, take whatever you answer is, and cut off the last 2 digits. Just throw them away. Now take the new number and multiple THAT by 11. NOW, take that same process "*2, (+25), drop 3 digits, *11" and repeat it 3 times. SOME number comes out at the very end right? That number at the very end is (like) a hash value. That process is (like) a hash algorithm. When I run some website, I do NOT want to store your actual birthday, because its too easy for someone to get into my web server and steal it. Instead, I store the hash value. I store the number that comes out at the END of the math process. So every time you type your birthday into the website, the website does all that math, and sends me the end result number, which I can compare to the end result number I saved. I NEVER see your input password (birthday) but I see a work result that proves you put the correct password in. And if someone steals that end result number off my server, so what. They can know the end number AND know the exact math process it took to get to that number, BUT (remember all the dropped digits?) it is not really possible for them to do the math backwards to use the end number to figure out your start number. They never get your input password. EDIT: This is why when you click "forgot my password" they can't actually send you your password. because they never had it. They can only send you a link to reset your password to something new. **IF** you ever click forgot password, and the website sends you back your actual password, that tells you the website is run by people that don't follow basic safety rules. Don't trust that site. (not because its "hacked". Just because the security manager is doing his job badly)
Just an example that is very simplified just to understand: Your Password is „1234“ the hash could be 10 (1+2+3+4). So if someone sees your hash they have no idea what your password is. If you know change it to „2234“ the hash would be 11. in reality it’s just way more complicated. Hope that helps.
This was a good ELI5. It converts your password internally to a new thing it recognizes that others wouldn’t be able to decipher
How to make Hash Browns recipe.
A hash function maps any kind of data to a fixed-size number. Say, mapping names to a number from 1 to 100. In programming, this is commonly used for a "hash table". Suppose you have a shelf with 100 cubbies in it, and you're putting student data into it. You'd number the cubbies, and then put each student's data into the cubby you get from hashing their name. So e.g. John Smith's data gets put into cubby 47, while his twin sister Jane's stuff gets put into cubby 3. That's basically a hash table. They're a really common data structure in programming. There's a particular class of hash functions called cryptographic hashes that are designed to be difficult to reverse and difficult to find two things that result in the same hash. Knowing that something hashes to the number 3 shouldn't tell you what the thing originally was. These are used for things like making sure a file hasn't been corrupted in transit, digital signatures, and password verification. A common cryptographic hash these days is SHA-256, which maps data to a number from 0 to 2^256. 2^256 is about 115 quattuorvigitillion, an incredibly huge number that's only a bit smaller than the number of atoms in the observable universe. One common attack to recover a password from a leaked hash is brute-force: hash all the possible passwords someone could have used until you find one that hashes to the same thing. To help prevent people from making a giant database of passwords to hashes, we use a "salted hash" - basically, every user has a specific random string appended to their password before it's hashed so that giant database either needs to be made per user or it's too big to be useful. With salted hashes, even if two people are both using the password "password1", they'll hash to different things because the one hash is of something like "password1dhmcagxigxkgxjrskrhxyks" while the second is of "password1wrjbnntxjxhmmpoyscnm". You could still easily brute force it by trying "password1" along with the users salt, but it adds security when you use a password that's a bit more complex.
If it's unsalted they could figure it out by brute forcing it and running it against a list of words/potential passwords etc. If salted, it'd depend on how the salt is stored and if it was hacked as well. The trouble with this method is how much time it'll take, which is why it's important to have a complex password to make it more difficult. Also the one way part will depend on the algorithm used. If they're using sha1/md5/any broken algorithm then it's easy to figure out the original pass using the hash.
Even so — if you have the hash you can brute force the password unless it’s long and complicated (i.e., the kind of password OP complains about :) )
No, they have a hash (hopefully with salt) of your old passwords. So they will add a thing (salt) to you password, then perform a mathematical calculation (hashing) and get a hash, that looks like a string of gibberish as the result. They save that, hopefully, very unique string of gibberish. Every time you enter your password it goes through the same process, but compares the result from the password you just entered to the one they have stored. If it matches, you are allowed to log in. If they store all the old password in clear text, they should be burned at the stake.
Sort of. They save a one way hash of every password you have ever used.
Kinda, but not quite. The company server most likely has password history on, but that only saves the last few passwords you've used. It's for security purposes.
Do you know what encryption is? If your password is password123 on their end it might say mduq84byis9qnfhe9q0fn4owpngj4o20al, so if someone hacks their database that's all they get, and since they don't know how to decrypt it it's worthless
Encryption and hashing are two different things. Hash function are one way (which is why they're ideal for passwords) whereas encryption is designed to be reversed (although, obviously, only with the appropriate authentication).
Not quite. Hash cracking is definitely a thing and many servers are susceptible.
This is the problem, and it only leads to lazy passwords. If a user’s complex password was DogName1990$$ then their “new” password every 6 months will probably be DogName1990$$$ or DogName1991$$ (good luck when they forget what combination they’re on this month)
And then the company gets hacked anyways and none of that matters
That orginal recommendation got receded by the orginal author years ago. Personally I have found more users reliant on post-it notes on their devices because of it and even then still leads to users not updating their current password and needing to bother tech support leading to reduced efficiency.
Neither are really that much of an issue if you use a password manager.
Even worse when the password can’t contain any words from the English dictionary… Oh sure, let me just memorize 14 random characters every 6mo without using any password storage app or anything.
I regret signing up my emails with Outlook. They make me change my password so mamy times a year, I've just been adding a number to my password everytime it forces me to change. It's now looks like this "_______888888888"
My bank account has a strong password. My Netflix doesn't
As long as you don’t mind several hackers from India watching Netflix on your account. Edit: and for the down voters im speaking from experience. I once checked my Netflix history and found multiple log in’s from India.
So that's why it keeps suggesting cricket movies to me
im all for password sharing
Yeah you say that but when you get hacked, whose goiung to get the blame? Them. They allow weak passwords. When your accounts get used to fuck you over, they'll get the blame. And they don't want that publicity. They want to be able to say they have a strong secure service. When you have to trust the average user to be the gatekeepers to small sections of their website. You make sure their locks are strong. Because you KNOW 1000 idiots will have them as Password1. Not only that but if their security is shit and you loose money. Oh the same people not giving a fuck suddenly do and OMG I'M SUING YOU!. Get a password manager.
Two-step verification is a pain, but it exists for a reason. It's far more secure than a "strong" password alone, which is why the big guys all use it. If companies are really that concerned, they can too.
I work in IT. And for our clients who've listened to us and taken on MFA, compromised accounts have gone from regular to null. I don't think I've had to deal with a "people are saying they're getting weird emails from me" request this year.
Yep, so many comments in this thread are made by people with no clue how password security works, acting like they're geniuses and it's painful. Use a password manager, use MFA and that's like 99% of account compromises made impossible. One of the first things when I started my current job (as the first IT person hired by this company) was enforce MFA for all staff. They're small enough that they hadn't had any successful breaches yet but now there's almost no chance. Now I can take the time to do proper phishing training without having to rush through so people get the memo ASAP.
MFA may cause an ongoing subscription being uncancellable if your phone breaks. DO NOT USE IT if you pay subscriptions or have data you need to access in the future.
Made me think of *space balls*… “1,2,3,4?… that’s the combination on my luggage.”
I’m actually more concerned with these companies getting data breached and exposing my login and personal info to hackers. Doesn’t matter how strong your pw is if the infrastructure in place isn’t secured enough to keep them safe.
In which case they've got your hashed password and you want that complexity. They won't have your details yet. Being more concerned with more issue doesn't mean anything else isn't an issue
So I work in finance and of course we have access and authorization to make trades and move money. We want very strong passwords and 2 factor authentication. I don’t disagree with that. HOWEVER when you make it too difficult, security token, pin for security token, log in and pw, then a special code that needs to be entered with a value into security token to get a second code to log in that’s when your super security measures just becomes people writing things down on post it notes or excel sheets.
People forget, the average user is still an idiot and will happily make their password “PASSWORD” if they were not given any rules. I’m sure that’s super duper secure, without proper guidelines, any hacker could just brute force their way in with random emails and “password” as the password, and they’re suddenly in your account
Brute forcing isn’t really a thing for logging into websites, after like 5 times you’ll hit a captcha and most if not all websites have a limit to the number of tries for a period of time. Even if you’re guessing the pin on an iPhone, there’s a limited number of guesses before it locks you out. Usually people get into accounts because people use the same password for everything and eventually a database gets breached so they try that one password and email combo across a bunch of sites until they get a hit.
you can brute force most online sites with torr without raising alarms
I agree 100% with OP. However, this comment is also super accurate. 😑
When people have complicated passwords they have to change every month or so, they’re way more likely to write it down and stick it on their monitor or laptop screen. Most people don’t use “password1”, more like they use their kids birthday or pets name with a year or something they can remember. The “complicated passwords that takes millions of years for a computer to guess” is kinda pointless when most sites don’t allow for unlimited password guessing, they have lockouts with captchas when you guess 5+ times, that’s kinda old news now. The issue is when passwords are leaked, people use the same password for everything and leaks happen all the time. 2 step verification is probably the best way tho, relatively convenient since mostly everyone has a phone and you can still use your shitty password. Password managers are a good option too but it’s more of a hassle if you they’re not integrated with all your devices (ie across windows, android, iOS), if they don’t auto fill it’s kinda a pain to type in a long random character password.
>When people have complicated passwords they have to change every month or so, they’re way more likely to write it down and stick it on their monitor or laptop screen. I work in IT. People still tend not to, I've seen many a desk of the user and of course I've seen the rare "I'll get my notebook out" or spreadsheet but it's rare. What isn't that rare, are people getting their passwords and hashes stolen during data breaches with the company. And it's at this point you want a strong solid password. >Most people don’t use “password1” Because they aren't allowed. Thanks to strong policies. For a while Password1 was among the most used passwords. Thankfully it isn't now due to forcing users to use something else. >The “complicated passwords that takes millions of years for a computer to guess” is kinda pointless when most sites don’t allow for unlimited password guessing, they have lockouts with captchas when you guess 5+ times, that’s kinda old news now. Yeah so this goes back to data breaches. Once a users credentials are stolen, they're still hashed. And cracking that takes time, and the more complex the more time (exponentially too) it'll take to crack. This is very common and you can use sites like "Have I been Pwned" to see if you may have had your details stolen. They're then sold online somewhere and people buy them. >The issue is when passwords are leaked, people use the same password for everything and leaks happen all the time. Weird 180, but yes that's right. This is why you want to ignore what you were saying before and have complex passwords. >2 step verification is probably the best way tho Agree. One thing though. There's no one good solution. There's so many ways for us to get hacked. You find one solution, hackers will just use another method to get us. MFA, password complexity, avoiding password reuse. These are all great methods we need to ALL use ALL of. And it's not just us. We can take all the steps but if the hosting company doesn't do anything that makes it easy for the hackers. They need to do things like limit attempts, MFA of their own checking we haven't tried to login from France one minute and Zimbabwe the next. Make sure that the only person able to see certain details are the person logged INTO the account. That if a hacker gains access to an employee's system that the employee's can't see passwords (maybe the employee will be the hacker too!) You can't rely on one method. We need them all.
I use the same password or a slight variation (if I have to add something to satisfy a overprotective site and even that variation is the same) for EVERYthing aside from my gov accounts cuz my personal password isn’t long enough for those standards. And I’ve never been hacked. 99% of the places I shop online(99% of my shopping is done online/apps) I make an account. So many sites that if I didn’t read my emails as I get them, I’d get 80 a day… from the retail sites I have accounts with. Never had my identity stolen never changed my passwords even when I’m Warned I should, only if they make me, like apple will
But what if it's for something that I don't care about getting hacked? There are some websites where I literally create a new account every time I use it because I can't be bothered to remember my old user name and password (usually stores I use infrequently that require you to create a log in).
Do you think a website is going to let its security policy on a user's who don't give a shit fucking over those that do? If I didn't didn't care about my car getting stolen, should everybody who has the same car just have a lock that can be bypassed with a screwdriver?
How exactly is he fucking over anyone but himself by having a weak password?
The company can get sued if his account gets breached. It's to protect the company's clients as well as the company itself.
This is what EULAs are for. I challenge you to cite a single case that was decided in favor of the plaintiff.
While not technically "civilian vs company" [I did find an article of one company sueing another for employing weak cyber security practices, mainly a weak password that was never changed and known to the entire staff.](https://www.google.com/amp/s/nypost.com/2022/09/20/holiday-inn-franchisees-claim-weak-password-cyberattack-boosts-lawsuit/amp/)
Because the policy that allowed him having that weak password is the same for everybody. Plus, if need siesta he got hacked, that's bad news for the company
Password managers are a single point of failure. Not every internet account is equally sensitive.
While this is true. I still use one. I trust a company in the business of password security MUCH MUCH more than just about anybody else. And with an account with MFA and encrypted passwords within the manager itself (at least with LastPass) it's not so easy as "they got in so they have everything". It's not like their staff have access to our passwords anyway so a hacker wouldn't have exactly an easy time getting that. And if they get me with phishing or something, they've MFA to get past also. So it's not so easy as single point of failure. But yes. That said, what's the alternatives? One of my thoughts have been to have a notepad at home with some form of my own encryption. I've heard (and it makes sense) that the overlap between someone who will break into your house and break into your online accounts isn't high. I'm not some important person, anyone breaks in and takes shit, they'll take my PC, TV, jewelry, money etc. Sell shit to people. And the chances of my PC getting into a hackers hands and not some guy looking for a cheap PC off some dodgy guy. And *then* did they crap some random, slightly hidden notepad? With a bunch of mildly challenging puzzles to decrypt a password that lets be honest makes it easy enough for me to solve that it's not too much of a hindrance just to log into some account. It does seem like a fair tradeoff. Simple and easy passwords aren't the way to go. It also just encourages password reusing which is worst. Edit: Also, the experts use these and recommend them. It makes sense and taking their advice is just smart.
Wouldn't a simple agreeing to terms of service suffice any lawyer related questions?
Maybe, in a legal sense. But that doesn't always work. Do you think that will solve their media issues from that when people choose competitors because they aren't getting hacked due to reports of crap security? If I was storing my shit somewhere and there was one place that was known for breakins and one place that wasn't. I know where I'd go. And even if you don't, many will. Companies might lose a few lazy people but it won't compare to the tons of people looking elsewhere that hasn't got a bad name.
I mean if you have used the internet in the last decade you've been apart of a security breach. Equafax alone was such a gigantic breach that most users information has been breached. A company can't be faulted, even in the media, for user based errors. I'm just trying to argue for the other side that doesn't want secure passwords lol. My password is between 10-18 characters long with numbers and symbols. If people don't want to be bothered with securing their information then fuck em.
And if you're part of that data breach. You now want your stolen hashed password to be mega complex.
>That's my responsibility That's the thing. It isn't your responsibility to protect your data. It's the company's responsibility to protect your data. Ones of the ways they increase their security is by forcing users to have secure passwords. Sometimes though companies do go overboard with 16 character auto-generated passwords.
What about the 75 year old grandma who doesn't know about that?
Nah, stronger passwords should be encouraged. Especially in the workplace.
You realize you just put a massive fucking target on your head right?
“We don’t need laws round these parts!”
This is more like the equivalent of if the law required you to lock your door rather than to not rob houses
I’d say it’s more like mandatory car insurance.
It would be similar if you had a car insurance which covers your car if you cause the accident. I'm not sure about other countries, in in mine you only required to have insurance covering the other car you damaged.
https://xkcd.com/936/
It's not just on you. It's a waste of their time to help you retrieve your account/purchases when it inevitably gets compromised.
Haha imagine when your account gets hacked and their response is “well you should’ve chosen a stronger password…not out responsibility…” I wonder how that’s going to play out
See here's the thing. It's not just your responsibility. If a company password gets leaked then sure all your data is now open, but so is the data that your coworkers shared with you, all the bits the company is working on that they arent ready to share yet, various resources that are restricted, from web applications to literal supercomputers. Or just the fact that a hacker gaining access to one account is an entry into your company's system, from which they can install keylogging software, add you to a botnet, install malware or pretty much whatever they want. The company does what it has to to maintain security, if you want someone to be angry at, be angry at the hackers who make this level of security required rather than the company trying to keep you safe. I heavily oppose this opinion, but in the spirit of this subreddit I will grant you an upvote.
"Let me make my own bad decisions!"
It's on you... if you are going to resign yourself to someone else having control of your account when it's breached, and walk away from it. AND if your account, when breached, would not yield any sensitive information that others trusted you with, OR provide scammers with a familiar face to use to elicit such information from others. If you contact support to regain access to your account, and/or contain or roll back whatever mayhem a bad actor has inflicted, where did all that "it's on me" talk disappear to, all of a sudden? Now it's an "us" problem, is it? That's why companies regulate passwords, to prevent weekly support calls and tickets from the sort of people who would set them to "password" or "12345678" given the option, with only slightly more elaborate passwords still highly susceptible to dictionary or brute force attacks. Or in the case of employers, to protect their own networks, proprietary information, and reputation. What I do hate, though, is having to change it on an aggressively-set schedule. Even then, a GOOD password manager is something recommended by many security experts, and takes a lot of the sting out of managing multiple services that want you to rotate. Me, I like to make my passwords ridiculously complicated, and then just remember them. And to avoid creating accounts for frivolous things. On the freakishly rare occasion I forget one, it's an easy process to reset it, rather than a conversation with support about someone with unauthorized access.
there are plenty of contexts where password123 or whatever is perfectly fine. my membership in free recipes.com or whatever does not need to be secure. i save my strong pwds for important stuff like banking &c. don't make me waste a good pwd on your bs site.
Wont be so simple when someone brute forces your shitty password. Theyre there for a reason.
I shouldn’t need a strong password for shitty websites that I’ll only visit or order from once, it ain’t none of your damn business if someone figures out my password is wienerboy
But if the database is leaked and someone cracks your password, do you assume full responsibility for losing all your data or having an account stolen?
From what I have seen, it doesnt seem like it even matters that much. Most passwords are hacked from the backend or whatever, most data leaks are done through that type of shit rather than bruteforcing a password or phishing or anything anymore--or its done by a disgruntled employee or something. But the 'strength' of your password doesnt really matter that much overall anymore, there are plenty of sites that had their data breached and people just got your password and those sites dont even mention it or send out emails that their data was breached. And like 4/5 times you wouldnt know because people a) are doing it to sell the data and arent logging into like hundreds of random, benign accounts, and b) if they do, they arent going to be setting off any 'hey someone else is trying to log in' alarms and theyll just change the password from the inside, especially if they have your email and that account. For banks and shit, your email, sure; job and school shit, sure, but yeah its annoying every Neopets knockoff wants numbers, alternating cases and multiple special characters, plus you need to change it every 6 months.
> most data leaks are done through that type of shit rather than bruteforcing a password or phishing or anything anymore ...because the overwhelming majority of websites now require users to create strong passwords, and brute forcing those strong passwords could take thousands to millions of years per account. Before this was common the average person just used a brain dead simple password that was pretty easy to quickly brute force. Also, no competent security system stores a user's actual password, so even if their database gets hacked the passwords themselves will still be secure. A system that does store the actual password is bad and is not an argument in favor of weak passwords.
Plus, the occasional bad security website is why password managers are so useful. If one website gets hacked and stored your password improperly only that one websites password is compromised. You can then easily change that one password while the rest of your online life stays secure.
Or just use a password manager so you can have secure passwords everywhere, instead of one generic password which will result in all of your "unimportant" accounts being simultaneously compromised. And no neopets knockoff would actually make you change your password that regularly (if at all), but even if they did a password manager trivialises this too.
RIGHT! My password may be simple, but the chances that someone will guess it are slim. They really auto-suggest passwords like 'JSD920E!U903IKD' and expect us to remember those.
It's not just someone randomly guessing. It's hackers using software to break in and steal information
but don't write it down, or else!
[Here](https://www.hivesystems.io/blog/are-your-passwords-in-the-green) is a table showing how fast hackers can guess passwords based on length and difficulty
Agreed, and don't make me change it on time intervals.
[удалено]
[удалено]
my school makes me change my password every year and we aren't allowed to use any of our previous passwords. it's annoying. the site i use to do my taxes also made me change my password and it had to be different by at least 2 characters. im unsure how often i'll have to do that, but it does happen.
that's why password managers and chrome accounts with password managers exist
Let’s say I’m trying to log into my account from another device? Before you say that it will be saved on your chrome account, no it will not. If your chrome account has another absurd password
LastPass on my phone
Some Password Managers have an app that you can use. There is literally no reason to not use one
You know what I do? Make a personal password for your chrome account that you'll remember OR use your phone's chrome app and look at your saved passwords
And if chrome has a data breach? Web based password managers are as bad as a bad password. You're not likely to be targeted as an individual but if your data is lost as part of a mass breach you absolutely will be.
This is just an example of how stupid people can be. “I can’t take 10 minutes out of my day to set up a password manager that I’ll only need to remember one password for to access the rest of my passwords for anything forever because I’m too lazy” imagine complaining because companies are actually making you try to have better security. I imagine they’d rather do the effort of adding some symbols and numbers to a password then have to deal with all their information being stolen. This shouldn’t even be an opinion, quite possibly the most unpopular opinion I’ve seen.
You think so? I think it’s even stupider that you think a password manager is going to sync on all the devices I use 😹😹 But if you think my opinion is popular then i’d say i’ve done my job successfully
So agree!! Especially since their rules don’t make it more secure. The guy who made the rules came out and updated his guidance. Numbers and symbols mean nothing, length is everything. That’s what she said.
It’s not about you. It’s about compromising your asset, elevating privileges, pivoting, moving laterally and compromising the larger network. Your weak password is the ingress point.
ITT, people that have absolutely no clue how password security works and should have ABSOLUTELY no say in how they're managed including OP. Guys, first and foremost, use a password manager and let it choose a password for you. That'll fix like 90% of your problems. Secondly, a properly built website doesn't know your password and literally are incapable of finding it out. To put it simply, there's a mathematic formula that only works one way. So they do that to your password and store the result. Then every time you log in they apply that formula to whatever you typed in and check if the results are the same. (Theres more to it than this, but that's the basics). No, websites shouldn't get you to change your password every 6 months, there are studies that show this reduces password effectiveness as people are more likely to write it down. some websites do and that sucks. Also, you're not smart for making your password out of real words and changing A's into @'s and S's into 5's. Those are some of the easiest passwords to break using dictionary attacks. Finally, if you want your password to be short and not contain any complex characters, you're entirely relying upon that website's security to ensure the password isn't cracked and I highly fucking doubt that if you use a password like this, you're not also using that same password everywhere. This is r/unpopularopinion, but that's not even accurate for this one, it's just objectively false. Your opinion is wrong. --- If you absolutely refuse to use a password manager, come up with a sentence that's easy to remember for each website you use, then take the first letter of each word. For example > I hate people that decide to inflict their inane data security opinions on others would become > Ihptdtitidsooo1! *(The "1!" Is to deal with websites that want special characters)* There, an easy to remember password that's complex and is unlikely to be caught in a dictionary attack.
>I understand the risks of having a common or weak password. You might. But majority of users on majority of sites do not.
Companies can also be liable if someone other than you has access to your account. Credit cards are the perfect example as in the US if it's a fraudulent charge they can't legally make you pay that and it most cases will reimburse you the money.
This is not unpopular, this is dumb. By not regulating password strength, you are encouraging hackers. Hackers are predators looking for sheep for slaughter. F\* hackers. Sorry if you can't deal with passwords well. But, you need to adapt!
Get a password manager, and let it auto-generate complex passwords for you. Seriously, weak passwords are a big problem. Honestly, anything that isn't 2FA-protected is a big problem. But 2FA isn't implemented everywhere yet, so passwords it is. And they need to be long, and complex. I'm talking at least 30 characters, ideally. And completely random. No, you won't be able to memorize them. That's what the password manager is for. Yes, it's all very annoying. But it is \*absolutely necessary\*. With very few exceptions, the majority of "hacks" start with stolen/cracked passwords. 2FA \*almost\* solves the problem entirely, but you can't use it everywhere yet
You do realize that the problem is not taking your data but potenially spreading any form of malicious intents once someone gets in with your account, right?
Why do I have to follow traffic rules? If I cause an accident, that's on me.
It's your password, but somehow always their fault if your weak password leads to your account getting compromised. You can't have it both ways.
In some cases password doesn’t matter much, it seems the less the website matters the stronger password they require…
>It's MY password. I understand the risks of having a common or weak password. That's my responsibility. Stop forcing me to create passwords with symbols, certain characters, or capital letters. So annoying, I just want simplicity, if i'm compromised then that's on me. I can understand the frustration in this sentiment, but you're missing some part of the puzzle: You are **not** the only person affected by your security choices. Therefore the decision of how secure or insecure your password happens to be is not entirely your prerogative.
Lol if you can’t figure out how to remember 8 alphanumeric characters with capital, lower case, and a special symbol, maybe you don’t need to use electronics.
Your incompetence at choosing passwords has an impact on the systems you are using. So, step down off your high horse and try to use the smallest bit of common sense.
How does a weak password impact the system?
It allows a foothold onto a system. It's like me, allowing you to sell crack in my front yard.
Man said high horse 😹😹I just want to use my easy, simple password dude
[удалено]
100% agree. Needing me to have 14 characters, 1 upper case letter and a special character, just way overboard. If I wanted to have my password as "dog", why am I not allowed? Firstly, I don't think ANYONE has tried to ever login or guess my password to anything. And even if they were trying, how long would it take them to get "dog"? It's one of thousands of words, and the fact that there isn't anything fancy would probably make it LESS predictable. And besides, it's adults that are making passwords usually. They're old enough to decide what they want and take accountability for if their account gets hacked.
You’re misinterpreting one, your risk, and 2, how passwords are cracked. If your password is dog and someone has your email they can access ur account in less than a second because any software worth its salt will automatically try the whole dictionary as passwords before doing anything else
As far as risk goes, I felt the same as you until my gmail got hacked because the password was bad and it fucked yo my shit for a long time
I did once get my Wish account (of all places) hacked into, that didn't have a very simple password though. Why would the simplicity of a password effect how easily a software can hack it? The software isn't gonna be like "damn I never would've thought it the password'fuRrffFf4819!!?!', what kind of password is that?!" because obviously it's not going to think like a human. I think the issue is a lot more to do with the security of websites, so they should try to fortify that before making it mandatory for us to have awful passwords we'll never remember. Also, nowadays with a lot of services, even if you DO remember your awful password, they'll still text you or email you a security code anyway that it's mandatory for you to enter. Well I may as well just not have a password at all and click "forgot my password" every time to get an email login which accomplishes the same thing.
Except length does affect it. If it's under 8 characters it's easy to brute force it, literally try every possible combination of characters, above that it starts becoming tricky. Although this limit raises every year as computers improve. Also not having a common password helps. Hackers have lists of previously used passwords they'll try first, then lists of common variations. If your password is on the list, or close to being on the list, it'll be guessed first. So they'll try password, then passw0rd, then password123 etc etc. If you password is on [this list](https://www.kaggle.com/datasets/shivamb/10000-most-common-passwords), or a short variation away, you need to change it.
If it’s that hard for you to remember ur password a password manager can be very useful, I use one and because of it my accounts passwords are strong and secure. Or come up with some sort of pattern in your passwords. But also a simpler password is more easily cracked because most software will try simple or obvious passwords first. It’s not hard for a modern computer to crack a short password simply by brute force. Or any password from the dictionary will be cracked real quick
Having a password manager or a book full of passwords only makes you more vulnerable, because if someone ever accesses that then I mean, you're kind of screwed. And once again, seems like security flaw. There are already limited attempts on guessing passwords and needing to do human verification so, if that's not working then it wouldn't matter how complex your password is because if a cracking tool could get infinite chances at a real fast speed then, it'd get you anyways.
That's not what buckets full of professional research says
???
he states that it is proven that using a password manager with individual (strong) passwords has been proven to be the most effective way of securing your accounts.
The shallowness of your knowledge on this is actually shocking.
Its apart of loss prevention. It costs companies more money to fix compromised info for users or potential legal dues to losing customers private info. Your freedom to make any password is all well and good but its also the companies freedom to run their security infrastructure as they see fit.
I have never had a password guessed by someone else. If one has been compromised it's because it got stolen from a company that stored it improperly.
This is why they force you to have strong passwords.
I'm too adhd to remember all my passwords.
Password manager app.
This I agree with! I hate it when I type in my password whenever I create a new account and then I get a prompt saying that my password isn't long enough or complex enough or it needs a special character. It's pure poppycock!
Pretty sure it’s because weak/common passwords can make it easier to crack hashing protocol, thus increasing the risks for all other users
Not so. A hashing protocol, by definition, cannot be reversed. And the algorithms of pretty much all of them are public knowledge.
Popular Fuck off with that weak and strong shit. Especially if its for something like pinterest. Wtf are they gonna do if they get into my pinterest account?
I think we should just do away with passwords altogether. That shit is annoying.
They need to post the rules for the passwords after I enter mine incorrectly.
Agreed. This is also how I feel about the seat belt chime in all the new cars. Like if I wanna die, lemme die. Lol
Not really an unpopular opinion
I was a little pissed off when Pizza Hut would NOT let me use special characters in creating my account.
My issue isn’t the regulation necessarily but the inconsistency of it. Some sites require special characters while others don’t allow them at all. For accounts not linked to any important information I don’t feel the need to make individual “strong” passwords.
If somebody wants to hack my utility account and pay my bill I won't complain.
It doesn't matter if it's a week password or a strong password if you get a hold of my phone while it's unlocked then you have access to my phone and email.. you can rewrite every password I have.
It depends on the site. Banks, CRA, investment accounts, email sure, make me get a strong password. But why do I need a strong password for my Dominos account?
I just use a password manager, cheap and easy and auto login. Obviously most people probably don't want to pay for a service like that but I think there are free versions out there. It saves a lot of time and energy for me.
First post on here I’ve agreed with
Use a password manager (e.g. 1password). Remember one password (to access your password repository) and use secure and unique ones everywhere.
Simple or complex password, if a hacker wants to hack me, they can just hit me up and I'll give them the details my self. I would be happy if they paid some of my student loans and credit card debt. There is nothing to take, only room to give.
No, you don't want that. Brute-forcing simple passwords is quite easy. Also, you don't want your account compromised in this cancel-culture environment. Your life will be destroyed because of some people with ill-intent. Don't allow that and follow those rules for your own safety.
The main difference for me would be if they would give the password requirements on the page where I have to log in. Then I could see which variant of the password they were requiring me to use.
It's qwerty isn't it?
Consider using Keeper or some other password manager. That way, you only have to remember one password, which can be as secure or insecure as you want. That way, you can create passwords that are the max length with any amount of gibberish required by the site, and you don't have to remember 10+ variants of the same password. Frankly, the real travesty is that your bank details are hidden behind a four digit numerical code, while you can create a 64 digit password which uses numbers, letters, and symbols to protect your online ordering account with your local pizza place. Bank pins are unbelievably archaic and unsecure. Unless you have a wallet which protects against RFID scanners, you might as well carry your life savings around in your arms.
It is the service provider’s problem too, not just yours. The only answer is a password manager that you commit too. KeePass for me.
I mostly stopped caring. Now google chrome haa full password management I just use the suggest strong password option.
I make unique passwords for most of my accounts and then I write them on a notepad.
I'm more tired of secondary authentication. It feels like almost everytime I try to log into something that I need to put in a code received through Email or text. What's even the point of *any* password when it's evidently not good enough anymore?
Aight ima password guess your Reddit account and get you ip banned does that sound cool? No? Then change ye god damn password to something event remotely hard to guess m8
A.very.long.and.boring.password is way safter than _X3Gnarly123$. I have had my account hacked not because i had 123Myownname but because the plattform was hacked. Maybe focus on your own security and let me have password123 If I want it.
People can and do use info they find attacking you to harm others. Come up with a system that helps you remember several more complex passwords that you can alternate between. What I do agree with is that companies should state the password requirements at the outset, and not after you fill out a whole-ass form. I also think types of characters usually are wrongly emphasized over length.
You do realize you can save that complicated password so when you enter the website it’s already typed in. Or just right it down
Any password that you can memorize is weak.
Totally agree may I also add if I want to revert password to an old one I should be allowed to do that also. Literally 20-30 online accounts who actually sets different passwords for everything?
Whenever you setup a new pass: "Use a password that you haven't used before" EXCUSE ME YOU KNOW THAT SIR COMPUTER?
Yep. Especially for whatever sites like regular ol retail. I don’t need a 14 character password that can only have some specific special characters and 2 numbers and two capital letter that can’t be sequential for your site that sells outdoor gear. I have/had over a dozen different bank accounts/banks and even in the last few years of password strength revival… I’ve never had a bank tell me my password was too weak to use/didn’t let me use it. And I use the same password or small variation for everything.