• rog@lemmy.one
    5·
    1 year ago

    Best practice in 2023 is a simple, sufficiently long but memorable passphrase. Excessive requirements mean users just create weak passwords with patterns.
    [Capital letter]basic word(number){special character}

    Enforcing password changes doesnt help either. It just creates further patterns. The vast majority of compromised credentials are used immediately or within a short time frame anyway. Changing the password 2 months later isnt going to help and passwords like July2023!, which are common, are weak to begin with.

    A non expiring, long, easily remembered passphase like
    forgetting-spaghetti-toad-box
    Is much more secure than a short password with enforced complexity requirements.

    • kevincox@lemmy.ml
      7·
      1 year ago

      Drop “memorable”. 99.9% of your passwords should be managed by your password manager and don’t need to be memorized. On one or two passwords that you actually need to type (like your computer login) need to be memorable.

      • demonsword@lemmy.world
        3·
        1 year ago

        99.9% of your passwords should be managed by your password manager

        this looks like a sensible approach until you remember password managers can be cracked, too. I’m with GP on this, a passphrase is easier to remember and is good enough for most use cases, if you need more security you should be using some form or another of 2FA anyway

        • dan@upvote.auEnglish
          2·
          1 year ago

          I’ve got 1601 logins and 86 secure notes in my Bitwarden vault… no way I’m memorizing all of that lol

        • Gamma@programming.devEnglish
          1·
          1 year ago

          I have 350 items in my BW vault. I am not memorizing that many passwords, I’d rather use my brain for something else.

        • Scraft161@iusearchlinux.fyiEnglish
          1·
          1 year ago

          I’ve been using keepassxc for a while now and it’s better than most other options, everything is stored locally and encrypted behind a master password.

          All you micht want to do is make a backup of your vault onto an external drive (best practice would be encrypted via the options you have, I use luks because I’m a Linux nerd).

          • livendie@beehaw.orgEnglish
            1·
            1 year ago

            Agreed. Have my password database backed up over multiple places, GPG encrypted of-coarse, you can never be too safe.

    • geissi@feddit.deEnglish
      0·
      1 year ago

      forgetting-spaghetti-toad-box

      I don’t know much about PW security but would a passphrase of common words not be more susceptible to dictionary attacks?

      • CanadaPlus@lemmy.sdf.orgEnglish
        4·
        1 year ago

        The idea is that entropy is measured with possible words instead of possible characters. It turns out 7 7-bit ascii characters have less entropy than 4 14-bit equivalent words (that is, the 16,384 most common ones). And that’s in the ideal case it’s a totally random 7 characters.

        Every attack is technically a dictionary attack here, but it doesn’t help enough because the password to a computer is still 30 characters long. To a human it seems a lot easier than ")f1:.{yJCzNv]@R=S  K$~= ", though.

        PS. Turning /dev/random output into 7-bit ascii characters is surprisingly involved in Haskell. C would have been easier. This was the world’s slowest ninja edit.