These are the same companies that don’t support second factors, only have their app as a second factor, or only SMS second factor. Is it too much to ask for smart card or token (yubikey) support?

  • @[email protected] · 46 points · 6 months ago

    I hate that stuff. Also websites that have lots of specific conditions for what a password contains. You’re just increasing the likelihood of me forgetting it.

    • @l_b_i (OP) · 16 points · 6 months ago

      And if you don’t forget it, you’ll use a simple one that’s easy to guess or contains common substitutions, p@$$w0rd!. And then when you do forget it you’ll call support who will reset it, and they get so many calls it will make taking over another account easier.

    • @[email protected] · 15 points · 6 months ago

      I started using a password manager for a lot of my passwords. Works pretty well, it’ll generate criteria matching passwords for me. Also functions as a list of websites I’ve created accounts with.

    • @[email protected] · 13 points · 6 months ago

      Forgetting it?? All you have to do is scribble it on a little slip of paper in your top drawer like 90% of people do. Very secure.

      • @[email protected] · 3 points · 6 months ago

        Top drawer! I think it’s still more secure than most of my colleagues. It’s usually a post-it on the monitor.

        • @[email protected] · 1 point · 6 months ago

          Post-it on the monitor is for the session password. For the 5 others, there is a txt file on the desktop!

      • @l_b_i (OP) · 3 points · 6 months ago

        I don’t think I’ve gotten past finding the correct length video. Getting that to work with everything else and keeping what’s his face alive is just too much.

        • @[email protected] · 1 point · 6 months ago

          You can use the manager on your phone to display the password you’re having a hard time remembering so you can manually type it in, while still keeping it stored securely instead of just a plain text note on your phone.

          You can also login to your password manager via web browser to copy/paste between it and login pages. Wouldn’t be my choice, but it’s an option. (not gonna enter my password vaults details on a work computer unless that vault only contains work logins.)

        • @[email protected] · 1 point · edited · 6 months ago

          I didn’t either, so I self-host mine via vaultwarden. My passwords never leave my own systems (unless being used to login ofc), except for transit between my server and client devices. That is encrypted before storage or flight then wrapped in tls for https and again for a vpn connection (also self-hosted).

  • @[email protected] · 34 points · 6 months ago

    My company set up two factor for office 365. The type of verification used is the outlook app where you tap on something to gain access. I must have been one of the first to be required to change my password on the stupid 90 day schedule. After changing my 365 account pw I was locked out because I had to log in to the Outlook app and use the outlook app for verification, which didn’t work due to the need to be logged in. You can’t make this shit up.

    • @l_b_i (OP) · 16 points · 6 months ago

      Perfect security. Nobody can access.

    • deweydecibel · 4 points · edited · 6 months ago

      That’s on your IT department.

      Well, it’s also on Microsoft for selling their “modern” security theater bullshit to every IT department in the country while not designing it in a sensible fashion or working with third parties to provide meaningful alternatives to the Microsoft branded shit every employee will soon be required to install on their personal devices…

      But that’s also on your IT department for not warning you or allowing you to keep the SMS/phone verification as a backup for these exact situations. Those aren’t deprecated yet, but some companies have let Microsoft’s recommended security practices (co-written by their sales team) scare them into downright idiocy.

      As someone in IT, here’s what you do: Next time that sort of thing happens, just reach out to them immediately and have them reset everything. They may get annoyed, but you know what? They shouldn’t be. It’s more secure to have an employee call in every single time they need to change a password or re-authenticate a device. It’s inconvenient, unnecessary, and downright annoying, wasting everyone’s valuable time, but hey… it’s more “secure”. If it’s more secure, you aren’t allowed to be against it.

  • @[email protected] · 11 points · 6 months ago

    Every few months my company forces a password reset. We recently changed from four-digit PINs to full true passwords but they don’t actually explain that, so now you have people with like 13-digit PINs; it’s insane. On top of that they also use two-factor authentication simply to make things harder, I believe.

    Finally, if you want your work email on your phone it forces you to re-login every single week, and because of the way Outlook mobile works you need this special number from Outlook on your phone, so to log into Outlook on my phone I have to authenticate with Outlook on my phone.

  • @[email protected] · 9 points · 6 months ago

    Any Insurance company * (I say so because as an IT Administrator I’m forced to enable this to keep our cyber insurance policy, but I feel rather confident it’s unnecessary given the research and our migration to ldap tied fido).

    • @l_b_i (OP) · 4 points · 6 months ago

      All I know is the mortgage servicing company I use seems to have started a ~3 month interval that they don’t say (no second factor available either). When I went to pay my internet bill, I got greeted with a message “your password’s been reset”. I’m stubborn and I was just using those sites to pay bills, so now I just don’t log in to those anymore.

      Insurance, and government need to catch up to the research. For sites that support them, I really like the Yubikey as a second factor.

      • @[email protected] · 2 points · 6 months ago

        It won’t be too long now before everyone rolls out Passkey support, which will be nice. I fully embrace the death of the password.

        • deweydecibel · 1 point · 6 months ago

          And the death of Firefox along with that. Oh boy what a great future.

          • @[email protected] · 2 points · 6 months ago

            Not sure why that would kill Firefox. Mozilla has done great work supporting passkeys and while their implementation isn’t fully baked at the moment I have no reason to suspect they’ll leave it incomplete.

  • ares35 · 7 points · 6 months ago

    we have one piece of remote software that requires 90-day resets, but half the time the process is bugged so we end up having to have a new password relayed to us in the clear… through email. third-party email. it’s only 100s of thousands of medical records on the other side of that login. no big.

    • @l_b_i (OP) · 3 points · 6 months ago

      I don’t have any first-hand experience, but from anecdotes I hear, medical and banking have some of the worst password/security practices.

  • Chetzemoka · 6 points · 6 months ago

    Both companies I work for use Okta for 2fa AND also force us to change our passwords every 90 days, resulting in us using weak, easy to remember passwords. It’s security theater.

  • @[email protected] · 6 points · 6 months ago

    I’m glad that in my company they disabled the password rotation after having implemented 2FA.

    • @l_b_i (OP) · 4 points · 6 months ago

      Mine went to once a year for most systems. There is probably an external requirement somewhere that says they need to be changed periodically and once a year is the lowest frequency they can do.

    • @l_b_i (OP) · 7 points · 6 months ago

      A password manager does nothing to stop social engineering and human factors on the provider side.

        • @l_b_i (OP) · 0 points · 6 months ago

          As an example, if you have an online account with some bank. That bank would be the provider.

          • @[email protected] · 1 point · 6 months ago

            Well yes, me and the bank employees using a password manager does not stop social engineering and human factors, but it limits the access of the attacker to the time period of the forced password change. If the attacker changes it, he is found out immediately, because the bank employee loses access. When the password expires the bank employee generates a new random password and the attacker loses access. Of course, using OTP features or a security token is better and narrows the attack window even more.

            • @l_b_i (OP) · 0 points · 6 months ago

              I don’t think you’re following.
              First, you are an account holder in my answer, not an employee.
              Second, the reason it’s an issue has nothing to do with the actual password or password security. Frequent changes lead to simpler passwords. Someone is likely just to increment a number, so a new password is barely a hindrance if the previous one is compromised. Frequent changes are going to lead to more password resets; service personnel who have to deal with people forgetting passwords due to frequent resets/changes are more likely to be complacent, allowing an attacker to gain access through a reset. For company-based passwords, frequent changes and high complexity requirements are more likely to lead to someone writing a password down near where that password is used.

              • @[email protected] · 0 points · 6 months ago

                No, you’re not following. (I assumed I was an account holder in that example, but it’s not important.)

                “Someone is likely just to increment a number, so a new password is barely a hindrance if the previous one is compromised.”

                Not if they use a password manager and click a button to completely randomize a new password. They do not have to worry they forget it, because they only have to memorize their master password.

                [Image: KeePass Password Generation Options]

                Why would someone who was told to hit that button by IT increment a number instead?

        • @l_b_i (OP) · 7 points · 6 months ago

          I think you’re missing the point. It doesn’t matter how good an individual’s security practices are if the system itself has bad security architecture.

          • @[email protected] · 1 point · 6 months ago

            So in your post you refer to, for example, an admin at Microsoft headquarters having to change his password, not the user of one of Microsoft’s services being forced to change their password?

            • @l_b_i (OP) · 1 point · 6 months ago

              I am generally more annoyed at the second bit, the user having to change their password. Both are problems, but internal policies for changes are usually documented and communicated.

              • @[email protected] · 1 point · 6 months ago

                Having to change the service’s password is just a few buttons in the password manager, but it helps mitigate brute force attacks and limits the attacker’s access to the validity period of the password. So that’s very beneficial.

                • @l_b_i (OP) · 1 point · 6 months ago

                  It doesn’t matter how good an individual’s security is; it’s the system that’s a problem. Passwords are not often compromised through brute force. Password resets are a much more efficient entry method.

                  https://pages.nist.gov/800-63-FAQ/#q-b05

                  Q-B05: Is password expiration no longer recommended? A-B05:

                  SP 800-63B Section 5.1.1.2 paragraph 9 states:

                  “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

                  Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.

                  Q-B06: Are password composition rules no longer recommended? A-B06:

                  SP 800-63B Section 5.1.1.2 paragraph 9 recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected because users tend to use predictable methods for satisfying these requirements when imposed (e.g., appending a ! to a memorized secret when required to use a special character). The frustration they often face may also cause them to focus on minimally satisfying the requirements rather than devising a memorable but complex secret. Instead, a blacklist of common passwords prevents subscribers from choosing very common values that would be particularly vulnerable, especially to an online attack.

                  Composition rules also inadvertently encourage people to use the same password across multiple systems since they often result in passwords that are difficult for people to memorize.
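The NIST answers quoted in this post can be turned into a concrete verifier-side policy: a blocklist of common values (Q-B06), a check that undoes the usual substitutions so that the "p@$$w0rd!" style of password mentioned earlier in the thread is caught, a check at change time that the new password is not just the old one with a number bumped (Q-B05), and a forced change only on evidence of compromise rather than on a calendar. The block below is an added illustration written for this thread; it is not code from NIST, from any site discussed above, or from a password manager. The `Verifier` class, its method names, the blocklist contents, the substitution table and the similarity thresholds are all constructed for the example.

```python
"""Password-change checks in the spirit of NIST SP 800-63B section 5.1.1.2.
Constructed example for illustration: Verifier, blocklist and thresholds are
all assumptions, not any real product's policy."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample blocklist. A real verifier loads a large breach-derived
# list; a lookup is done on both the raw value and its canonical form.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou",
                    "12345678", "sunshine", "monkey"}

# Substitutions people apply to satisfy composition rules (Q-B06).
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                               "3": "e", "4": "a", "5": "s", "7": "t"})
# Trailing digits/punctuation that get bumped on each forced change (Q-B05).
TRAILING_JUNK = re.compile(r"[0-9!?.*#_\-]+$")

ITERATIONS = 100_000  # PBKDF2 work factor; use a much higher value in production


def canonical(pw: str) -> str:
    """Reduce a password to the word it was built from: lower-case it, drop
    the appended digits/punctuation, undo the common character substitutions."""
    core = TRAILING_JUNK.sub("", pw.lower())
    return core.translate(SUBSTITUTIONS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch 'change one character' updates."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: Optional[str] = None) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable.
    Deliberately no age check: expiry is event-driven, never periodic."""
    if len(new) < 8:
        return "shorter than 8 characters"
    if new.lower() in COMMON_PASSWORDS or canonical(new) in COMMON_PASSWORDS:
        return "matches a blocklisted password once common substitutions are undone"
    if old is not None:
        # The old password is known here only because the user just typed it to
        # authorise the change; the verifier itself stores nothing but a salted hash.
        if canonical(new) == canonical(old):
            return "common transformation of the previous password (e.g. incremented number)"
        if levenshtein(new.lower(), old.lower()) <= 2:
            return "differs from the previous password by at most two characters"
    return None


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    must_change: bool = False  # set only on evidence of compromise, never by a timer


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


class Verifier:
    """Toy verifier: salted hashes, event-based forced change, no rotation clock."""

    def __init__(self) -> None:
        self.users: Dict[str, Credential] = {}

    def register(self, user: str, pw: str) -> None:
        reason = check_new_password(pw)
        if reason:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.users[user] = Credential(salt, _digest(pw, salt))

    def _matches(self, user: str, pw: str) -> bool:
        cred = self.users.get(user)
        if cred is None:
            return False
        return hmac.compare_digest(_digest(pw, cred.salt), cred.digest)

    def login(self, user: str, pw: str) -> str:
        """'ok', 'denied', or 'change_required' (right password, compromise flagged)."""
        if not self._matches(user, pw):
            return "denied"
        return "change_required" if self.users[user].must_change else "ok"

    def mark_compromised(self, user: str) -> None:
        """The SHALL case in 800-63B: evidence of compromise forces a change."""
        self.users[user].must_change = True

    def change_password(self, user: str, old: str, new: str) -> Optional[str]:
        """Return None on success, or the reason the change was refused."""
        if not self._matches(user, old):
            return "current password incorrect"
        reason = check_new_password(new, old)
        if reason:
            return reason
        salt = os.urandom(16)
        self.users[user] = Credential(salt, _digest(new, salt))  # clears must_change
        return None
```

Run it with `python -c "import policy; print(policy.check_new_password('Winter2024!', old='Winter2023!'))"` (after saving the block as `policy.py`) to see the incremented-number case rejected. The point of the design is what is absent: there is no `changed_at` timestamp and no 90-day comparison anywhere, so nothing ever nudges users toward the "bump the number" habit, while `mark_compromised` still gives the verifier the event-based lever the NIST text requires.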

    • @[email protected] · 5 points · 6 months ago

      I use a password manager, but I can’t realistically use one on my work computer, because the computer is locked. You want me to open my password manager on my phone and try and type it in?

      Yeah, I’m gonna continue to use the bare minimum password that meets the requirements knowing full well it can be brute forced in under 5 minutes.

    • bluGill · 2 points · 6 months ago

      You still need a password on your password manager, and that needs to be protected.

      • @[email protected] · 3 points · 6 months ago

        Sure, but one strong complex password is much easier to maintain and remember than (checks vault) 71 individual logins each with unique complex passwords.

        My password vault is also only accessible from my local network or from a device that’s been within that network and logged in to my vault while it was there. (I’m not using public servers to sync between devices)