Just got done investigating a spambot we had earlier, and it looks like they used a lot of compromised accounts on other instances to give their post an initial upvote boost. If you don’t already, please remember to use a good strong password. Keeping your account secure helps reduce spam across the whole of lemmy, and keeps your account from getting banned for things you didn’t actually do.
I recommend Diceware! I use it in my professional capacity as an IT/Security person, and also you get to use your mathrocks!
EDIT: Oh, also, all that numbers-and-symbols shit is no longer considered good practice. Just make it a really long collection of random words, at least 12, ideally 16+ characters. And make sure the words are actually random; your 3 favorite sports teams aren’t good enough, which is why I recommend diceware.
Over the years, nobody has ever guessed my passwords, but four sites I was subscribed to were compromised and my email+password got leaked anyway.
The strongest chain and the weakest link…
Random passwords are good practice; what isn’t good practice is following specific password requirements like 10 characters, 1 uppercase, 1 symbol, because that reduces your search space. A 30 or 50 character password generated by your password manager is always the most secure option, the longer the better. I generate passwords that go to the maximum the service allows.
“Password must be between 8 and 12 characters” 🤦🏻♂️
'Pass word1!
Oh, ’ and spaces aren’t allowed?
Horse: “That’s a battery staple.”
Man: “Correct!”
These are called passphrases, and yes, they tend to be way more secure, at least until quantum computers render all traditional cryptography meaningless.
Basically what diceware does. It’s just that humans are really bad at picking random words (“banana” is over-represented, for instance); that’s what diceware helps with.
I used to use words from different vernaculars or languages. Sometimes I double-check that they are too abstract and weird to correct-horse-battery-staple easily, just because I’m a contrarian asshole, and that helps me remember. exquisitevibrattoacquittalbevelschaudenfreude
My password is ‘friend’, should I change it? I feel like it keeps all the nasty visitors out while letting the good folk inside.
A much more secure password is “Mellon”. I’ve used it as a door code for ages, and nobody can guess it.
Some great mind took hours to break this password. Hours!
Spoiler: the pony survived!

This is what you get for making me admin, I’ve gone mad with power, muhahahahaha!
crimes o-o
Just make one super strong password, use that to unlock your password manager, and have it generate 30 character passwords for everything.
Ideally all lowercase letters to make them easy to type when you need to use them in another device. Unfortunately, a lot of places don’t allow that, preferring less secure and more inconvenient passwords.
Password managers are OK but I have hesitations on them personally. I’m leery of putting all my most high-value stuff in one place behind one password. What I do instead is memorize a truly unreasonable amount of passwords, though, which I recognize is not a reasonable expectation for others. For threat models in which you’re not worried about in-person attacks, it may actually be a good idea to just write your passwords down, maybe keep your password book in something with a lock on it. I’m not advocating for any particular method, just putting it out there so people can make an informed decision.
I’m leery of putting all my most high-value stuff in one place behind one password.
Password managers (at least the non-browser based ones) use methods provided by the OS to protect themselves from screen recording, direct memory reading and keyboard-sniffing. Most password managers can also be set up to require a keyfile and/or physical passkey to unlock their databases.
A keyfile stores data necessary for decryption separate from the password database and means someone couldn’t get into your passwords even if your database was stolen and they knew the master password (assuming you stored your keyfile separate from the database - the file and its location should be treated like a password itself). A keyfile also lets you keep your database on cloud storage while manually transferring the key to trusted devices, allowing cloud syncing of your passwords without fear of leaks - without the keyfile it’s all just random data.
A physical passkey makes it virtually impossible to breach the database unless someone steals the USB device, since it uses a challenge-response model and the data needed to spoof it should never leave the device.
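The keyfile argument in the comment above (the stolen database plus the master password is still useless without the keyfile) is easy to see in code. The block below is an added example written for this thread, not the code of any real password manager: it derives the unlock key from both the master password and the keyfile in a KeePass-like composite-key construction (assumed, not a copy of any product's actual file format), runs it through scrypt, and then authenticates and decrypts the database with it. Because the standard library has no AEAD cipher, the cipher here is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, which is a teaching stand-in; a real manager uses AES or ChaCha20-Poly1305 from a crypto library. The keyfile is passed as bytes read from wherever you keep it.

```python
"""Composite-key unlock: the database key depends on BOTH the master password
and a keyfile, so the password alone (or the keyfile alone) cannot open it.
Added example for the discussion, not any real password manager's code.
Assumptions: KeePass-like hash-then-KDF composite key; HMAC-CTR keystream
plus encrypt-then-MAC as a stdlib-only stand-in for a real AEAD cipher."""
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def composite_key(master_password: bytes, keyfile_bytes: Optional[bytes], salt: bytes) -> bytes:
    """Hash each factor separately, hash the concatenation, then stretch with scrypt.
    Omitting the keyfile changes the input to the KDF, so a different key comes out."""
    material = hashlib.sha256(master_password).digest()
    if keyfile_bytes is not None:
        material += hashlib.sha256(keyfile_bytes).digest()
    composite = hashlib.sha256(material).digest()
    return hashlib.scrypt(composite, salt=salt, n=2 ** 14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from the composite key."""
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_database(plaintext: bytes, master_password: bytes, keyfile_bytes: Optional[bytes]) -> bytes:
    """Returns salt || nonce || ciphertext || tag (all lengths fixed, see constants)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _subkeys(composite_key(master_password, keyfile_bytes, salt))
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_database(blob: bytes, master_password: bytes, keyfile_bytes: Optional[bytes]) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt. Any wrong
    factor, including a missing keyfile, fails here before any plaintext is produced."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(composite_key(master_password, keyfile_bytes, salt))
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong master password or keyfile")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def try_unlock(blob: bytes, master_password: bytes, keyfile_bytes: Optional[bytes]) -> bool:
    """True if the (password, keyfile) pair opens the database, else False."""
    try:
        decrypt_database(blob, master_password, keyfile_bytes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a tiny "database" and a 64-byte random keyfile.
    db = b"example.com: correct horse battery staple\n"
    keyfile = secrets.token_bytes(64)
    blob = encrypt_database(db, b"master-password", keyfile)
    print("password + keyfile :", try_unlock(blob, b"master-password", keyfile))   # True
    print("password, no keyfile:", try_unlock(blob, b"master-password", None))    # False
    print("wrong keyfile       :", try_unlock(blob, b"master-password", b"x" * 64))  # False
```

The point to take from the false cases is that the password-only attempt does not fail because something checks for the keyfile's presence; it fails because the derived key is simply a different 256-bit value, which is why the comment above describes the stolen database as random data without it. The same reasoning is why the keyfile must live somewhere the database does not.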
To be fair, a ‘strong’ password isn’t likely to help all that much.
Those compromised account lists are almost exclusively from websites that were hacked to harvest passwords, or didn’t hash their passwords sufficiently in the first place.
Making a strong password is obviously ideal. But people are generally better off with some basic in-browser password management; avoiding password reuse is the real big deal. Maybe diceware is the thing to use if there’s a specific password you need to actually remember and re-type across devices.
Also: reminder to enable 2-factor authentication, if you haven’t.
Diceware is a password locker?
Diceware is a method of generating random memorable passwords.
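Since the method itself keeps coming up (the recommendation to use Diceware, the point that humans pick words badly, and the remark that composition rules like "1 uppercase, 1 symbol" shrink the search space), here is an added example, written for this thread and not taken from the Diceware project, that does the three things in code: rolls dice with the CSPRNG, maps each roll to a word, and puts numbers on the entropy claims. The word list is a constructed 36-word stand-in addressed by two dice so the script runs offline; a real Diceware list has 6^5 = 7776 words addressed by five dice, and the entropy helpers take the list size as a parameter so the real figures can be computed without it.

```python
"""Diceware-style passphrase generation plus entropy accounting.
Added example, not the Diceware project's own code. The word list below is a
constructed 36-entry stand-in (two dice per word); the real list has 7776 words
(five dice per word) and the same indexing scheme."""
import math
import secrets
from itertools import combinations

# Constructed stand-in: 6*6 = 36 words, one per two-dice roll (11 .. 66).
SAMPLE_WORDLIST = (
    "acorn anvil apple badge bagel basil bison blaze bloom bread brick cabin "
    "camel cedar chalk cider cliff cloud comet coral crane daisy delta dough "
    "eagle ember fable fence flame flask fleet frost gecko glove grape gravy"
).split()
SAMPLE_DICE_PER_WORD = 2          # a real Diceware list uses 5
REAL_DICEWARE_WORDS = 6 ** 5      # 7776

# 95 printable ASCII characters split into the usual composition classes.
CHAR_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def roll_dice(n, rng=secrets.randbelow):
    """Roll n fair dice. secrets.randbelow is a CSPRNG; random.randint is not."""
    return tuple(rng(6) + 1 for _ in range(n))


def roll_to_index(roll):
    """Map a roll such as (3, 5) to a base-6 index: (3-1)*6 + (5-1) = 16."""
    index = 0
    for die in roll:
        if not 1 <= die <= 6:
            raise ValueError(f"not a die face: {die}")
        index = index * 6 + (die - 1)
    return index


def diceware_passphrase(num_words, wordlist=SAMPLE_WORDLIST,
                        dice_per_word=SAMPLE_DICE_PER_WORD, rng=secrets.randbelow, sep=" "):
    """Pick num_words words, each chosen by an independent dice roll."""
    if len(wordlist) != 6 ** dice_per_word:
        raise ValueError("wordlist size must be 6**dice_per_word so every roll maps to one word")
    words = [wordlist[roll_to_index(roll_dice(dice_per_word, rng))] for _ in range(num_words)]
    return sep.join(words)


def passphrase_entropy_bits(num_words, wordlist_size):
    """Bits of entropy when every word is chosen uniformly from the list."""
    return num_words * math.log2(wordlist_size)


def password_entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random string (no composition rule)."""
    return length * math.log2(alphabet_size)


def constrained_password_count(length, classes=CHAR_CLASSES,
                               required=("upper", "digit", "symbol")):
    """Number of length-char strings over all classes that contain at least one
    character from each required class, by inclusion-exclusion over the
    classes that are excluded."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def composition_rule_loss_bits(length, classes=CHAR_CLASSES,
                               required=("upper", "digit", "symbol")):
    """How many bits the 'must contain upper/digit/symbol' rule removes from
    the search space at a given length (0 would mean no loss)."""
    alphabet = sum(classes.values())
    return length * math.log2(alphabet) - math.log2(constrained_password_count(length, classes, required))


if __name__ == "__main__":
    print("sample passphrase :", diceware_passphrase(6))
    print("6 real Diceware words:", round(passphrase_entropy_bits(6, REAL_DICEWARE_WORDS), 1), "bits")
    print("30 random printable chars:", round(password_entropy_bits(30, 95), 1), "bits")
    for n in (8, 12, 30):
        print(f"composition rule at {n} chars loses", round(composition_rule_loss_bits(n), 2), "bits")
```

Two things the numbers show that the comments only assert: six real Diceware words land near 77 bits, which is why the advice is a long sequence of random words rather than a short decorated one, and the composition-rule loss at 8 characters is just under a bit, shrinking further as the length grows, so the rule costs real entropy but length dominates either way. The `rng` parameter exists so the mapping can be tested with a fixed roll; never pass anything but a CSPRNG when generating a passphrase for use.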
I would suggest a password locker rather than just a generated passphrase.