
"We need you to set up a secure password. 10 maximum characters."

jfhc do these companies know what secure passwords or password managers are

@cwebber I'm wondering why more companies aren't using tokens? I know in govt there are some pretty weird requirements for things, but there are even free software/free hardware FIDO2 tokens now, as well as PGP keys that can be used for SSH sessions.

Not perfect, but a big step forward.

@cwebber big upgrade from the common "8 characters max"

@cwebber
"They can have one main password that they add a few letters to for each app"🤦‍♂️
Google's advice for teaching kids safe password practices: safety.google/families/familie

@cwebber No kidding, and furthermore they often have hidden restrictions precluding all but a specific set of characters. Combine it all with the minimum length and complexity restrictions, and you end up with a very narrow range of possible passwords, and an even narrower range of ones likely to be used.
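As an added illustration (not part of the thread), here is how small the space a policy like the one described leaves: the count is done by inclusion-exclusion over the required character classes, so complexity rules are handled exactly rather than estimated. The permitted symbol set, the 8-to-10 length band and the 20-character comparison password are constructed assumptions.

```python
from itertools import combinations
from math import log2

# Constructed policy alphabet: letters and digits plus a deliberately
# narrow set of "allowed" symbols, as such sites often impose.
LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = {c.upper() for c in LOWER}
DIGITS = set("0123456789")
SYMBOLS = set("!@#$%")            # assumed permitted symbols
PRINTABLE = {chr(c) for c in range(32, 127)}  # all 95 printable ASCII


def count_passwords(min_len, max_len, classes, required):
    """Number of strings of length min_len..max_len over the union of
    `classes` that contain at least one character from every class in
    `required`.  Inclusion-exclusion: for each subset of required classes
    assumed missing, count strings over the reduced alphabet and alternate
    the sign by subset size."""
    alphabet = set().union(*classes)
    total = 0
    for n in range(min_len, max_len + 1):
        for k in range(len(required) + 1):
            for missing in combinations(required, k):
                allowed = alphabet - set().union(*missing)
                total += (-1) ** k * len(allowed) ** n
    return total


def keyspace_bits(count):
    """Express a keyspace size as bits of entropy (uniform choice)."""
    return log2(count)


def compare_policies():
    """Constrained policy (8-10 chars, restricted symbols, must include
    lower, upper and digit) versus an uncapped 20-char password drawn
    from all printable ASCII with no class rules."""
    constrained = count_passwords(8, 10, [LOWER, UPPER, DIGITS, SYMBOLS],
                                  [LOWER, UPPER, DIGITS])
    uncapped = count_passwords(20, 20, [PRINTABLE], [])
    return {
        "constrained_bits": keyspace_bits(constrained),
        "uncapped_bits": keyspace_bits(uncapped),
    }


if __name__ == "__main__":
    for name, b in compare_policies().items():
        print(f"{name}: {b:.1f} bits")
```

The length cap dominates: the complexity rules trim under one bit off the 10-character space, while a 20-character password over the full printable set has more than twice the entropy.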

@keithzg @cwebber my favorite one of these i have encountered lately was even more obviously than usual built out of the constraints of the developers' limited grasp of regular expressions, and prohibited (among other things) non-contiguous characters in the range [0-9].

the worst offenders are almost invariably in the realm of banking/finance/credit, medical service providers, payroll/benefits, etc. which is to say: places some security would be kind of nice, really...

@keithzg @cwebber but it's cool because my bank shows me a picture of a kitten when i provide my user name. two factor auth, donchaknow.

@brennen @cwebber
Yeah it's hilarious but unsettling that my passphrase for my bank account is literally the least secure password for any account I have...

@cwebber Which is it? A secure password or a 10 char limit?

This is why I use random strings for my usernames. Weird that sites requiring short passwords allow long usernames.

I also use subaddressing for unique email addresses.

That site won't be any more secure, but the likely-to-be-stolen credentials can't be used to break in anywhere else ...

Octodon