If websites could just remind me on the login screen what their password requirements are, that would help me a LOT.
So many times I start going through the “forgot my password” steps and then when I see the password requirements are “at least 10 characters long with 2 unique symbols” I remember what it was and can go back and log in.
Or just use a password manager and solve that problem yourself right now forever.
But don’t use LastPass; they are the most popular, and have the largest breach history. In fact, if you are capable of the admittedly high bar of self-hosting, use Bitwarden instead.
Why? Bitwarden has a free tier you don’t have to self-host.
This is exactly why I don’t want to use a password manager. Storing all my passwords in one place online doesn’t exactly sound secure.
I would rather recommend using KeePassXC, and storing and syncing the database with your other devices using Syncthing. Super easy to set up, and works flawlessly with my PC and my phone.
KeePassXC has nice features like global autotype btw, so for webpages I can insert my payment information with one hotkey. No need to save your CC in your browser.
Right? I’m right with you. I keep a password book I can lock up in the safe. No online hacker can get to that.
I use a pattern relative to the site name, with a different email address for every site also relative to the site name. The pattern means the password is always different but I always know that it is.
1Password is an option. It’s all stored in one place, sure. But you need the encryption key and password to access it. No one but you has that key, and if you lose/forget it you lose your passwords forever. Not even the company can recover your passwords from that.
For 99% of people an online password manager like Bitwarden or LastPass is going to significantly help them manage passwords securely despite the risks associated with cloud services. Most people can’t handle self-hosting Bitwarden or syncing a KeePass database by themselves. Without an easy-to-access and easy-to-use online option, people will revert to significantly riskier methods like password reuse or using some sort of repeatable/guessable pattern.
For the 1% of people who want more security there are options like Vaultwarden or KeePass. Even then it’s not uncommon to make mistakes and lose data/access or leave some sort of vulnerability exposed. The attack surface is a lot smaller than a public service though, which is beneficial.
Vaultwarden, typically, because it’s fully free and more resource efficient. But Bitwarden as the client of course.
Listing those requirements up front would make things way easier for brute force attackers.
They list all those requirements when you try to create an account. If anyone wants to try to brute force they already have that info.
Fun fact: it would take about 37 billion years on average (at current (known) tech) to brute force a 16 character alphanumeric password which uses uppercase, i.e. using at least one of each of a-z, A-Z, 0-9.
Adding special characters would not make it easier. A trillion years seems like a long time. (Unless your password is ThisIs4Password!)
https://www.komando.com/wp-content/uploads/2021/03/Passwords-chart-970x510.jpg
Also, online logins should lock you out temporarily after a few failed attempts anyway, making brute force a complete non-issue.
Also also, if you’re going to try to brute force someone’s pw, you would just look up the requirements beforehand anyway.
If you brute force using single iterations of all possible combinations, sure. But people don’t do that. They use fully readable passwords and letter substitutions. This makes dictionary attacks viable. There are a known number of readable words and phonetic combinations that are significantly easier to brute force. And also the vast majority of numbers are also guessable because most numbers are dates. Series of 2 or 4 or 8 numbers to form important dates means there are lots of numbers between 1940-2024. People don’t usually use unconditionally random alphanumeric passwords. Therefore people’s passwords will never be fully secure against sufficiently advanced brute force methods.
I originally included the words “assuming random” in the post. Why did I remove it? I guess for dramatic effect. You are correct. Permutations of dictionary words are relatively trivial for a decent program. But increasing the length and adding special characters would add a nontrivial exponential increase in time, wouldn’t it?
Brute force attacks haven’t been effective for decades. Not since they implemented delays between attempts and timeouts/lockouts for too many failed attempts.
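
The lockout policy mentioned in the comments above, as an added example that is not part of the original thread: a per-account login throttle run on a simulated clock, and how long online guessing would take against it. The policy values (5 failures, 15-minute lockout) and the 20,000-word list size in the pattern space are assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 5            # assumed policy: failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy: lockout duration


class LoginThrottle:
    """Per-account failure counter with a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allowed(self, account, now):
        # An attempt is evaluated only once any lockout has expired.
        return now >= self.locked_until.get(account, 0)

    def record(self, account, success, now):
        if success:
            self.failures.pop(account, None)   # a good login resets the count
            return
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.failures[account] = 0


def guesses_accepted(throttle, account, seconds, step=1):
    """Wrong guesses the throttle evaluates in `seconds` when one
    attempt arrives every `step` seconds (simulated clock)."""
    accepted = 0
    for now in range(0, seconds, step):
        if throttle.allowed(account, now):
            throttle.record(account, success=False, now=now)
            accepted += 1
    return accepted


def years_to_exhaust(space, guesses_per_day):
    return space / guesses_per_day / 365


# Constructed guess spaces for the two cases argued in the thread.
RANDOM_16 = 62 ** 16                        # 16 random chars from a-z, A-Z, 0-9
PATTERN = 20_000 * (2024 - 1940 + 1) * 10   # assumed: word x year x one symbol

if __name__ == "__main__":
    per_day = guesses_accepted(LoginThrottle(), "alice", 24 * 3600)
    print(per_day, round(years_to_exhaust(PATTERN, per_day)))
```

A lockout only limits guesses made through the login form; it does not slow guessing against password hashes obtained in a breach.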