
I'm surprised that this article didn't mention the most important point about password rules:

They force you to come up with a new password that you probably haven't used before and so you will probably forget it.

There are websites that I don't use often where I literally have to reset the password (and go through all the i-forgot-my-password steps) every time I want to log in because they forced me to come up with an overly creative password.

I think most people have two or three passwords for all their apps/services; one very secure one, one medium security one and one low security one (where you literally don't care if you get hacked). It's not the company's business to tell you which of those classes of passwords it deserves for its website.



You really shouldn't be re-using passwords across sites anyway, since all your accounts are compromised if any of them are compromised. Since re-using passwords is a problem solved by using a password manager, I'm assuming you're not using one, in which case you likely won't even remember the list of sites where you have accounts that have a shared password if you need to change it when any of the other sites are compromised.

Best to just use a password manager and keep unique per-site passwords.


I'm quite hesitant towards using a password manager. All secrets are protected by only one single password, and to make the tool useful, it should be accessible from anywhere and I would use it quite often too, increasing the limit of my master PW being stolen (whatever way, keyloggers, shoulder surfers, cameras...). Thus, I'd rather memorize a handful of unique high-security passwords for important services and one or two low-security ones for all the rest I don't care about.

Of course, it's a different situation when e.g. managing many sensitive servers which you only access from work or so.


> All secrets are protected by only one single password, and to make the tool useful, it should be accessible from anywhere and I would use it quite often too, increasing the limit of my master PW being stolen (whatever way, keyloggers, shoulder surfers, cameras...)

True, though your handful of passwords can be stolen in the same way.

With a password manager, you:

- ensure your master password is not transmitted over a network

- ensure you never reuse passwords

- ensure you have long, strong passwords everywhere

- never forget login details and never worry about remembering yet another password

On the other hand,

- you _need_ access to your password manager in order to login

- you now have a single point of failure

- cloud-based password managers are very attractive targets for hackers

I don't like these aspects of it.

Still, a password manager is incredibly convenient and I do feel a greater sense of security/confidence when I copy a big old 64 character password to log in. As it is, I use so many different services (gmail, github, slack, aws, steam, dropbox, reddit, etc, etc) and that number is only going to increase. I think a password manager is a practical, scalable solution to both remembering login information and improving my security.


The security process that has really worked for me is using the "forget password" as a means to get a "login token" into my mail, which is protected with 2-factor auth.

I don't have to deal with password managers, maintaining their files. Or deal with multiple passwords.


Most of my accounts use my low-security password, I don't care much if they all get compromised. I only use my high-security password on 1 site.

Password managers are horrible - Whenever I change machines, I could never remember all my passwords and I certainly don't want to store my passwords in the cloud.


> I certainly don't want to store my passwords in the cloud

But you're not. You're storing an encrypted blob in the cloud. You just need a good master password and a password manager that isn't broken.


I wonder why people still think that their passwords are stored on the external site. It's explained on the "how this works" or whatever for most services like LastPass.


> Password managers are horrible - Whenever I change machines, I could never remember all my passwords and I certainly don't want to store my passwords in the cloud.

1Password can sync locally which is a nice plus:

https://support.1password.com/wlan-server/


Why not use a password manager on a USB stick?


"There are websites that I don't use often where I literally have to reset the password (and go through all the i-forgot-my-password steps) every time I want to log in because they forced me to come up with an overly creative password."

Indeed and then one's email potentially becomes the weakest link in one's password security.


If a site offers email resets at all, how often you (legitimately) use them generally doesn't play into the security analysis. If it's easier to get access to your e-mail than to get the password to the account that can be reset by proving access to the e-mail, then your e-mail is the weakest link.


>"if it's easier to get access to your e-mail than to get the password to the account that can be reset by proving access to the e-mail, then your e-mail is the weakest link."

This was exactly my point yes :)


For me it's gotten to where I just assume next time I need to log into the website, 6 months from now - car insurance for example - I simply expect to recover the password. No password really matters besides my email.


This is why passwordless designs are best and why I'm building new things without passwords.

I think the future will be passwordless with biometrics as an added layer of safety.


I second this... using the "remember password" as a token-based login + two factor authentication has been the best login method for me.


My current pet peeve with password resets goes like this:

1) Forgot the password, start the recovery process.

2) Get to the "create a new password" phase, look at the rules.

3) Rules require special characters, caps, etc. So I make one.

4) I get the "This password has been used before" error.

5) Now I have to think up a new random one.

If that password 'that was used before' was the current one, why can't I just continue to use it??? Now I remember the password (usually because of the silly special character requirements), so we're good, right? Wrong.


Related: on some of these sites you forget what you used and have to create a new password - and some of them do this horrible "You cannot re-use your four last passwords" thing which leaves you in this sort of permanent "I'm never going to remember and always have to come up with something new" loop (for sites you go to only periodically, e.g. an HR portal, let's say). But hey, nothing important lives in an HR portal, right? :P


Employee of a university here. Not only are the password requirements annoying, but unless you close the browser you aren't logged out. Clicking "logout" makes it look logged out, but the next person to use email/payroll enters their credentials and gets the prior user's account. Hilarity ensues with people applying for each other's leave, emailing responses to messages that weren't for them etc. The interim response is for people to set a theme in their email to make it more distinctly different. I kid you not.


Shibboleth user? I can't even imagine how difficult that kind of problem is when you're working with other people's software.

* Go to some service A.

* Get redirected to SSO and authenticate.

* SSO confirms your identity and A issues you a session token.

* You log out using your SSO.

* Go back to A where you're still logged in with your session token.

At a certain point I would not be willing to commit to maintaining lots of patches to every product we host and just tell our users to close their browser.


It's PeopleSoft and Outlook, but I'll have a look at the single sign-on page and see what that's done through.


OMG very true. Often, it seems that all these password systems are designed for celebrities; maybe if there were teams of people working 24/7 to hack my account, then it would make sense.


This is why my new server system sends you a password for every login you want to do to your email. Of course you do stay logged on, so it is not needed very often.




