Gorfram, to infosec
@Gorfram@beige.party avatar

Okay, mastodon’s chock full of infosec people: can anyone tell me why so many password creation interfaces don’t include the site-specific requirements for password creation?
(e.g. password must be 8 to 11 characters, must include/exclude capital letters, numerals, & special characters; but may not include certain special characters, etc)
Just thinking about how many of my passwords are variations of “GoF*ckYourself1!”




matthew, to security
@matthew@social.retroedge.tech avatar

I tried out today. It's in the debian repositories so fast installation and easy to use, guided setup process.

Should have tried it years ago.

A side benefit is being able to record all my logins and important information in one file (the keepassxc database file), back it up, and then share it with my loved ones with the unlock password given to them stored in a safe place.

If something happens to me, they'll be able to access my accounts.

kzimmermann, to random
@kzimmermann@fosstodon.org avatar

Great one from @warandpeas !

mattotcha, to ai
@mattotcha@mastodon.social avatar
kuketzblog, to security German
@kuketzblog@social.tchncs.de avatar

It's that time again: as every year on 1 February, many voices are calling on people to change their passwords. I say: don't. This constant password changing brings no measurable security gain. The problem lies somewhere else entirely. 👇

https://www.kuketz-blog.de/passwort-wechseltag-lasst-es-einfach/

NeadReport, to bitwarden
@NeadReport@vivaldi.net avatar

So the reason I am moving away from my beloved password manager is because of Proton Pass. Which happens to work well with Proton Mail, Proton Calendar and Proton Drive. You see, it's a suite of non-Google apps that is focused on privacy and encryption (you can use Proton Pass separately and for FREE)
And yes, it's a tedious process of moving to a better product. One that is focused on protecting vs. exploiting. I'm being patient and moving forward.

nono2357, to cs
roko, to Cybersecurity en-us

I've heard experts often say that passwords are more secure than , one of the reasons being that you can change your if it ever gets leaked but you can't change your biometrics. However, one of the major downsides of using a password/PIN for your lock screen is that someone could simply look over your shoulder to figure out your . These so-called over-the-shoulder attacks are more common than you may think, and the presence of cameras everywhere makes the situation worse because now you could be recorded typing in your password!

So because of all these reasons I had mixed feelings about using a password/PIN and tend to use biometrics whenever possible. But my opinion about passwords changed entirely after watching this 9-year-old video on YouTube showing how to use the "picture password" feature on a device - https://www.youtube.com/watch?v=Gef7kehpedA
The ingenuity of this system not only prevents over-the-shoulder attacks but is also fast & easy to use! I'm actually quite surprised that this never caught on with other devices because it really seems like a smart and easy solution to a common problem. Thanks to @sr for mentioning this on your or else I would've never known about this technique.

kubikpixel, to Kurzgesagt
@kubikpixel@chaos.social avatar

«Building a Password Cracker (2027)»

OK, I will now learn something and maybe this will really help…

⛏️ https://www.sevnx.com/blog/post/building-a-password-cracker

ethauvin, to random
@ethauvin@mastodon.social avatar
cybernews, to Cybersecurity
devol, to bitwarden Italian
@devol@mastodon.uno avatar

As already announced several months ago, the services for password management and for the have migrated at 24:00 on 24/1/24 and are now available here:

:bitwarden: https://vaultwarden.devol.it
it is essentially the same open source software, 100% compatible with bitwarden; the project was renamed by the developer.

🗒️ https://etherpadmypads.devol.it
we now use the project's full name and it runs on a more stable server.

nono2357, to random
techhelpkb, to Facebook
@techhelpkb@mastodon.social avatar

Nearly 71 million unique credentials stolen for logging into websites such as Facebook, Roblox, eBay, and Yahoo have been circulating on the Internet for at least four months

#password #facebook #roblox #ebay
https://tchlp.com/47IGZrA

meisterluk, to security

,#cnka^q'I|#u'FJnDm%(:MBX.

did not get accepted as my new password. It does not contain a digit. What's up with this world we live in?

publicvoit,
@publicvoit@graz.social avatar

@meisterluk As so often in this world, the general public is facing issues because some people are not clever enough to do things right.

This time: because of uneducated people generating insecure passwords, technical restrictions to mitigate this at least to some extent are applied to everybody, even though people like us are able to come up with secure passwords that somehow violate those stupid rules. 😔

The so-called xkcd method, my favorite method, fails here as well 😭

sanjaymenon, to hacking
@sanjaymenon@mastodon.social avatar
ksaj, to infosec
marieverdeil, to security
@marieverdeil@post.lurk.org avatar

What password manager do you use? Or what technique?

(for MacOS)(free and Free would be great)

nono2357, to random
realn2s, (edited ) to microsoft

I'm not sure if I get something wrong, but I think ID Protection is complete rubbish. E.g. when banning weak passwords with the ominous 5 points rule, the results seem to be completely arbitrary.

Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡​.

This leads to:
Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!

Not sure if this applies only to German dictionary words.

It gets even worse. Reading the documentation, I found "Characters not allowed: Unicode characters" WTF

Coming back to the weird point system. A banned password is not really banned, it gives you "only" 1 point (and you need five).

This leads to the question: how many points do non-banned words give?

If you think it can't get worse, you're wrong! It looks like each character of a non-banned word gives one point. Meaning "password1234" is an accepted password. (1 point for password and 4 for the digits)

Or a real life example: The attack which affected Microsoft, US government agencies and countless other organizations worldwide was caused by a weak FTP server password.
Namely "solarwinds123", which would be accepted by ID Protection (1 point each for "solar" and "wind", 3 points for the numbers). If "solarwinds" were on the custom banned list, "solarwind1234" would have been enough.

And you can't do anything against it.

I actually hope that the documentation is somewhat wrong and that "123" is not 3 points but 1, as they are consecutive numbers. But this would make it only marginally better (2023

realn2s, (edited )

And the Custom banned password list of ID Protection just continues the joke.

First, it can only contain 1000 entries. And yes, I really don't want to manage a big custom list.

And it gets even worse. The list is intended to contain company specific banned words like brand or product names, company-specific internal terms as well as abbreviations. Entries must be at least 4 characters.

WTF, half the companies I worked for had 3 letter names. And there are many others: BMW, KIA, SAP, IBM, GM, BBC, NBA, NFL, UPS, DHL, ...

And don't get me started on acronyms. (Three-Letter-Acronym) is a term for a reason.

This means, taking my current company as an example, that SMA12 would be an accepted password (if it weren't for the length), because 'SMA' 3 points + '12' 2 points is 5 points.

To reach the necessary length you could simply combine it. E.g. 'SMASolar1' would be an accepted password even if 'Solar' were a banned word.

And I CAN'T do ANYTHING!!!

Or at least not anything sensible. If I start to put combinations of 'SMA*' in the custom banned pw list, I'm back at an inadequately big list I have to manage myself 🤮​.

And even then SMASolar1234 stays valid 🤬​

Call for : I would be very happy if someone can show me that I'm wrong. The state of Microsoft Entra ID Password Protection is a MUCH bigger pain than being wrong would be 😜​.
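
As an added example (not code from this thread and not Microsoft's implementation), here is a small Python model of the 5-point rule exactly as realn2s reads it in the two posts above: each banned-list match is worth 1 point, every other character 1 point, 5 points to pass, custom-list entries must be at least 4 characters, and the 8-character minimum is the one quoted later in the thread. The banned words and candidate passwords are constructed from the thread's own examples; case folding is assumed and any leet-style normalisation is deliberately not modelled.

```python
"""Scoring rule as realn2s reads it; assumptions, not Microsoft's implementation:
- matching is case-insensitive (leet-style substitutions are not modelled)
- at each position the longest banned word that matches is consumed for 1 point
- every character outside a banned match scores 1 point; 5 points are needed
- the 8-character minimum is the one quoted later in the thread
"""

MIN_POINTS = 5
MIN_LENGTH = 8
MIN_CUSTOM_ENTRY_LEN = 4  # the custom list rejects shorter entries, per the post


def build_custom_list(entries):
    """Split proposed custom-list entries into those accepted and those too short."""
    accepted = {e.lower() for e in entries if len(e) >= MIN_CUSTOM_ENTRY_LEN}
    rejected = [e for e in entries if len(e) < MIN_CUSTOM_ENTRY_LEN]
    return accepted, rejected


def score(password, banned):
    """Return (points, banned words consumed) for a password under the 5-point rule."""
    pw = password.lower()
    words = sorted(banned, key=len, reverse=True)  # prefer the longest match
    i, points, matches = 0, 0, []
    while i < len(pw):
        hit = next((w for w in words if pw.startswith(w, i)), None)
        if hit:
            matches.append(hit)
            i += len(hit)
        else:
            i += 1
        points += 1  # a banned word and a loose character are worth the same
    return points, matches


def evaluate(password, banned):
    """Return (accepted, reason); shows why weak combinations still pass."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    points, matches = score(password, banned)
    verdict = points >= MIN_POINTS
    return verdict, f"{points} points (need {MIN_POINTS}); banned matches: {matches}"


if __name__ == "__main__":
    custom, dropped = build_custom_list(["SMA", "Solar", "solarwinds"])  # constructed
    print("custom entries dropped as too short:", dropped)  # ['SMA']
    banned = custom | {"password", "wind"}  # constructed stand-in for the global list
    for candidate in ["password1234", "solarwinds123", "SMASolar1", "SMA12"]:
        print(candidate, evaluate(candidate, banned))
```

Running it shows "password1234" and "SMASolar1" passing with exactly 5 points, while "solarwinds123" only drops to 4 points once "solarwinds" itself is on the list.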

realn2s, (edited )

Sleeping over it I noticed another issue with ID

Regarding the Global banned password list they write "The contents of the global banned password list aren't based on any external data source, but on the results of Microsoft Entra security telemetry and analysis."
(https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad)

Now I have more questions:

WHY are passwords part of the security telemetry data?

The only case where I see this as ok, would be in a honeypot.

And what kind of data would be in the security telemetry data? Usually it's failed attempts, so you risk overestimating password attacks which fail (anyway). Again, this would only be OK with honeypots.

But if you are getting your data solely from honeypots, I fear you're getting a pre-selected type of data. Namely opportunistic, random attacks not targeted attacks.

While I think it's valuable to protect against these kinds of attacks, I really would like passwords to withstand even targeted attacks, even from the inside.
E.g. when the attackers are in the Lateral Movement or Privilege Escalation. Especially if the attackers can start to crack hashes.

For this, Microsoft Entra ID Password Protection seems completely useless.

realn2s,

I don't want to continue complaining, so here are some resources on

I consider the work of Lorrie Faith Cranor (sadly I couldn't find her on ) very interesting.

E.g. https://cups.cs.cmu.edu/#password

To check if a password was part of a breach
https://haveibeenpwned.com/Passwords
(I hesitate to enter real current passwords there but there is also an API which ensures the secrecy of the password)

realn2s,

One more thing

Another shortcoming of ID Protection, I can't wrap.

They recommend to not mandate regular password changes (good) BUT they check the password against known bad passwords ONLY when changing it!

So to detect weak passwords I have to enforce a password change which is (rightfully) not recommended 🤡​

You could simply do this on entry. Every time (or once a day) the user enters the password, it is checked that it isn't well known and that it complies with the current rules.

realn2s,

Moving on to in general

Microsoft offers the following Password Guidance
https://www.microsoft.com/en-us/research/publication/password-guidance/

Side note, the PDF contains no (visible) version information or date :-(
Please, if you publish guidance, especially if you are an influential company, include a date in your documents. I treat guidance from 2016 differently than guidance from 2023.

Back to the recommendations. Most of them are solid but some stick out

  1. Maintain an 8-character minimum

That seems awfully short. states "Longer is better", the recommend 15+ characters and, wait for it, Microsoft themselves recommend 12 or better 14+ characters.

  2. Ban common passwords, to keep the most vulnerable passwords out of your system.

The NIST recommendation check against "commonly used and compromised passwords" considerably extends this!

Microsoft at other places recommends "Not a word that can be found in a dictionary or the name of a person, character, product, or organization."

  3. Educate your users not to re-use their password for non-work-related purposes.

Work related reuse is OK????

I would love to know if internally really follows these password rules. Or if they enforce a stricter set. If anyone knows about this, please let me know (but don't if this would get you fired)

BTW, the other place where Microsoft recommends a different/stronger set of password rules is here (again no date):
https://support.microsoft.com/en-us/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb

Em0nM4stodon, to security

Live your life so that
if someday all of your passwords and passphrases get leaked in plain text people think you are really weird :awesome:​
