Safari did something in that regard in 2018 and proposed a passwordrules attribute with a mini description language:
• https://github.com/whatwg/html/issues/3518
• https://developer.apple.com/documentation/security/password_...
Bitwarden is on the way to support it.
Disclosure: I am the co-founder (https://notesnook.com)
We used to ask our users 90% of the standard password requirements (min length 8, 1 special character, 1 digit, 1 capital etc). The result was a lot of people forgetting their password and having a really bad first impression. We were following "best practices" but the user didn't care.
In the end, we took out all the requirements except one: password must be 8 characters long. While we knew this wasn't recommended, especially for a private note taking app, it was a necessary choice because a lot of people either just modified their old passwords or used new ones which they forgot and got locked out. Good security but...if you also get locked out, what's the point? As for people who used password managers, it doesn't matter either way.
A lot of people sign up just to try out the app. Nothing serious. Nothing too critical. If they get locked out after their first usage, it's goodbye from them. I think there are a few things apps can do to improve security without annoying the user too much:
1. Show the user a notice inside the app if the password is below a certain strength threshold, recommending them to change it.
What cannot be ignored is the fact that many people will attempt to use the same password for multiple sites if given the chance.
Furthermore, some of those shops may contain identifiable information which could be problematic.
Personally, I take a slightly different approach: I don't care about almost any of my passwords... because they're randomly generated!
KeePass gives you very nice choices in regards to this: when I write down a new account into the password-protected DB for a site that I'm about to use, it allows me to both generate a random password for it, as well as specify additional generation rules if needed (e.g. longer or shorter).
That way every password is unique and reasonably secure. In combination with Nextcloud and regular backups to another HDD (and manual ones to SD cards) the password safe is also persisted across my own devices and other mediums, whilst having an even longer password of its own, the only one that I need to memorize (and write down on a piece of paper that I could optionally give to someone I trust, since I once forgot my phone's lock screen pattern years ago).
Here's more info about KeePass: https://keepass.info/
This, when coupled with separate e-mail accounts (e.g. one for professional matters, a few for increasingly more spammy or throwaway purposes) and something like uBlock Origin and a VPN does make my online browsing experience a bit more tolerable and secure.
My word list contains 7227 words apparently, so 12.82 bits per word
https://github.com/redacted/XKCD-password-generator
Not sure how many bits a "good" password should be nowadays.
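An added example (not code from the thread or from the XKCD generator project) that turns the 12.82 bits/word figure above into a small calculator: entropy of a uniformly chosen passphrase for a list of a given size, the word count needed to reach a target, the equivalent upper bound for a character password, and CSPRNG-based word selection. The short word list is a constructed stand-in for the commenter's 7227-word list.

```python
import math
import secrets

# Constructed sample word list; a real diceware/XKCD list has thousands of entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "lantern", "velvet", "quartz"]


def bits_per_word(wordlist_size: int) -> float:
    """Entropy contributed by one word chosen uniformly from the list: log2(size)."""
    return math.log2(wordlist_size)


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Total entropy of n words chosen independently (with replacement)."""
    return n_words * bits_per_word(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(wordlist_size))


def charset_password_bits(charset_size: int, length: int) -> float:
    """Upper bound for a password of `length` symbols drawn uniformly from a
    charset of `charset_size`. Human-chosen passwords fall well below this,
    which is why composition rules alone say little about real strength."""
    return length * math.log2(charset_size)


def generate_passphrase(words, n_words: int, sep: str = "-") -> str:
    """Pick words with secrets.choice (CSPRNG); random.choice is not suitable."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    size = 7227  # word count quoted in the comment above
    print(f"bits per word for {size} words: {bits_per_word(size):.2f}")
    for n in (4, 5, 6, 7):
        print(f"{n} words: {passphrase_bits(size, n):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(size, 80)}")
    # 8 characters from the 95 printable ASCII symbols, even if truly random:
    print(f"8-char random printable ASCII: {charset_password_bits(95, 8):.1f} bits")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```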
Well, I will try. First, I was commenting on my interpretation of the parent comment: identity theft, and protecting savings and retirement accounts.
Be inquisitive and aware. I think you have this covered by reading Hacker News and having an interest in the subject. I enjoyed reading Slashdot (while it was good) before switching to Hacker News, but it's also been a vital ongoing education for me. Comments often have more value than the original article. Being knowledgeable about security risks and common exploits helps prevent falling victim to them.
https://hn.algolia.com/?q=identity+theft
https://www.newyorksecuritieslawyersblog.com/my-money-was-st...