lemmy.world

hperrin, do games w Larion Studios forum stores your passwords in unhashed plaintext.

You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.

Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.

icedterminal,

I recently created an Activision account during a free weekend event and discovered their password system is completely broken. 30 character limit, but it refused to accept any more than 12 characters. Kept erroring out with “must be less than 30”. Once I got it down to 12 it accepted that, but then it complained about certain special characters. Definitely not giving them financial information.

Darkassassin07,

My bank has a character limit, but they don’t tell you about it; they just trim the password you’ve set before hashing + saving it, then when you go to login if you don’t trim your password the same way they did, login fails.

I only know this because the mobile app will actually grey out the login button as soon as you enter more than the character limit. The web app just leaves you to be confused.

icedterminal,

What an absolutely shitty design.

Chobbes,

I had a similar situation with my health insurance company, except I think they added the character limit a while after I had set my password T_T. So, it worked for months, then they changed the mobile app so I couldn’t enter a long password… And then eventually they changed the website too and then I couldn’t log in at all. Thaaaaanks.

turbowafflz,

Isn’t this also what Windows NT used to do? I feel like I remember encountering this scenario

DSTGU,

Doesn’t lemmy also do it? I think I’ve heard from Ruben at Boostforlemmy that lemmy only treats the first 60 characters of your password as a password and the rest gets discarded. [citation needed]

Darkassassin07,

Can’t say I’ve ever tried to use a password quite that long, so I’m not sure.

Not ideal, but trimming it (especially when you’re keeping 60 chars) isn’t the end of the world. It was just super confusing that the web app doesn’t trim it during login as well. There’s no indication that your password was modified or what you’ve entered to login is too long. Just ‘incorrect user/pass’ despite entering what you’ve just set. That char limit for my bank is only 16 chars, so it’s easy to hit.

wols,

It’s a big deal IMO, particularly because at login it doesn’t do the same. From the user perspective, your password has effectively been modified without your knowledge and no reasonable way of finding out. Good luck getting access to your account.
When a bank does this it should be considered gross negligence.

exal,

Kind of.

The official web UI doesn’t let you enter more than 60 characters, but doesn’t indicate that at all. So you can keep typing past 60 characters but it won’t get added to the input field and you can’t really see that. If you paste a password into the field, it gets trimmed to 60 characters.

When creating a password, the server checks that it isn’t longer than 60 characters and returns an error if so. On login, however, it silently trims the password to 72 bytes, because that’s what the hashing algorithm they use supports.

Jezzdogslayer,

My bank, if you get your card number through the app, has a dynamic CVV that changes every day, so while not perfect it’s what I use whenever purchasing online.

exal,

Especially if they have a maximum password length.

Not really, there are good reasons to limit password length. Like not wanting to waste compute time hashing huge passwords sent by a malicious actor. Or using bcrypt for your hashes, which has a 72 byte input limit and was considered the best option not that long ago. The limit just has to be reasonable; 72 lowercase letters is more entropy than the bcrypt hash you get out of it, for example.
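The three length-limit situations raised in this part of the thread (a hashed store producing a constant-length digest whatever the input, a bank that trims before hashing at set-time but not at login, and bcrypt silently ignoring everything past byte 72 even when a 60-character check passed) can be seen side by side in one script. This is an added example written for the discussion, not Lemmy’s, Larian’s or any bank’s code: `hashlib.scrypt` from the Python standard library stands in for whatever KDF a real site uses, the 72-byte cut-off models bcrypt’s behaviour rather than calling bcrypt, and the 16, 72 and 1024 limits are assumptions.

```python
"""Added example for this thread: how password length limits interact with hashing.

Illustrative code written for the discussion above, not Lemmy's, Larian's or any
bank's implementation. hashlib.scrypt (Python stdlib) stands in for whatever KDF a
real site uses; the 72-byte cut-off is a model of bcrypt's input limit, not a call
into bcrypt itself. The limits 16, 72 and 1024 are assumptions for the demo.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

MAX_PASSWORD_BYTES = 1024   # only a DoS guard; a hashed store needs no tighter limit
BANK_LIMIT = 16             # assumed character limit of the bank described above
BCRYPT_INPUT_LIMIT = 72     # bcrypt reads at most 72 bytes of its input


def _kdf(pw: bytes, salt: bytes) -> str:
    """Salted KDF with a 32-byte output regardless of input length."""
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    digest = hashlib.scrypt(pw, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def _salt_of(stored: str) -> bytes:
    return base64.b64decode(stored.split("$")[1])


# --- the sane baseline: hash exactly what the user typed, never trim ------------

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    return _kdf(password.encode("utf-8"), salt or os.urandom(16))


def verify_password(password: str, stored: str) -> bool:
    return hmac.compare_digest(hash_password(password, _salt_of(stored)), stored)


# --- the bank bug: trim silently when setting, forget to trim on the web login --

def bank_set_password(password: str) -> str:
    return hash_password(password[:BANK_LIMIT])


def bank_app_login(password: str, stored: str) -> bool:
    return verify_password(password[:BANK_LIMIT], stored)   # trims the same way


def bank_web_login(password: str, stored: str) -> bool:
    return verify_password(password, stored)                # no trim: long passwords fail


# --- the bcrypt limit: bytes past 72 are ignored, and a 60-character check -----
# --- does not prevent it, because characters are not bytes ---------------------

def bcrypt_like_hash(password: str, salt: Optional[bytes] = None) -> str:
    truncated = password.encode("utf-8")[:BCRYPT_INPUT_LIMIT]
    return _kdf(truncated, salt or os.urandom(16))


def bcrypt_like_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(bcrypt_like_hash(password, _salt_of(stored)), stored)


def prehashed_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Common mitigation: SHA-256 then base64 gives a 44-byte string that is
    never truncated, so every byte of the original password still counts."""
    pre = base64.b64encode(hashlib.sha256(password.encode("utf-8")).digest())
    return bcrypt_like_hash(pre.decode("ascii"), salt)


def prehashed_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(prehashed_hash(password, _salt_of(stored)), stored)


if __name__ == "__main__":
    pw = "twenty-character-pw!"                              # constructed sample
    stored = bank_set_password(pw)
    print("bank app login:", bank_app_login(pw, stored))    # True
    print("bank web login:", bank_web_login(pw, stored))    # False
    a, b = "é" * 36 + "1", "é" * 36 + "2"                  # 37 chars, 73 bytes each
    print("bcrypt-like collision:", bcrypt_like_verify(b, bcrypt_like_hash(a)))  # True
    print("with pre-hash:", prehashed_verify(b, prehashed_hash(a)))               # False
```

The two `"é"` passwords are 37 characters long, so they pass a 60-character check, but they are 73 bytes in UTF-8 and differ only in the 73rd byte, which is why the bcrypt-style model accepts one as the other. The only length limit `hash_password` needs is the generous byte cap that stops someone feeding the KDF megabytes per request.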

hperrin,

Yes, reasonable limits are fine, I was talking more like 12 or 13 characters max. That’s probably indicative of a database field limit, and I’ve seen that a fair amount because my password manager defaults to 14 characters.

vox, do games w Larion Studios forum stores your passwords in unhashed plaintext.

no, they probably dont.
they just send it to your email upon registration, which is kinda a bad idea, but they are probably storing passwords hashed afterwards.

tb_, (edited )

But that still means they had your plaintext password at some point.

Edit: which, as some replies suggest, may not actually be much of an issue.
I’m still skeptical about them returning it, however.

Kilamaos,

Of course. You receive the password in plain on account creation, do the process you need, and then store it hashed.

That’s fine and normal

kadu,

deleted_by_author

    Vegasimov,

    When you create an account you type your password in. This gets sent to the server, and then it is hashed and stored

    So there is a period of time where they have your unhashed password

    This is true of every website you have ever made a password on

    dangblingus,

    So why would an agent at Larian have man-in-the-middle access between the password being sent to the server, and the auto-hash?

    kadu,

    deleted_by_author

    Vegasimov,

    I’ve never even heard of the game studio. I’m not defending them; I was replying to the person who said the company should never have your unhashed password, and explaining that they have to at some point in the process.

    vox,

    hashing on client side is considered a bad idea and almost never done.
    you actually send your password “in plain text” every time you sign up.

    wim,

    It’s not a bad idea and it is often done, just not in a browser/webapp context.

    hotdoge42,

    Can you give an example where this is done?

    wim,

    Sorry, I should have included an example in my comment to clarify, but I was in a rush.

    HMAC is a widely used technique that relies on hashing of a shared secret for verifying authenticity and integrity of a message, for example.
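The pattern the reply above points at is HMAC challenge-response: the server sends a fresh nonce, the client returns an HMAC of that nonce keyed with the shared secret, and the secret itself never crosses the wire. The following is an added example written for this thread, not any named product’s protocol; the message layout, the 16-byte nonce and the in-memory secret table are assumptions. Note the trade-off it makes visible: the server must hold the same key the client used (or a key derived from the password) to recompute the MAC, so the stored credential cannot be a one-way salted hash of the password.

```python
"""Added example for this thread: HMAC challenge-response, where the client
hashes a shared secret to prove it knows it without ever sending the secret.
Illustrative code written for the discussion above, not any named product's
protocol; the message layout, nonce size and the toy in-memory secret table
are assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict


def _response(secret: bytes, user: str, nonce: bytes) -> bytes:
    """HMAC-SHA256 over a fixed layout: purpose tag, user name, fresh nonce."""
    msg = b"login|" + user.encode("utf-8") + b"|" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Server:
    """Keeps the shared secrets and one outstanding nonce per user.

    The server needs the secret (or a key derived from it) in usable form to
    recompute the MAC; that is the cost of never receiving the secret itself.
    """

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets
        self._pending: Dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[user] = nonce             # replaces any earlier nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)   # single use: a replayed response fails
        secret = self._secrets.get(user)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(_response(secret, user, nonce), response)


class Client:
    def __init__(self, user: str, secret: bytes):
        self.user, self._secret = user, secret

    def answer(self, nonce: bytes) -> bytes:
        return _response(self._secret, self.user, nonce)


def run_login(server: Server, client: Client) -> bool:
    """One full exchange: challenge out, response back, verdict."""
    nonce = server.challenge(client.user)
    return server.verify(client.user, client.answer(nonce))


if __name__ == "__main__":
    srv = Server({"alice": b"constructed-shared-secret"})   # constructed sample
    print("alice:", run_login(srv, Client("alice", b"constructed-shared-secret")))  # True
    print("wrong secret:", run_login(srv, Client("alice", b"guess")))               # False
```

The nonce is popped on the first `verify` call, so a captured response is useless against a later challenge, and `hmac.compare_digest` keeps the comparison constant-time.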

    sleepy555,

    Really everytime you log in too.

    Hexarei,

    Um. Yeah, because you provided it to them. They have to have it in plain text in order to hash it.

    TheEighthDoctor,

    So it’s in plaintext in their email system

    Thadrax,

    Generated emails usually don’t get saved, as soon as it is delivered it will be gone.

    vox,

    these emails don’t usually get copied to a local outbox folder (like any other auto generated emails)

    password may end up in cache somewhere tho…
    and this is why it’s a bad idea and rarely done nowadays

    Mirodir,

    …and if they keep the emails they send out archived (which would be reasonable), they also have it stored in plaintext there.

    Thadrax,

    Automatically generated emails usually don’t get saved.

    glitches_brew,

    As the designated email dev at my company I can confidently say this is not true.

    Not saying that this specific email is persisted, but almost all that I work with are. It’s a very common practice.

    Rambomst,

    Yeah, we save most emails sent out at my work.

    tocopherol,

    I wonder how much this varies depending on the amount of data it would require to store the emails of a company. I know nothing about this subject, but does it occur where companies with very large email lists would forgo storing those types of emails to save data costs?

    glitches_brew,

    In my experience it varies a lot. Even in our own system certain emails are stored differently. There are a few “we legally have to deliver this email and might need to prove it later” notifications. We store a PDF of those in s3. For others we might just save the data, a sent timestamp, and a key for which email visual template was used.

    I also thought of a counter argument to my point overnight. We don’t store one super duper high volume email which is the email that only has an MFA code. We would also absolutely never ever dream about allowing a plaintext password in an email, so we’re probably following different patterns in the first place.

    dangblingus,

    I’ve literally never had a service provider email me my own password ever. Maybe a OTP, but never my actual password. And especially not in plaintext.

    What would be the necessity behind emailing someone their own password? Doesn’t that defeat the purpose of having a password? Email isn’t secure.

    wim,

    I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.

    A lot of cottage industry web apps also did the same.

    EssentialCoffee,

    They’re probably just young.

    benjacoblee,

    Idk if I’m misremembering, but it’s my impression that they did this a lot in the 2000s, haha. I guess bad practices have a habit of sticking around

    EssentialCoffee,

    I’ve had service providers physically mail my own password to me before. Just crazy.

    Always use unique passwords for every site.

    darkkite,

    this is still a terrible idea. the system should never know the plaintext password.

    logs capture a lot even automated emails. i don’t see a single reason to send the user their plaintext password and many reasons why they shouldn’t

    vox,

    passwords are usually hashed server-side tho and that’s done for a reason.
    if handling passwords correctly, server side hashing is way more secure than client-side. (with client side hashing, the hash becomes the password…)

    JackbyDev,

    “Kinda a bad idea?” This is fucking insane.

    Umbraveil,

    Is it though? While it certainly isn’t something I’d recommend, and I’ve encountered it before, if E2E encryption exists we cannot assume a data exposure had occurred.

    What they do on the backend has nothing to do with this notification system. Think of it as one of these credentialess authentication systems that send a ‘magic link’ to your inbox.

    Aielman15, do games w The Weekly 'What are you playing?' Discussion - 25-09-2023

    I’m playing Valkyria Chronicles. I think I’m about to finish the main story, though I have to tackle most of the extra content still (skirmishes and DLC maps).

    It’s a bit strange, but once you stop looking at it as a strategy game, it becomes apparent that it’s actually a puzzle game in disguise, asking you to clear all scenarios in the most time efficient way, which usually translates to very precise troop placement and attacking enemies in a specific order.

    I already played VC4 last year and it was a blast. VC1 has a bit less content and the QoL features from the sequel are sorely missing, but it’s still a lot of fun.

    weebkent,

    Nice. Personally only played VC1 and currently on VC2 (on a break though). All I can say so far is that the game series is a rough gem, fun but a bit unbalanced. VC2 is better in that aspect though, and I would assume the later games are as well.

    Aielman15,

    I can’t speak about VC2 and 3, but 4 is pretty much the same as 1. The unbalanced nature of the game is part of the fun, for me. And if you’re willing to play the missions “as intended” instead of cheesing them with the attack-boosting orders, imo they provide quite the challenge (especially late-game VC4).

    weebkent,

    If I ever revisit 1, I’ll definitely play it with a rebalance mod, not sure on which since there’s like 3 of them.

    While killing a tank with a scout is funny, it cheapens the gameplay. Personally I’m the kind that gravitates to metas, not to the point of obsessive min max, but it’s enough to sour the experience if it’s particularly busted like in the first game. Doesn’t help that the ranking system only cares about speed making it sort of necessary to exploit if you want a good result :/

    weebkent, do games w The Weekly 'What are you playing?' Discussion - 25-09-2023

    Recently played Titanfall 2 and bought the Muse Dash DLC, and man this has been the most fun ride I’ve been in a while.

    First off, Muse Dash. I’ve bought the base game a long while ago and pretty much cleared all of the hard content it had to offer. Due to the recent controversy, I jumped the gun and bought the DLC earlier than I would have liked, but I did plan on getting it at some point so its not a complete bummer. The main draw of the DLC for me was mainly more content since base game is reeeally small - specially if you are experienced at the game or genre as a whole, and the mods. The mods along with custom charts made the game way more compelling than before. Bless the good people who do game mods, they are actual gods.

    Then we arrive at Titanfall 2. To be honest, I did not expect it to run on my i3 potato laptop, but it did… and I got addicted, clocking in 30 hours in like a week and a bit. The campaign is good, the multiplayer is amazing once it clicks, and now I’m replaying the campaign again for the collectibles. It is a genuine breath of fresh air as the majority of multiplayer/online games that I play involve live service stuff, gacha and tedious grind, and I’m not interested in mainstream competitive stuff either with ELO ranking and keeping up with metas. Here I can enjoy fragging to my heart’s content and casual competition without the baggage modern gaming entails (battlepass progression, ranked, FOMO, etc.). And even if I get beat by someone better, I view it as a challenge and not pure BS (I’m looking at you War Thunder).

    ram, do games w The Weekly 'What are you playing?' Discussion - 25-09-2023

    I beat Kingdom Hearts 2 last week, so I’m just starting Kingdom Hearts: 358/2 Days. Taking a bit of a break though, so might not end up getting to it until next week.

    Snipe_AT, do gaming w RPG Maker on the Unity debacle

    come back in 10 years for the starting comment of your video documenting the long term villain arc of rpgmaker.net

    NegativeInf,

    I await the video essay. Setting a reminder.

    orphiebaby,

    They already do some crappy things. With that said, I still mostly like RPG Maker.

    Decoy321,

    Any examples? I’m genuinely curious

    orphiebaby, (edited )

    I can’t speak for everyone, but the transition from one version to another loses almost as many features as it gains. It is especially crappy about its provided sprites, to the point where we keep losing entire sprite types, many sprite sets are just plain unfinished or untested, and they insisted we move from sprites that people could somewhat take seriously to chibi/moe sprites that nobody on Earth can take seriously for an adventure game.

    Another issue is that the series keeps releasing new versions that are incremental improvements at best, and they want us to pay a lot of money for each installment and half-sequel with said very few improvements, and also pay for a lot of content packs. There are things that should have been added 15 years ago and still aren’t here. They can’t even allow us to customize menus, and countless other issues. Honestly the dev team seems like they’re not very good at programming or art in the first place, and they’re just raking in money from incremental improvements over many decades. People try to excuse the engines’ lack of basic features with “but you can program it in Ruby/Javascript yourself!” Which is a really bad thing to rely on for a game-creation engine of this type.

    I’m sure other people are annoyed by things I’m not even thinking of right now.

    Moonrise2473,

    Reading this comment, it seems like they cater to the Japanese market and the rest of the world is an afterthought

    Duke_Nukem_1990,

    Yeah, they are a company, their goal is profits, they will do crappy things. Go open source if you want to get away from that.

    orphiebaby,

    This is not an absolute.

    Duke_Nukem_1990,

    If profits are the goal, then it is.

    orphiebaby,

    Yeah, every single person who makes money in the form of a “business” is a crappy person who does crappy things, sure, whatever.

    You do realize indie devs consisting of one or two people are also businesses, right?

    irmoz,

    They will still need to do crappy things to make profits. It’s the nature of the beast.

    Syrc,

    So what crappy things did Re-Logic do, for example?

    irmoz,

    Not pay its employees the full value of their labour. Mathematically impossible.

    Schadrach, (edited )

    Nothing stops a game dev company from operating as a cooperative, and paying the employees their share of the full value of revenue, minus costs involved in production and distribution and presumably some amount of seed funding they all agree to set aside for the next project.

    But then, splitting the revenue means splitting the risk. So if the game doesn’t sell enough to recoup costs then the workers get nothing.

    The whole tradeoff of wage labor is that you agree to do a thing for an amount of pay, regardless of what the employer gains from that labor. You typically don’t get the full value of your labor, but are also insulated from business risks. If this usually didn’t pay off for the employer, then basically every business would be a co-op (because no one would be willing to pay someone to do a job if they weren’t willing to take a share of the risk), but successful co-ops of any scale are pretty rare which suggests a general unwillingness for workers to take on a share of the risks of the business.

    irmoz, (edited )

    Nothing stops a game dev company from operating as a cooperative

    Apart from existing in a sea of capitalist companies that can ruthlessly outcompete them. Co-operatives don’t stand a chance.

    paying the employees their share of the full value of revenue, minus costs involved in production and distribution and presumably some amount of seed funding they all agree to set aside for the next project.

    That would only be feasible in a very small company, with sufficient profits to spread among the workforce.

    But then, splitting the revenue means splitting the risk. So if the game doesn’t sell enough to recoup costs then the workers get nothing.

    Yep, like I just said.

    The whole tradeoff of wage labor is that you agree to do a thing for an amount of pay, regardless of what the employer gains from that labor.

    I’d frame it as: you need money to live. Therefore, you suck it up and let someone exploit you so they can profit from your work, and give you scraps out of that profit.

    You typically don’t get the full value of your labor, but are also insulated from business risks.

    Those “business risks” only exist as a result of the same system that necessitates wage labour: capitalism. The risks generally have to do with failing to increase growth and therefore going under due to lack of owner capital. A democratic economy has no owners, only a collective workforce who will together use their resources to fund the company and pay their own wages - this means there is no need for growth. That huge risk no longer exists.

    If this usually didn’t pay off for the employer, then basically every business would be a co-op

    That’s not even worth thinking about. We live in capitalism. Of course working with a capitalist model would work best - it’s the only way to ensure profits for the owners.

    (because no one would be willing to pay someone to do a job if they weren’t willing to take a share of the risk)

    You’re still assuming an owner. A democratic workplace wouldn’t have an owner - they’d all share responsibility for the business. And pay would be agreed democratically.

    but successful co-ops of any scale are pretty rare which suggests a general unwillingness for workers to take on a share of the risks of the business.

    No, it suggests that co-ops are ill-equipped to compete. It’s a moral decision, not a business one, and an incredibly risky one. Any company that isn’t willing to exploit its workers will be beaten out by one that is willing to do that, because the competitive, capitalist one will inevitably have more resources to throw behind it.

    Think about this: for a company to be a co-op, it either has to be founded that way, or changed some time afterward. A company that runs in a traditionally capitalist way can only have fundamental changes happen at the behest of its owner; workers have no say how their business is run. This means that the small amount of co-ops has nothing to do with workers’ willingness to take risks. It has to do with owners not wanting to relinquish power and profit - an owner can only lose when transitioning to a co-op.

    I’m not saying that Re-Logic should be a co-op. I’m saying our entire economic system demands that they exploit their workers.

    Syrc,

    That would only be feasible in a very small company, with sufficient profits to spread among the workforce.

    They have 10 employees and their game sold 44+ million copies. That’s like 1000 copies a day, per employee, for 13 years.

    If you have proof they aren’t doing it feel free to link, but looking at their policies I kinda doubt it.

    irmoz, (edited )

    My comment wasn’t aimed at Re-Logic precisely, and I admit I was only making assumptions. My assumption was that their company fit into the mold of how capitalist companies operate. If they are a co-op, and practise profit sharing, then I admit I was wrong in my assumption, but I hope you agree it’s an assumption closely related to the reality of capitalist economics.

    EDIT: Re-Logic has an owner. Sorry, my original comment stands.

    Schadrach,
    
    Nothing stops a game dev company from operating as a cooperative

    Apart from existing in a sea of capitalist companies than can ruthlessly outcompete them. Co-operatives don’t stand a chance.

    Why not? Why do workers and owners being exactly the same set of people make it impossible to successfully develop games? This is an extra-important question to answer because a lot of these indie dev companies are a dozen or so people in total.

    Could it be that the upfront costs, and the delayed nature of turning any profit at all (along with no profit being assured) means that getting paid a fixed amount to do game dev labor regardless of success is a safer option for most developers, rather than actually being a stakeholder?

    
    paying the employees their share of the full value of revenue, minus costs involved in production and distribution and presumably some amount of seed funding they all agree to set aside for the next project.

    That would only be feasible in a very small company, with sufficient profits to spread among the workforce.

    Most indie game devs ARE very small companies.

    
    But then, splitting the revenue means splitting the risk. So if the game doesn’t sell enough to recoup costs then the workers get nothing.

    Yep, like I just said.

    That’s the nature of dealing with a market economy - you make a thing or provide a service, there are costs involved in doing so, and if you earn more in revenue than your costs then you profit. If not, you don’t. Either way in a typical company it’s the owners that benefit or lose as a consequence, as paying employees to do a thing is one of those costs. In a co-op, those employees are the owners, and win or lose accordingly.

    
    The whole tradeoff of wage labor is that you agree to do a thing for an amount of pay, regardless of what the employer gains from that labor.

    I’d frame it as: you need money to live. Therefore, you suck it up and let someone exploit you so they can profit from your work, and give you scraps out of that profit.

    You don’t have to - you could go into business for yourself. Make a thing and sell that thing, and reap the full profits of your labor. This is an especially possible thing to do in the game development world where some of the largest games ever literally started as someone’s pet project or as some other project that got trashed and repurposed. The Warcraft franchise (as in WoW) for example, started as an attempt at making a Warhammer RTS that Games Workshop wasn’t interested in. Sierra Online started as a couple making PC games at home. Notch sold Minecraft to Microsoft for 4 billion dollars, and it literally started as a one man project being sold on a cheesy looking website for a few bucks.

    
    You typically don’t get the full value of your labor, but are also insulated from business risks.

    Those “business risks” only exist as a result of the same system that necessitates wage labour: capitalism. The risks generally have to do failing to increase growth and therefore going under due to lack of owner capital. A democratic economy has no owners, only a collective workforce who will together use their resources to fund the company and pay their own wages - this means there is no need for growth. That huge risk no longer exists.

    Yes, yes, once there’s a communist revolution that actually results in “real” communism and thus utopia get back to me. But, umm, we’ve had several attempts at communist revolutions and they never seem to actually turn out that way, largely because of a combination of people being greedy (good luck fixing that) and communist revolutions tending to create the sort of power vacuums that lead to authoritarian takeovers in relatively short order. Although, under that system good luck creating games that don’t glorify the Party, because that is of course the purpose of all art.

    Failing to increase growth is not necessarily a problem. Failing to generate revenue in excess of costs is a problem. The need for endless growth is specifically an issue for publicly traded companies, because the charter almost necessarily says the function of the company is to increase shareholder value, and shareholders are going to do whatever they have to do to increase both their dividends and hypothetical sale value of their shares as much as possible, because that is what most benefits them. The incentive model is a bit different for a co-op.

    
    If this usually didn’t pay off for the employer, then basically every business would be a co-op

    That’s not even worth thinking about. We live in capitalism. Of course working with a capitalist model would work best - it’s the only way to ensure profits for the owners.

    Of course it is worth thinking about.

    You’ve got basically two scenarios - one in which a business owner assumes the risks of operating the business and pays workers an agreed upon wage regardless of the revenue that results. In this case the worker gets the same benefit for their labor no matter what, and the owner is attempting to get more value from the worker’s product than he paid for it in wages, supplies, and materials. If he does, he reaps the benefit and if he doesn’t he eats the loss.

    In the other scenario, the workers and the owners are the exact same people. Meaning the workers assume the costs of operating the business and the risks that it won’t result in revenue in excess of those costs but also reaps the benefit if it does. Sometimes this occurs as a co-op, but more often as an entrepreneur in which someone starts a small business in the hopes that they can generate revenue in excess of their costs and thus profit.

    
    (because no one would be willing to pay someone to do a job if they weren’t willing to take a share of the risk)

    You’re still assuming an owner. A democratic workplace wouldn’t have an owner - they’d all share responsibility for the business. And pay would be agreed democratically.

    I’m assuming a free market instead of a centrally controlled economy. I’m specifically talking about the reason why we trend towards wage labor over entrepreneurs or co-ops, even in fields where the barriers to entry are as low as can be. Most of the workforce is unwilling to accept the financial risk of failing to generate revenue in excess of costs, and so sell their labor at some agreed upon fixed rate that they will receive regardless of month-to-month revenue for better or worse.

    irmoz,

    Why not? Why do workers and owners being exactly the same set of people make it impossible to successfully develop games? This is an extra-important question to answer because a lot of these indie dev companies are a dozen or so people in total.

    Lot money divided by many people = little money

    Lot money in one person not divided. Still lot

    Thanks for coming to my ted talk

    Also - didn’t say it made it impossible to develop a game. Nice go making weird assumptions, though.

    demonsword, (edited )

    You do realize indie devs consisting of one or two people are also businesses, right?

    seems to me that there’s some sort of critical mass they need to achieve first before the fuckery sets in, small teams aren’t “evil” (yet) simply because they can’t be (yet)

    EDIT I mean “evil” as in “we want profit above all else, let’s milk this cow dry until she dies”

    Miclux, do games w Larion Studios forum stores your passwords in unhashed plaintext.

    deleted_by_author

    lwuy9v5,

    what a stupid comment

    Miclux,

    Show me where the proof is that they STORE it plain text. This is just a screen of a mail after creating an account.

    Cabrio,

    They can’t send it if they haven’t stored it, that’s the proof. Whether temporary or not it’s a weakness and attack vector for obtaining unhashed passwords. And if they stored it, it should be immediately hashed at which point they can’t send it.

    towerful,

    They can still send it while the value is in memory.
    But it’s unlikely that emails are sent synchronously. At which point, it has to be added to a job queue somewhere which might not be in memory.
    There is also the communication with that job queue, and logging along the way, and any email logging.
    Email isn’t secure, either.

    So, it’s bad practice regardless.

    Thankfully larian did address this, and fixed the issue as pointed out by another commenter.
    Addressed here, with the follow up of fixing it:
    forums.larian.com/ubbthreads.php?ubb=showflat&…

    And that was back in 2020. 3 years ago.

    rikudou,

    That… is not how it works. It is usually hashed and at the same time an email is sent. Meaning it’s not stored plaintext in any storage.

    Cabrio,

    You’ll forgive me for not trusting anyone who can tell me my password that isn’t me.

    Miclux,

    That’s a totally different statement than that in your post.

    Cabrio,

    Sure, if you’re illiterate.

    Miclux,

    Arguing is not your thing, buddy? 🤡

    Cabrio,

    If self awareness was a disease you’d be the healthiest person alive.

    redcalcium,

    Plenty of websites did this… more than a decade ago, and even then plenty of security conscious people writing blogs and posting on social media were begging devs to stop doing this.

    vox,
    @vox@sopuli.xyz avatar

    They can send it without storing it. In fact a lot of websites (mostly small outdated forum systems) send your password to your email before storing it.

    Miclux,

    It’s so sad that you spread misinformation based on your inadequate knowledge.

    Cabrio,

    Lmao

    lowleveldata, do games w Larion Studios forum stores your passwords in unhashed plaintext.

    Don’t use a password there that you’ve used anywhere else

    Just get a password manager already

    JoMiran,
    @JoMiran@lemmy.ml avatar

    This is the correct answer.

    Ledivin, (edited )

    I just wanted to drop a reminder that both LastPass and Norton LifeLock have been hacked within the past year alone.

    SaltySalamander,
    @SaltySalamander@kbin.social avatar

    I just want to drop a reminder (to you specifically) that you don't have to use a cloud-based password manager. Roll your own.

    SomeRandomWords,

    Can I discourage rolling your own password manager (like using a text doc or spreadsheet) and instead recommend what you hopefully meant, self-hosting your own password manager?

    AnonTwo,

    I don't know what you're trying to say. I think it was safe to assume Salty probably meant the local-based keepass or something like that?

    I wouldn't have immediately gone to text doc or spreadsheet. those aren't password managers.

    DrQuint,

    The only annoying part about the modern world is that you want to have that KeePass file synchronized between devices, at which point you either go down the path of something like Syncthing (not mainstream user friendly) or you just end up asking yourself “fine, what cloud service do I trust to not go looking at my files?”

    melooone,

    I always synced my database manually either directly over usb, or wifi (KDE Connect). I have to admit that it’s not really user friendly, but once I got used to it, it’s no problem at all.

    And uploading it to any cloud service should be fine as long as it’s encrypted with a strong password. But that kind of defeats the point of an offline password-manager in my opinion.

    Hexarei,
    @Hexarei@programming.dev avatar

    I have mine in a self hosted Nextcloud instance, best of both worlds

    h_a_r_u_k_i,
    @h_a_r_u_k_i@programming.dev avatar

    Good advice only for tech-savvy people and people who are interested in self-hosting. There are so many things that can go wrong, like improper backups and accidental networking problems.

    lowleveldata,

    Use KeePassXC and you can’t get hacked

    DrQuint, (edited )

    Well, you can. But you have to be PERSONALLY hacked. At which point you’re at a level of risk equal to “will my house burn and my notebook full of passwords get lost?”

    neatchee,

    And here’s a reminder that trusting a centralized service with high-security access control is usually a bad idea.

    I stay away from LastPass for the same reasons I stay away from TeamViewer. Security through obscurity on top of decoupling my security interests from others means other people being attacked is much less likely to cause me harm at the same time.

    Hexarei,
    @Hexarei@programming.dev avatar

    Offline password managers like KeePassXC are a thing, plus self-hosted remote storage like Nextcloud means you’re not worried about any third-party interference.

    neatchee,

    I use Pleasant Password Manager, which is KeePass compatible. Big fan of offline cache with online sync for access anywhere with an internet connection, on top of my phone’s offline copy.

    Kbin_space_program,

    KeePass is a thing that exists and is fantastic.

    Vash63, (edited )

    And at least for LastPass no passwords were compromised. Saying they “were hacked” and leaving the extent of the hack out implies something worse IMO, it’s misleading. The safes themselves are E2E encrypted so they also don’t have your password.

    That said, my vote is for Bitwarden as it’s open source and allows self-hosting if you think you’re a more reliable admin than they are. Open plus more choice is always better.

    Kangie,

    And at least for LastPass no passwords were compromised

    I’m just going to leave this here:

    krebsonsecurity.com/…/experts-fear-crooks-are-cra…

    BigDiction,

    This is true, but they have your encrypted vault, and all the technical data to make unlimited informed attempts at cracking it. If you used LastPass, you definitely need to be changing passwords for your critical services at a minimum.

    ram,
    @ram@bookwormstory.social avatar

    Just this month a link was made between $35 million in crypto being stolen and the 150 victims being LastPass users.

    In 2022 LastPass was compromised through a developer’s laptop and had customer data like emails, names, addresses, partial credit cards, website URLs, and most importantly vaults stolen last year, and given they’re closed source, have no independent audits, and don’t release white papers, we have no idea how good their encryption schemes actually are nor if they have any obvious vulnerabilities.

    In 2021, users were warned their master passwords were compromised.

    In 2020 they had an issue with the browser extension not using the Windows Data Protection API and just saving the master password to a local file.

    What will 2024 bring for LastPass? They were hacked, and there’s no reason to think they won’t see more breaches of confidential customer information and even passwords in the future. This is a repeated pattern, and I’d rather trust a post-it note on my monitor for security than LastPass at this point.

    TigrisMorte,
    Spacecraft,

    I want to suggest 1Password even though it’s not free (I used bitwarden for many years though). It has its own SSH agent which is a dream.

    Belazor,

    The only problem with their SSH agent is, if you store let’s say 6 keys and the server is set to accept a maximum of 5 keys before booting you, and the correct key happens to be key number 6, you can end up being IP banned.

    This happened to me on my own server :P

    That being said, my experience was using the very first GA release of their SSH Agent, so it’s possible the problem has been sorted by now.

    miroppb,
    @miroppb@kbin.social avatar

    BitWarden is awesome. Been using it since 2 of my colleagues went to work for them

    brb,

    How is this better than Firefox built-in password manager?

    Itsamelemmy,

    Firefox is extremely easy to get your password from behind the *** if it autofills. Requires physical access, but literally takes seconds. Right click the field, inspect and change the field type from password to text.

    brb,

    So if my passwords are behind fingerprint there’s no problem?

    Itsamelemmy,

    On mobile I’m assuming. I personally don’t know a way to bypass the fingerprint locks. And if you’re also having Firefox create random difficult passwords, it’s significantly better than reusing the same one. So you’re probably a much harder target than the majority of people. I’d have to double check, but I think even on desktop if you have a master password for Firefox and don’t just have logins auto-filled you’re probably good there too.

    brb,

    Thank you. I do use master password on everything. This does ease my mind a bit.

    dpkonofa,

    One vote for 1Password here.

    CuddlyCassowary,

    I literally trust them with my life. Agreed.

    1984, (edited ) do games w Larion Studios forum stores your passwords in unhashed plaintext.
    @1984@lemmy.today avatar

    It’s 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one, with multi factor auth on important sites like email.

    Kolanaki,
    !deleted6508 avatar

    I’ve used the same password for everything since 1991. If anyone’s cracked it, they haven’t attempted to get into my shit. Probably because there’s nothing worthwhile to steal.

    gornius,

    “I’ve never had covid, so it doesn’t exist” vibes.

    1984,
    @1984@lemmy.today avatar

    If you don’t care, just give me your password then. :)

    Kolanaki,
    !deleted6508 avatar

    It’s *********.

    Edit: I guess the site autohides passwords? 🤷🏻‍♂️

    1984,
    @1984@lemmy.today avatar

    I tried putting the stars in there and it didn’t work!

    :)

    Bitrot,
    @Bitrot@lemmy.sdf.org avatar

    hunter2

    Hey, you’re right!

    Nibodhika,

    First of all, they wouldn’t know there’s nothing worthwhile until they got in. But most importantly, if you’re using the same password for everything since ’91 there’s around a 0% chance that password hasn’t been leaked. This means that a random person can have access to everything you have that’s not 2FA protected without you even noticing. You said that no one tried to get into your things; how would you know? Most places don’t let you know when someone logs in successfully, and a lot of other places do so with an email which the attacker can quickly delete.

    If you really have used the same password for everything since a long while back, anyone who knows your email address can get into anything of yours; getting a hold of one of those password dumps is really easy, especially older ones.

    AssPennies,

    if you’re using the same password for everything since 91 there’s around a 0% chance that password hasn’t been leaked

    Plot twist, they’ve never had their password leaked due to never having a password.

    They spend every last waking moment trolling through public or university libraries to find computers that people haven’t logged out of, and are still logged into social media, dialup modems, irc, bbs, mainframes, etc. It’s these accounts they make posts from.

    Pretty lonely world when you only ever get to make one comment on one account at max, like once a week. And then you never get to check the replies. You never get to check your email either; you don’t know if anyone has sent you an e-card for your birthday.

    Oh and not to speak of constantly getting kicked out of those libraries once the librarians recognize you. To the point where you have to move to yet another city to have any online time again.

    But hey, they’ve never had their password leak at least!

    Nibodhika,

    Like I said, almost 0%, there’s always a chance he’s the Phantom of the Library.

    Kolanaki,
    !deleted6508 avatar

    Hey! Stop telling people my secrets!

    Kolanaki,
    !deleted6508 avatar

    First of all they wouldn’t know there’s nothing worthwhile until they got in.

    I mean, you can read all my comments and posts publicly, and social media accounts and such are just about the only thing I’ve ever had passwords for. 🤷🏻‍♂️

    You finna steal my Lemmy account?

    Security is only important when you give a shit about what can be taken without it.

    mojo,

    Bro that’s dumb as hell

    GBU_28,

    Since 1992 I just use his creds and sign up for a bunch of shit

    ChaoticEntropy, (edited )
    @ChaoticEntropy@feddit.uk avatar

    It’s cool… the password is “password123”, who would even expect that? It’s uncrackable.

    jj4211,

    That’s the password on my luggage!

    Honytawk,

    Your luggage password has letters in it?

    Bitrot,
    @Bitrot@lemmy.sdf.org avatar

    He’s a real Spaceball.

    Honytawk,

    There are people who purposely forget their passwords, so they use the “forgot my password” link every time they need to login.

    Hard to hack them.

    1984,
    @1984@lemmy.today avatar

    Yeah, some sites also don’t have passwords; they just send a login link to your email every time.

    I prefer passwords so I don’t have to go to my email to log in, but I understand it’s easier for some people to do it that way. Your email address becomes your identity then.

    hex,

    That’s just 2FA with extra steps

    emptyother,
    @emptyother@programming.dev avatar

    Oh, they are. I keep telling people to WRITE DOWN YOUR PASSWORDS, and NEVER use the same password on two sites. They don’t listen. It’s a lot easier to just remember 1-4 variations of a password and use that than carry around a password notebook. And they think themselves safe.

    I’m thinking most people shouldn’t use passwords at all anymore. They are a huge point of failure because people are people. We need something else to be the norm. How can we make hardware keys or something the norm for logging in? Have everyone carry around a bankcard-like thing that fits into every computer where people need credentials. Wouldn’t that be safer while still being accessible and convenient?

    1984,
    @1984@lemmy.today avatar

    There are YubiKeys you can use to log in, but it requires installing stuff on each computer you want to access. Nothing is simpler than passwords. :)

    I used a YubiKey for a while; they are alright, but I could only use it for logging on to a computer, not for logging into specific sites. Even though I guess that could be solved with a password manager integration.

    emptyother,
    @emptyother@programming.dev avatar

    Nothing is simpler than passwords. But we want something that’s both simple and safe. Even for lazy people, tech-unsavvy people, and people with bad memory.

    What if every PC came with a YubiKey-ish reader and every website supported a browser API for it? Probably not YubiKey, but something that fits in a wallet like bank cards do (but also was an open tech so that anyone can implement and sell cards). Wouldn’t it be both safer and simpler than passwords? It would take some time to turn around of course, but the same was probably the case for HTTPS, 2FA, IPv6, and TPMs.

    Bitrot,
    @Bitrot@lemmy.sdf.org avatar

    Those are called smart cards. Traditional smart cards needed centralized management of credentials, but FIDO2 smart cards exist that work like the keys. The reason tokens are more typically USB-based (or NFC) is every PC has USB, but most don’t have smart card readers.

    Chobbes,

    It would take some time to turn around of course, but the same was probably the case for HTTPS, 2FA, IPv6, and TPMs.

    Oh yeah… Definitely good IPv6 support everywhere. That really turned around, and we’re not dragging our feet on implementing IPv6 at all 🥲.

    Bitrot,
    @Bitrot@lemmy.sdf.org avatar

    FIDO2 can be used for passwordless login on a few sites, but the site and browser need to support the feature (no extra installation). It sets a PIN on the YubiKey, and when entered the key does all the authentication. It will likely be seen more as Apple “passkeys” gain more popularity; Windows and Android already have native support but don’t market it as hard.

    thisbenzingring,

    Suggest something like this:

    Use your favorite password but add the site to it.

    So your Lemmy password would be ilovemypasswordLEMMY

    and your Reddit password would be ilovemypasswordREDDIT

    That way they can keep their shitty password but it won’t be the same password on every site, and they have an easy way to remember what the proper password is for the site they want to access.

    docwriter,

    I used to do this, but I realized that if someone got access to any of my passwords, they would easily spot the pattern.

    In the end, using a password manager and generating large random passwords for each site was the best solution I found.

    thisbenzingring,

    Still better than using the same password. My argument is, if you can only convince them to do at least that, it’s better than every site using the same password.

    wahming,

    That’s horrible if you ever become the victim of a targeted attack. Compromise your password once on some random shitty site and they’ve got access to everything.

    It’s also quite likely that incidents involving password dumps will have crackers filtering the dumped data looking for exactly passwords like this.

    thisbenzingring,

    This will create individual passwords, which is better than the same password everywhere. If it’s the least they will do, it’s better than not.

    Chobbes,

    Oh, they are. I keep telling people to WRITE DOWN YOUR PASSWORDS, and NEVER use the same password on two sites. They don’t listen. It’s a lot easier to just remember 1-4 variations of a password and use that than carry around a password notebook. And they think themselves safe.

    Honestly, the best solution for this is a password manager and not a notebook. The average person is not going to come up with strong passwords on their own for every website. A password manager, once set up, can be more convenient than whatever they were doing before, so if you can get people to use one they’ll be in much better shape.

    I’m thinking most people shouldn’t use passwords at all anymore. They are a huge point of failure because people are people. We need something else to be the norm. How can we make hardware keys or something the norm for logging in? Have everyone carry around a bankcard-like thing that fits into every computer where people need credentials. Wouldn’t that be safer while still being accessible and convenient?

    My understanding is that this is basically what the whole passkeys initiative is. I have sort of mixed feelings on it. Hardware tokens for logging in is great, but I worry about people stealing the hardware tokens from others. Mostly people are going to use their phones, though, which should have some other mechanism of authentication.

    slazer2au, do games w Larion Studios forum stores your passwords in unhashed plaintext.

    Set your password to an EICAR test string and see what else you can brick on their site.

    sysadmin420,

    Holy shit beautiful. Now I wanna try it everywhere

    CurlyMoustache,
    @CurlyMoustache@lemmy.world avatar
    Krakatoacoo, do games w Larion Studios forum stores your passwords in unhashed plaintext.
    @Krakatoacoo@lemmy.world avatar

    For those who haven’t made accounts yet, you don’t actually have to make an account to play Larian Studios games.

    Miclux, do games w The Weekly 'What are you playing?' Discussion - 25-09-2023

    CP2077, no man’s sky, Dredge and Dave the Diver. In this order.

    kaosof, do games w The Weekly 'What are you playing?' Discussion - 25-09-2023

    Warframe, after seemingly finally shaking a crippling Lost Ark addiction.

    There is nothing else out there quite like Warframe.

    Sharan,

    That’s the space ninja one, right? Loved that one.

    kaosof,

    That’s the one!

    Spacecraft, do games w The Weekly 'What are you playing?' Discussion - 25-09-2023

    Just switched from starfield back to cyberpunk for the 2.0 update. It’s consuming my life again. When I finish the dlc I’ll switch back to starfield and let that consume my life.

    fishy195,

    Same here dude haha. Starfield was fun, but man has Night City just sucked me back in. I love Cyberpunk so much. I am looking forward to going back to Starfield at some point, it is a great chill out and vibe kinda game.

    Sharan,

    I love it now more. Really enjoying it, taking small being-adult steps through it

    learningduck, do games w The Weekly 'What are you playing?' Discussion - 25-09-2023

    I’m playing Lies of P. It’s a good souls-like game, but it felt like the dev took some wrong lessons from FS.

    I’m really frustrated that the distance that I have to travel to retry each boss is so far. It’s like playing DS1 with some flaws that FS grew out of.
