I still enjoy Starfield after 60 hours and the enjoyment is even growing. I’m sick of pretending the game isn’t good, just because the hive mind decided so. It has flaws sure, but which game doesn’t?
Some environments are amazing and change so much by daytime or weather. I love this.
I still find it very good game. The upgrade systems could use a bit better of a tutorial but I respect a game that takes a minute for a player to figure out the puzzle. Because those are the games I like.
The Mantis puzzle was a bit painful but I got it after a few tries. But the game seems to have more to it. I am enjoying just traveling space and seeing what is out there.
Spaceship upgrades seem cool. The shipbuilder has a good potential for a sandbox deal if you get enough money. Unlocking and upgrading is intwinded with the story which is normal. The dialogue is a bit overwhelming at times, but it’s space Skyrim. I don’t know what people are up in arms about. It looks gorgeous. It’s fun most of the time. What do people want?
I like the game as a whole. I could name you shortcomings of nearly every aspect of the game yet as a whole I have a really good time.
Some quests have a too early ending or sudden dropoff, yet they were fun and the dialogues were good. Building your spacecraft is fun, despite the restrictions on how you can rotate stuff. The points of interest are often kind of lacking, but then on I’m in space and I don’t mind mostly “empty” planets as that’s what space is.
It’s actually kind of strange, because I don’t like No Man’s Sky. I find that game so boring and tedious. While Starfield is engaging to me. I wish the survival aspects of the game were a bit more, as they got nerfed too much. I’d like to prepare for the planet conditions.
I don’t like that unique weapon rewards aren’t unique other than a name/skin. But the overall weapon of the game are fun and I have many in my inventory that I barely use because I enjoy the ones I main. (Meaning I have enough for New Game+ as I just focus on laser and energy weapons at the moment)
The environment often shines at night, the weather looks great and I like the music creating a good synergy.
I found NPCs to be enjoyable too, while I’m sad I can’t put two NPC of Neon in my ship crew (the bagger girl and the gang girl, sorry I don’t have their names at hand)
Space battles are fun and not too hard but not too easy. (I play on hard difficulty though).
I have fun with the quests too. Just a few days ago I did a side mission with a rough AI, that I could solve peacefully with Ryujin dialogue options. I have yet to visit Chrimson Fleet and do most of the main story. I’m just at the beginning and there’s so much great stuff yet to happen.
Man I’m real tired of the constant negativity around new games. I rarely see positive stuff online.
You don’t like a game? Just move on. Hell, downvotes and move on. But leaving comments on things like screenshots about how idiotic a game is, man find something else to do.
I agree OP, it is a gorgeous game. The landscapes are incredibly striking
It does help those on the fence make a more informed decision whether to purchase or not. Just whitewashing with only positive reviews and comments is misleading and stifles innovation. Trolling and opinions without examples suck and should be ‘downvoted.’
BG3 has plenty of bugs but has glowing reviews for a new game. People should be able to voice their opinions without attacking other users and receive the same in return.
I have put in over 50 hours and enjoy this game, but would definitely NOT recommend it to someone who isn’t familiar with Bethesda’s other titles.
There’s a thousand places to leave negative reviews. I’m just annoyed at the “Hey look X game has a cool thing” and the immediate “You enjoy X game? You’re an idiot for finding enjoyment out of this, you’re stupid, look how cool I look for shitting on it”. It’s transparent and annoying.
Voice your opinions sure, but if all you do though is shit on people for enjoying something, then that’s a dick move.
I don’t think anybody is shitting on anyone. It’s a public forum and we’re all allowed to say what we think. How shallow would the discourse be if we were limited to only talking about things positively? Everyone has their own tastes. I played through and enjoyed cyberpunk a couple of months after launch at a time when it was roundly shat upon but it didn’t spoil the game for me.
I don’t think anybody is shitting on anyone It’s a public forum and we’re all allowed to say what we think How shallow would the discourse be if we were limited to only talking about things positively?
It doesn’t matter what you think. Try posting something positive about starfield - even in the Starfield community. You will get shat on. A lot.
The problem isn’t that negativity doesn’t have a space, its that positivity doesn’t have a space. If someone posts something positive and gets shit on, they’re going to be less likely to post positive things in the future. Or react to negativity with their own positivity. That’s how psychology works. We do a thing and get a shock, we’ll be less likely to do it again.
But more importantly, a lot of negative nancies on the internet love to defend yukking on other’s yums with lofty goals around “discourse” and “free speech”. But they seem to forget that’s not how the real world or human psychology works. This post isn’t looking for “discourse”. OP is just saying " wow this game has cool vistas" maybe hoping for some stories or reinforcement or fun conversations with other fans and you all are responding with “game sucks”. What is this “discourse” supposed to accomplish other than, at best piss off OP, and at worst tear down his enjoyment of the game.
I mean think about it. What if someone were showing off a coat they brought and like with some randos, and you waltz in and are like “that coat’s fucking ugly and you should feel bad about buying it.” What kind of discourse would you expect other than “the hell? Who asked you? Fuck off”.
Sure, we’re all entitled to post and reply what we want, but it won’t stop us from calling you an asshole. You want to shit on a game? Go for it, there’s plenty of hate circlejerks you can join in on.
I was specifically meaning that I didn’t think anyone was shitting on anybody here in this thread. I didn’t say the game sucked or that it’s fucking ugly or any of those other hyperbolic statements. I read somebody else’s thoughts on the game and provided my own. I agree the game can look very good, I said I really enjoyed some of the quests. I’m not a part of the starfield community, I’m not trying to piss on anybodies parade. I just like playing games and talking about games I’ve played.
Right, because the people who are paid to review the full game over hundreds of hours and have spent, in many cases, years, analyzing their biases and determining the right way to construct objective criticsm and have peer review editors to check their work…
Nah. Randos on the internet who have tendancy to form circlejerks for fake internet points and for minor doses of dopamine and who may or may not have even completed even a tiny portion of the game - that’s what I need to make an informed decision.
EDIT Lol at the coward downvotes with no replies. You know I’m right, you just don’t want to admit it.
Just makes me wonder if the same thing happens in other communities. Say someone posts a photo of a National Park, are there replies how they’ve hiked most of the trails at that park and decided it’s not worth visiting?
I can see both sides too, “well we are informing people about the cons of that park, so they aren’t eaten by the vicious bears!”. I get that, I do! People have an opinion they want to share, nothing really wrong with that. Does that understanding make it enjoyable for me as the person just sharing the photo? Not so much…😂
I wanted to love this game and it did suck me in for 30 or so hours. But once I realized none of the factions mean anything and you can just join up with conflicting factions and kill whoever you want and then just pay off bounty I lost all fucks. What’s the point of being space pirate if I can just kill other space pirates with no penalty, and then go become a freestar ranger and a UC shill and still be a pirate somehow and nobody cares? It’s idiotic
I played for 80 hours or so, I really wanted to like it. I could forgive the sometimes humorous bugs and the endless loading screens if it wasn’t so boring. Some of the side quests were OK but ultimately it’s just not enough to keep me coming back.
I can never tell if comments like this are a joke. Starfield has tons of issues, don’t get me wrong, but I’m still playing it because I’m having fun. Why put 80 hours into something if you aren’t enjoying it?
Personally if I’m not having fun in a game, I’d just stop after a few hours.
I didn’t hate it, as I said there were parts I enjoyed. I did all the faction quests and maybe 70 percent of the main story and just came to the realisation that I was finding it a bit of a chore. If I wasn’t having any fun I’d have quit earlier but as I say it just became dull to me. If you’re having fun more power to you, different people like different things.
The only conflicting factions I can think of are the Crimson Fleet and UC Navy, but even then you aren’t going around telling everyone you are a pirate.
Just played the Lamplighters League demo and liked it quite a bit. Only bummer is that it does not play well on steam deck, so I will hold off for a while.
Recently played Titanfall 2 and bought the Muse Dash DLC, and man this has been the most fun ride I’ve been in a while.
First off, Muse Dash. I’ve bought the base game a long while ago and pretty much cleared all of the hard content it had to offer. Due to the recent controversy, I jumped the gun and bought the DLC earlier than I would have liked, but I did plan on getting it at some point so its not a complete bummer. The main draw of the DLC for me was mainly more content since base game is reeeally small - specially if you are experienced at the game or genre as a whole, and the mods. The mods along with custom charts made the game way more compelling than before. Bless the good people who do game mods, they are actual gods.
Then we arrive at Titanfall 2. To be honest, I did not expect it to run on my i3 potato laptop, but it did… and I got addicted, clocking in 30 hours in like a week and a bit. The campaign is good, the multiplayer is amazing once it clicks, and now I’m replaying the campaign again for the collectibles. It is a genuine breath of fresh air as the majority of multiplayer/online games that I play involve live service stuff, gacha and tedious grind, and I’m not interested in mainstream competitive stuff either with ELO ranking and keeping up with metas. Here I can enjoy fragging to my heart’s content and casual competition without the baggage modern gaming entails (battlepass progression, ranked, FOMO, etc.). And even if I get beat by someone better, I view it as a challenge and not pure BS (I’m looking at you War Thunder).
I beat Kingdom Hearts 2 last week, so I’m just starting Kingdom Hearts: 358/2 Days. Taking a bit of a break though, so might not end up getting to it until next week.
While sending your password in plaintext over email is very much a bad idea and a very bad practice, it doesn’t mean they store your password in their database as plaintext.
Point is, a hash isn’t a password. giving the most you don’t need tech knowledge analogy, it’s like the passwords fingerprint.
The police station may keep your daughters fingerprint so that if they find a lost child they can recognize it is your daughter beyond any doubt. Your daughters fingerprints, is like a hash, your daughter is a password.
The police should not store your daughter… that’s bad practice. The fingerprints are all they should store, and needless to say the fingerprints aren’t your daughter, just as a hash isn’t a password.
It’s possible that this email is a result of forum user creation, so during that submission the plaintext password was available to send to the user. Then it would be hashed and stored.
I’m just explaining how user authentication works for most web applications. The server will process your plaintext password when your account is created. It should then store that as a hashed string, but it can ALSO send out an email with that plaintext password to the user describing their account creation. This post does not identify that passwords are stored in plaintext, it just identifies that they email plaintext passwords which is poor security practice.
You’re correct and after reading more of the thread I saw OP say this was sent immediately after registering. I don’t have reason to believe it is stirred in plaintext unless they’re storing s copy of every email they send.
That’s very unlikely. It’s running UBB Threads, which, from what I can tell, has an auth subsystem, which au minimum would do hashing. If it’s providing you with a default at sign-up, that’s different and is what appears to be a configurable setting.
If it is completely generated for you, here’s what probably happening:
User creation module runs a password generator and stores this and the username in memory as string variables.
User creation module calls back to storage module to store new user data in db, including the value of the generated password var.
Either the storage module or another middleware module hashes the password while preparing to store.
Storage module reports success to user creation.
User creation module prints the vars to the welcome template and unloads them from memory.
TL;DR as this is running on a long-established commercial php forum package, with DB storage, it is incredibly unlikely that the password is stored in the DB as plaintext. At most it is likely stored in memory during creation. I cannot confirm, however, as it is not FOSS.
Yeah if they send the password in an email in plain text that’s not storing it. You can send the email before you store the password while it’s still in memory and then hash it and store it.
Stored in memory is still stored. It’s still unencrypted during data processing. Still bad practice and a security vulnerability at best. Email isn’t E2E encrypted.
You have the text input feed directly into the encryption layer without an intermediary variable. The plaintext data should never be passable to an accessible variable which it must be to send the plaintext password in the email because it’s not an asynchronous process.
I’m surprised so many people are getting hung up on basic infosec.
The front end to backend traffic should be encrypted, hashing occurs on the backend. The backend should never have access to a variable with a plaintext password.
I’m going to have to stop replying because I don’t have the time to run every individual through infosec 101.
how long have you been a web developer? Because I’ve been doing it for six years and almost every web app I’ve ever seen uses http with TLS to send the plaintext password to the backend, where it’s popped into a request var at the controller level, then passed as an instance var to the service level, salted, hashed and stored. This includes apps that have to submit themselves for HIPAA compliance because they deal with PHI.
Maybe I’m misunderstanding you, but backend servers will almost always have the user-submitted password in plaintext as a variable, accessible to the backend server and any upstream proxies.
It’s even how it’s done in Lemmy. The bcrypt verify accepts the plaintext password and the expected salted hash.
I haven’t looked into it but I was wondering about the logistics of setting up a federated honeypot for server side stream sniffing to build a plaintext email/password database.
Not without compromised certificates they haven’t. You can tell because if they did they’d be world famous for having destroyed any and all internet security. Then again, they’d probably already be famous for having figured out a way to salt, hash and store passwords without ever holding them in memory first like they claim to do above, so maybe someone is lying on the internet about their vague “proprietary network protocols”.
Man, you sound like you’re just using random words you heard in class. Clearly you have no clue how user registration actually works, let alone backend development.
There are ways to have passwords transmitted completely encrypted, but it involves hitting the backend for a challenge, then using that challenge to encrypt the password client side before sending. It still gets decrypted on the backend tho before hash and store.
I asked because what you’re describing doesn’t do much if you understand how common web frameworks and runtime environments work.
The framework needs to parse the HTTP request. That means holding the parameters in a variable somewhere just to arrange them in a datastructure for processing.
But let’s ignore that and say we have some kind of system that stream parses the request right out of the buffer (which itself still needs to be held in memory for a bit, but let’s ignore that), and when it matches a preconfigured password parameter, passes it directly to the hashing system and nowhere else. I don’t think any framework in existence actually does this, but let’s run with it.
We’ll still need to pass that value by whatever the language uses for function passing. It will be in a variable at some point. Since we rarely write in C these days unless we have to, the variable doesn’t go away in the system until the garbage collection runs. Most systems don’t use ref counting (and I think it’s a mistake to disregard the simplicity of ref counting so universally, but that’s another discussion), so that could happen whenever the thread gets around to it.
But even if it runs in a timely fashion, the memory page now has to be released to the OS. Except most runtimes don’t. First, the variable in question almost certainly was not the only thing on that page. Second, runtimes rarely, if ever, release pages back to the OS. They figure if you’re using that much memory once, you’ll probably do it again. Why waste time releasing a page just to make you spend more time getting it again?
And we’re still not done. Let’s say we do release the page. The OS doesn’t zero it out. That old variable is still there, and it could be handed over to a completely different process. Due to Copy on Write, it won’t be cleared until that other process tries to write it. In other words, it could still be read by some random process on the system.
And we haven’t even mentioned what happens if we start swapping. IIRC, some Linux kernel versions in the 2.4 series decided to swap out to disk ahead of time, always having a copy of memory on disk. Even if you’re not running such an ancient version, you have to consider that the kernel could do as it pleases. Yeah, now that var potentially has a long lifespan.
To do what you want, we would need to coordinate clearing the var from the code down through the framework, runtime, and kernel. All to protect against a hypothetical memory attack. Which are actually quite difficult to pull off in practice. It’d be easier to attack the client’s machine in some way.
And on top of it, you’re running around with an undeserved sense of superiority while it’s clear you haven’t actually thought this through.
Yes. I agree 100% with the things I can and I defer to your experience where I can’t. I used to write proprietary networking protocols 20 years ago and that’s the knowledge and experience I’m leaning on.
As a matter of practice we would ensure to process passwords by encrypting the datasteam directly from the input, and they were never unencrypted in handling, so as to protect against various system and browser vulnerabilities. It would be a big deal to have them accessible in plaintext beyond the user client, not to mention accessible and processable by email generation methods and insecure email protocols.
I’m going to have to stop replying because I don’t have the time to run every individual through infosec 101.
Sorry, but you’re missing the point here. You cannot do anything with a password without storing it in memory. That’s not even infosec 101, that’s computing 101. Every computation is toggling bits between 1 and 0 and guess where these bits are stored? That’s right: in memory.
The backend should never have access to a variable with a plaintext password.
You know how the backend gets that password? In a plaintext variable. Because the server needs to decrypt the TLS data before doing any computations on it (and yes I know about homomorphic encryption, but no that wouldn’t work here).
Yes, I agree it’s terrible form to send out plain text passwords. And it would make me question their security practices as well. I agree that lots of people overreacted to your mistake, but this thread has proven that you’re not yet as knowledgeable as you claim to be.
You encrypt the datastream from the text input on the client side before storing it in a variable. It’s not rocket science. I did this shit 20 years ago. Letting a plaintext password leave the user client is fucking stupid.
there is no possible way to handle sensitive data without storing it in memory at some point
it’s where you do all the salting, hashing, and encrypting
emailing out credentials like this after sign up is certainly not best practice, but probably not a huge deal for a video game forum of all things. if you are re-using passwords then you already have a way bigger problem.
emailing out credentials like this after sign up is certainly not best practice,
Understatement of the year right here. Everyone in this thread is more interested in dunking on OP for the few wrong statements they make rather than focusing on the fact that a service is emailing their users their password (not an autogenerated “first time” one) in plaintext in an email.
there is no possible way to handle sensitive data without storing it in memory at some point
Since we’re nitpicking here - technically you can. They could run hashing client side first, and instead of sending the password in plain-text, you’d send a hashed version
This opens up the possibility of replay attacks in the case of data breaches, though, and those are much more common than http mitm attacks (made even less likely with the proliferation of https).
I’m not entirely sure whether hashing twice (local and server) is wise, having not thought through that entire threat vector. Generally I try to offload auth as much as I can to some sort of oauth provider, and hopefully they’ll all switch over to webauthn soon anyway.
I’m not really sure how it opens up replay attacks, since it doesn’t really change anything to the default auth. There are already sites that do this.
The only difference is that instead of sending an http request of { username = “MyUsername”, Password = “MyPassword” } changes to { username = “MyUsername”, Password = HashOf(“MyPassword”) } - and the HashOf(“MyPassword”) effectively becomes your password. - So I don’t know how that opens up a possibility for replay attack. There’s not really any difference between replaying a ClearText auth request vs an pre-hashed auth request. - Because everything else server side stays the same
(Not entirely auth related), but another approach of client side decryption is to handle decryption completely client site - meaning all your data is stored encrypted on the server, and the server sends you an encrypted container with your data that you decrypt client side. That’s how Proton(Mail) works in a nutshell
I’m not really sure how it opens up replay attacks
Put simply, jt allows an attacker with a leaked database to use the hashed password as a password. In your original comment, it seemed like you were suggesting hashing only before transmission, on the client; but hashing both before and after would indeed patch that particular vulnerability. I don’t know if there are potential problems with that strategy or not.
another approach of client side decryption is to handle decryption completely client site
Here’s potentially an opportunity for me to learn: how does such a service (like Proton Mail) perform this in a web browser without having access to the data necessary to decrypt all of the data it’s sending? Since you can’t count on a web browser to have the private key, do you send down an encrypted private key that can only be decrypted with the user’s password? Is there some other way to do this that I’m not aware of?
In your original comment, it seemed like you were suggesting hashing only before transmission
Ok, that wasn’t what I was suggesting, no. That would effectively make your password hash the password itself - and it would kinda be stored in PlainText on the server, if you skip the client auth and send that value to the server directly through the api or something
how does such a service (like Proton Mail) perform this in a web browser without having access to the data necessary to decrypt all of the data it’s sending? […] do you send down an encrypted private key that can only be decrypted with the user’s password?
Yes, pretty much. I can’t really find a good, detailed explanation from Proton how it exactly works, but LastPass uses the same zero-knowledge encryption approach - which they explained with some diagram here - with a good overview of the client/server separation of it’s hashing.
I’m playing Valkyria Chronicles. I think I’m about to finish the main story, though I have to tackle most of the extra content still (skirmishes and DLC maps).
It’s a bit strange, but once you stop looking at it as a strategy game, it becomes apparent that it’s actually a puzzle game in disguise, asking you to clear all scenarios in the most time efficient way, which usually translates to very precise troop placement and attacking enemies in a specific order.
I already played VC4 last year and it was a blast. VC1 has a bit less content and the QoL features from the sequel are sorely missing, but it’s still a lot of fun.
Nice. Personally only played VC1 and currently on VC2 (on a break though). All I can say so far is that the game series is a rough gem, fun but a bit unbalanced. VC2 is better in that aspect though, and I would assume the later games are as well.
I can’t speak about VC2 and 3, but 4 is pretty much the same as 1. The unbalanced nature of the game is part of the fun, for me. And if you’re willing to play the missions “as intended” instead of cheesing them with the attack-boosting orders, imo they provide quite the challenge (especially late-game VC4).
If I ever revisit 1, I’ll definitely play it with a rebalance mod, not sure on which since there’s like 3 of them.
While killing a tank with a scout is funny, it cheapens the gameplay. Personally I’m the kind that gravitates to metas, not to the point of obsessive min max, but it’s enough to sour the experience if it’s particularly busted like in the first game. Doesn’t help that the ranking system only cares about speed making it sort of necessary to exploit if you want a good result :/
no, they probably dont.
they just send it to your email upon registration, which is kinda a bad idea, but they are probably storing passwords hashed afterwards.
I’ve never even heard of the game studio I’m not defending them, I was replying to the person who said the company should never have your unhashed password, and explaining that they have to at some point in the process
I wonder how much this varies depending on the amount of data it would require to store the emails of a company. I know nothing about this subject, but does it occur where companies with very large email lists would forgo storing those types of emails to save data costs?
In my experience it varies a lot. Even in our own system certain emails are stored differently. There are a few “we legally have to deliver this email and might need to prove it later” notifications. We store a PDF of those in s3. For others we might just save the data, a sent timestamp, and a key for which email visual template was used.
I also thought of a counter argument to my point overnight. We don’t store one super duper high volume email which is the email that only has an MFA code. We would also absolutely never ever dream about allowing a plaintext password in an email, so we’re probably following different patterns in the first place.
I find that very hard to believe. While it is less common nowadays, many, if not most, mailing list and forum software sent passwords in plaintext in emails.
A lot of cottage industry web apps also did the same.
passwords are usually hashed server-side tho and that’s done for a reason.
if handling passwords correctly, server side hashing is way more secure then client-side. (with client side hashing, hash becomes the password…)
Is it though? While it certainly isn’t something I’d recommend, and I’ve encountered it before, if E2E encryption exists we cannot assume a data exposure had occurred.
What they do on the backend has nothing to do with this notification system. Think of it as one of these credentialess authentication systems that send a ‘magic link’ to your inbox.
You can also tell if a site does this when they have seemingly arbitrary restrictions on passwords that are actually database text field restrictions.
Especially if they have a maximum password length. The maximum password length should be just the maximum length the server will accept, because it should be hashed to a constant length before going into the database.
I recently created an Activision account during a free weekend event and discovered their password system is completely broken. 30 character limit but refused to accept any more than 12 characters. Kept erroring out with must be less than 30. Once I got it down to 12 it accepted that, but then it complained about certain special characters. Definitely not giving them financial information.
My bank has a character limit, but they don’t tell you about it; they just trim the password you’ve set before hashing + saving it, then when you go to login if you don’t trim your password the same way they did, login fails.
I only know this because the mobile app will actually grey out the login button as soon as you enter more than the character limit. The web app just leaves you to be confused.
I had a similar situation with my health insurance company, except I think they added the character limit a while after I had set my password T_T. So, it worked for months, then they changed the mobile app so I couldn’t enter a long password… And then eventually they changed the website too and then I couldn’t log in at all. Thaaaaanks.
Doesnt lemmy also do it? I think I ve heard from Ruben at Boostforlemmy that lemmy only treats first 60 characters of your password as a password and the rest gets discarded. [citation needed]
Can’t say I’ve ever tried to use a password quite that long, so I’m not sure.
Not ideal, but trimming it (especially when you’re keeping 60 chars) isn’t the end of the world. It was just super confusing that the web app doesn’t trim it during login as well. There’s no indication that your password was modified or what you’ve entered to login is too long. Just ‘incorrect user/pass’ despite entering what you’ve just set. That char limit for my bank is only 16 chars, so it’s easy to hit.
It’s a big deal IMO, particularly because at login it doesn’t do the same. From the user perspective, your password has effectively been modified without your knowledge and no reasonable way of finding out. Good luck getting access to your account.
When a bank does this it should be considered gross negligence.
The official web UI doesn’t let you enter more than 60 characters, but doesn’t indicate that at all. So you can keep typing past 60 characters but it won’t get added to the input field and you can’t really see that. If you paste a password into the field, it gets trimmed to 60 characters.
When creating a password, the server checks that it isn’t longer than 60 characters and returns an error if so. On login, however, it silently trims the password to 72 bytes, because that’s what the hashing algorithm they use supports.
My bank if you get your card number through the app has a dynamic ccv that changes every day so while not perfect is what I use whenever purchasing online
Especially if they have a maximum password length.
Not really, there are good reasons to limit password length. Like not wanting to waste compute time hashing huge passwords sent by a malicious actor. Or using bcrypt for your hashes, which has a 72 byte input limit and was considered the best option not that long ago. The limit just has to be reasonable; 72 lowercase letters is more entropy then the bcrypt hash you get out of it, for example.
Yes, reasonable limits are fine, I was talking more like 12 or 13 characters max. That’s probably indicative of a database field limit, and I’ve seen that a fair amount because my password manager defaults to 14 characters.
It’s 2023, I really hope people are not using the same password in multiple places. Password managers solved this problem a decade ago. Use one, with multi factor auth on important sites like email.
I’ve used the same password for everything since 1991. If anyone’s cracked it, they haven’t attempted to get into my shit. Probably because there’s nothing worthwhile to steal.
First of all they wouldn’t know there’s nothing worthwhile until they got in. But most importantly if you’re using the same password for everything since 91 there’s around a 0% chance that password hasn’t been leaked. This means that a random person can have access to everything that you have that’s not 2fa protected without you even noticing. You said that no one tried to get into your things, how would you know? Most places don’t let you know when someone login successfully, and a lot of other places do so with an email which the attacker can quickly delete.
If you really use the same password for everything since a long while back anyone who knows your email address can get into anything yours, getting a hold of one of those password dumps is really easy, especially older ones.
if you’re using the same password for everything since 91 there’s around a 0% chance that password hasn’t been leaked
Plot twist, they’ve never had their password leaked due to never having a password.
They spend every last waking moment trolling through public or university libraries to find computers that people haven’t logged out of, and are still logged into social media, dialup modems, irc, bbs, mainframes, etc. It’s these accounts they make posts from.
Pretty lonely world when you only ever get to make one comment on one account at max like once a week. And then you never get to check the replies. You never get to check your email either, you don’t know if anyone has sent you and e-card for your birthday.
Oh and not to speak of constantly getting kicked out of those libraries once the librarians recognize you. To the point where you have to move to yet another city to have any online time again.
But hey, they’ve never had their password leak at least!
First of all they wouldn’t know there’s nothing worthwhile until they got in.
I mean, you can read all my comments and posts publicly, and social media accounts and such are just about the only thing I’ve ever had passwords for. 🤷🏻♂️
You finna steal my Lemmy account?
Security is only important when you give a shit about what can be taken without it.
Yeah some sites also dont have passwords, they just send a login link to your email every time.
I prefer passwords so I don’t have to go to my email to log in, but I understand it’s easier for some people to do it that way. Your email address becomes your identity then.
Oh, they are. I keep telling people to WRITE DOWN YOUR PASSWORDS, and NEVER use same password on two sites. They dont listen. Its a lot easier to just remember 1-4 variations of a password and use that than carry around a password notebook. And they think themselves safe.
I’m thinking most people shouldnt use passwords at all anymore. They are a huge point of failure because people are people. We need something else to be the norm. How can we make hardware keys or something the norm for logging in? Have everyone carry around a bankcard-like thing that fit into every computer where people need credentials. Would’nt that be safer while still being accessible and convenient?
There are yubikeys you can use to login, but it requires installing stuff on each computer you want to access. Nothing is simpler then passwords. :)
I used a yubikey for a while, they are alright, but I could only use it for logging on to a computer, not for logging into specific sites. Even though I guess that could be solved with a password manager integration.
Nothing is simpler than passwords. But we want something thats both simple and safe. Even for lazy people, tech-unsawy people, and people with bad memory.
What if every pc came with a jubikey-ish reader and every website supported a browser api for it? Probably not jubikey, but something that fit in a wallet like bank cards do (but also was an open tech so that anyone can implement and sell cards). Wouldn’t it be both safer and simpler than passwords? It would take some time to turn around of course but the same was probably the case for https, 2fa, ipv6, and tpm’s.
Those are called smart cards. Traditional smart cards needed centralized management of credentials, but FIDO2 smart cards exist that work like the keys. The reason tokens are more typically USB-based (or NFC) is every PC has USB, but most don’t have smart card readers.
FIDO2 can be used for passwordless log in on a few sites, but the site and browser need to support the feature (no extra installation). It sets a pin on the yubikey and when entered the key does all the authentication. It will likely be seen more as Apple “passkeys” gain more popularity, Windows and Android already have native support but don’t market as hard.
so your lemmy password would be ilovemypasswordLEMMY
and your reddit password would be ilovemypasswordREDDIT
that way they can keep their shitty password but it won’t be the same password on every site and they have an easy way to remember what the proper password is for the site they want to accesss
Still better than using the same password. My argument is if you can only convince them to do at least that, it’s better than every site using the same password
That’s horrible if you ever become the victim of a targeted attack. Compromise your password once on some random shitty site and they’ve got access to everything.
It’s also quite likely that incidents involving password dumps will have crackers filtering the dumped data looking for exactly passwords like this.
Oh, they are. I keep telling people to WRITE DOWN YOUR PASSWORDS, and NEVER use same password on two sites. They dont listen. Its a lot easier to just remember 1-4 variations of a password and use that than carry around a password notebook. And they think themselves safe.
Honestly, the best solution for this is a password manager and not a notebook. The average person is not going to come up with strong passwords on their own for every website. A password manager once setup can be more convenient than whatever they were doing before, so if you can get people to use one they’ll be in much better shape.
I’m thinking most people shouldnt use passwords at all anymore. They are a huge point of failure because people are people. We need something else to be the norm. How can we make hardware keys or something the norm for logging in? Have everyone carry around a bankcard-like thing that fit into every computer where people need credentials. Would’nt that be safer while still being accessible and convenient?
My understanding is that this is basically what the whole passkeys initiative is. I have sort of mixed feelings on it. Hardware tokens for logging in is great, but I worry about people stealing the hardware tokens from others. Mostly people are going to use their phones, though, which should have some other mechanism of authentication.
lemmy.world
Gorące