In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
This shit pisses me off so bad. I had an identity theft a few years back, took ages to undo, and my credit score is still impacted by it. At the time I moved to a password manager and all my passwords are 31 characters of garbage. I’ve got several, highly sensitive accounts that my passwords don’t work for, in fact one a bank, until fairly recently, had repurposed a phone number field in the DB so passwords were limited to 10 characters numeric only (I managed to get one of their IT folks on the horn to explain why the password was so awful).
I cannot believe we live in 2025 and we still haven’t figured out passwords.
My bank forces a 6 digit PIN as a password.
Their 2fa is also email or text only.
At least we can set a unique username?
Meh, if they lock you out after X attempts, then 6 digits is fine. Hell, even 4 digits is fine if they have a lockout-policy.
Do they have a limit on attempts?
So long as attempts aren’t per IP and or ipv6 isn’t allowed
And as long as they don’t have an unknown database leak, negating the attempt limit.
Yeah, I’m up to 40 hide my addresses for that same reason. Figure if the password sucks, at least the email can be unique and obscure.
I just use a catch-all email domain. It’s functionally similar to a hide-my-email address, except the email addresses are much easier to read and remember.
Every single email that hits my domain goes to the same inbox. So Target@{my domain} and Walmart@{my domain} both hit the same inbox. And if I start seeing spam addressed to Target@{my domain} then I know Target sold my info. I can easily filter everything to that address straight to spam, with the exception of any senders ending in “@target.com”
It means my shit gets automatically sorted into neat little folders before it ever even hits my inbox. I can still get the birthday coupons, while all of the spam quietly vanishes into the spam inbox abyss.
I used to do this, but then why revealing even my domain. I have bitwarden integrated with simplelogin, and I get [email protected]
This way I can easily filter with prefix matching (if I want to), but don’t reveal anything at all about me. Also much easier to be consistent, block senders etc. Plus, I can send emails from all those addresses if I ever need (e.g., support).
I had delusions of trying to keep track of which address is sold by who which is why I did the hide my email addresses. But I’ve always kept separate personal and spam accounts. This was my attempt at combining to a single account.
https://xkcd.com/927/
168! Don’t hold back - everything gets a unique email address, a generated password, unique username and profile info.
It’s only the damn phone number that can be used to connect my data. Can’t do anything about that.
I have a google voice number for that. Most things no longer accept it though.
We have figured out passwords. Management hasn’t figured out allocating resources to security, and governments haven’t figured out fining the crap out of such companies.
Is there any specific reason to using 31 random characters instead of 32?
I’m not the one you’re asking, but I’ve had a case where using the maximum number lead to login issues. A character less did not have issues. Must have been an off-by-one implementation issue (maybe a text terminator character). 32 is a power of two number. Seems like a reasonable approach to evade such issues categorically - at the cost of a character by default of course.
Yes, haha, I saw your other comment about this off-by-one issue. Interesting that it happens at all.
Illogical meat brain that thinks odd numbers are more random that even I guess.
all our banks and government systems and may online services work on a governments own 2fa, and there are several variants. They are linked to phone and require inputting Pins. Very comfortable, very secure and very convenient. Also very fast.
Don’t get me wrong, there are systems that work. I built up a very successful smart card based system many years ago after a failed audit. I initially hated the idea but in the end we built a crazy secure environment that was very easy to use and maintain. That project is long since obsolete but after doing that one, over a decade ago, I figured things were headed in the right direction.
I think I’m extra sensitive right now because my aging mom has made the issue acute. She’s not the same as she was a few years ago and helping her with all her online accounts has become a nightmare. It’s just too complicated for many folks.