Comment by fsckboy
2 days ago
>I don’t believe it but
you have to believe it, it's true, you just think it's not the greatest threat or that the response to mitigate it (for example, using a pattern of temporary passwords to facilitate remembering them) would be worse than the disease.
No, like I don’t believe the math. It’s not about not wanting to believe the math. I don’t believe the mathematical conclusion is practically true even if there may be something theoretically interesting to talk about, like the monty hall problem.
if it causes 90% of people to just enter a simpler password, out of frustration and “fatigue”, then this is irrelevant IMO. Theory doesn’t take into account human behavior.
It’s especially annoying when a company enforces these brain dead policies on employees. You want people to waste mental effort changing their passwords by 1 letter every 3 months, just to appease some IT manager? Give me a break lol.
I’d rather have a long complex password that i remember and remember ONCE.
That's what baffles me. Somehow security NEVER acknowledges that security theater, cognitive overload and constant friction makes users more inclined to make bad decisions, repetition over months make this even worse.
Hackers need just one chain of tired persons to breach a system. Sometimes length(chain) = 1, that's when bad things happen.
Anecdotal PS: I used to work at a bank and had to rotate my password monthly (sometimes even more, because there were unfederated systems that required another password, also with rotation). Eventually all my passwords became [short STRING] + [autoincremental INT]. We had MFA, so it didn't matter that much, but that makes it even more hilarious.
I think directly caused by the fact that at large companies, the best way to get ahead is to be seen as doing things. It doesn't matter if those things are completely harmful, so long as they sound good. With password changes you now have company wide visibility, with regularity, doing something that to somebody who's not thinking much would probably be suggestive of doing a very thorough job.
For most people, writing (most of) their password on a piece of paper that they keep in their wallet would be pretty good security.
Paper can't be hacked, and writing down the password allows for more complicated passwords. In case someone gets access to your wallet, you still keep a portion of the password not written down.
(And if someone gets physical access to your stuff, you are hosed in general, because they can just install a keylogger. So even keeping your password fragment on a post-it under your keyboard would be fine-ish.)
It really depends on what password. At home our wifi password is on a paper, right there on the office board. If you landed in the room, I won't feel more in security if you need other actions to get the password out of me.
1 reply →