96
Hackers know half of passwords entered online, Cloudflare finds (cybernews.com)
submitted 1 month ago by tfm@europe.pub to c/privacy@lemmy.ml
31 comments fedilink hide all child comments
top 31 comments
sorted by: hot top controversial new old
[-] furrowsofar@beehaw.org 39 points 1 month ago* (last edited 1 month ago)

I wonder how much of this stems from two stupid IT policies. For decades users have been told to not write down passwords and to change them regularly. The result of this policy is to use a small number of password variations that one reuses. Then IT complaims about it.

The better plan has always been to use long random passwords that you never reuse and write them down by some method like a password manger and only change them rarely for example when they may be compromised,

[-] HubertManne@piefed.social 7 points 1 month ago

I remember asking my company if they have official password management software in my job before my last job. They did not. I can't believe we have all this specific software to be used at the company but they don't put some time to identify what they want employees to use for this. Funny thing is security teams are such big deals but I think they actually don't want to get involved in case it does not work out.

[-] furrowsofar@beehaw.org 2 points 1 month ago

Lot of security is theater. IT doing a CYA thing.

[-] psud@aussie.zone 5 points 1 month ago

My workplace has finally gone to passphrases and 1 year password life, which is nice as it's a password I often need to type, so I'd rather 20 easy to type and memorise chars than 16 random

[-] furrowsofar@beehaw.org 1 points 1 month ago* (last edited 1 month ago)

The missleading thing about passphrases is that anything a human can remember is low entropy. That it has 20 charachers says nothing about how random.

Edit: I also wonder how much randomness is really needed. Properly salted and hashed passwords shoud not need that much randomness. Lot of this is about users just choosing bad passwords, reusing, and IT not properly salting and hashingon their end.

[-] psud@aussie.zone 2 points 1 month ago

Are you sure you can't make a high entropy memorable password?

My scheme pulls four words at random from a large corpus

[-] furrowsofar@beehaw.org 0 points 1 month ago

Just compare the number of possibilities. Number of words to the 4th power to 94 to the 15th power. Your copus would have to be 25 million words. In contrast, there are about 800K words in the english language and about 1000 commonly used words.

[-] Blue_Morpho@lemmy.world 30 points 1 month ago

Which half? The hunt half or the er2?

[-] Strobelt@lemmy.world 17 points 1 month ago

What parts? I only see "The **** or the ***?"

[-] Dima@feddit.uk 12 points 1 month ago

The "correcthorse" part

[-] Jumuta@sh.itjust.works 20 points 1 month ago

yeah because half of them are 1234

[-] shortwavesurfer@lemmy.zip 20 points 1 month ago

I'm glad I've been using a password manager for several years now.

[-] mac@lemm.ee 10 points 1 month ago

Yeah I think I've got 600 distinct logins in my bitwarden at this point, lol.

[-] furrowsofar@beehaw.org 5 points 1 month ago* (last edited 1 month ago)

This is a great example of how impossible it is not write down usernmes and passwords and how infeasible forcing changes is.

The other thing people do not talk about enough is user names. They should be somewhat random too and not reused. Forcing people to use their email address is particularly stupid but very common.

[-] mac@lemm.ee 3 points 1 month ago

Yep, before I switched to a password manager in college I had 3-4 passwords I would use across all accounts, and I would constantly need to recover accounts because I would forget the PW.

I actually don't remember the last time I needed to recover an account. Having a password manager has been a massive time savings for me.

[-] nothacking@discuss.tchncs.de 18 points 1 month ago

https://xkcd.com/936/

[-] UltraGiGaGigantic@lemmy.ml 16 points 1 month ago

[-] ArtificialHoldings@lemmy.world 7 points 1 month ago

I would do the word jumble suggested by xkcd, but so many websites require numbers, special characters, and disallow spaces that it would be impossible to remember unique passwords between those sites. Ironically I end up in a much weaker password ecosystem because I re-use the nearly-same password over and over again so I'm not constantly requesting a reset.

[-] tfm@europe.pub 23 points 1 month ago

Why not use a password manager?

[-] 4am@lemm.ee 7 points 1 month ago

BitWarden now supports passkeys and has a free 2FA app.

No excuses not to be as secure as possible anymore.

[-] ArtificialHoldings@lemmy.world -2 points 1 month ago

I'm split between a work pc, mobile, and home pc... It could work for 90% of cases. I never trusted a password manager though.

[-] psud@aussie.zone 8 points 1 month ago

KeePass doesn't rely on any third party, and if you choose to use a third party file storage to hold your password vault, it's encrypted

[-] huquad@lemmy.ml 5 points 1 month ago

Always two there are. No more, no less. The one they know, and the one they don't.

this post was submitted on 18 Mar 2025
96 points (99.0% liked)

Privacy

37311 readers
750 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz