• Atomic@sh.itjust.works
    7 up · 1 day ago

    When I was in college ~2011, I had a neat little piece of software installed that allowed me to sniff wifi networks. Turns out, the school did not locally encrypt your password before it was sent to the server. Meaning, students could have had super complicated passwords. And it wouldn’t matter. Because I got to see it in plain text. The school allowed you to link a secondary email since they correctly assumed people might not check the school email as much as their personal one. Which basically everyone did. And lots of people also use the same password for everything. You can see where I’m going with this…

    Facebook did hash and salt their passwords, but I managed to crack a few using a dictionary attack on a pretty shitty laptop. Though if I remember correctly, if you were automatically logged in due to session cache or via cookies, I could not find your password because that handshake had nothing to do with your password. Maybe I could have used the data some other way, but I didn’t know how.
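    The dictionary attack the comment above describes, as an added example that is not the poster's own code: a constructed user table stores only a per-user salt and a PBKDF2 hash, yet every password that appears in the attacker's wordlist is recovered, while the one that does not survives. The credentials, salts and wordlist are constructed for the example, and the iteration count is an assumption (far lower than a real deployment would use). A random session token is included to show why a captured "remember me" cookie carries nothing that leads back to the password.

```python
"""Dictionary attack against a constructed table of salted password hashes.

Added example (not code from the thread or its posters). It shows that salting
plus hashing protects only passwords that are absent from the attacker's
wordlist. The user table, salts and wordlist are constructed for this example;
the KDF parameters are assumptions.
"""
import hashlib
import hmac
import os
import secrets

# Assumed KDF parameters; real deployments use far higher iteration counts
# (or Argon2/scrypt), which slows this attack proportionally.
PBKDF2_ITERATIONS = 1000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt (32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_table(credentials: dict) -> dict:
    """Store (salt, hash) per user; the password itself is never kept."""
    table = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_password(password, salt))
    return table


def verify_login(table: dict, user: str, password: str) -> bool:
    """Server-side check: recompute under the stored salt, constant-time compare."""
    if user not in table:
        return False
    salt, stored = table[user]
    return hmac.compare_digest(stored, hash_password(password, salt))


def dictionary_attack(table: dict, wordlist: list) -> dict:
    """Attacker holding a leaked table. Because salts differ per user, every
    (user, word) pair is hashed separately (no precomputed tables), but any
    password that is in the wordlist still falls."""
    recovered = {}
    for user, (salt, stored) in table.items():
        for word in wordlist:
            if hmac.compare_digest(stored, hash_password(word, salt)):
                recovered[user] = word
                break
    return recovered


def new_session_token() -> str:
    """What a 'remember me' cookie should carry: a random token derived from
    nothing password-related, so capturing it never reveals the password."""
    return secrets.token_urlsafe(32)


# Constructed sample data for the demonstration.
CONSTRUCTED_CREDENTIALS = {
    "alice": "password123",        # present in the wordlist
    "bob": "letmein",              # present in the wordlist
    "carol": "vR7#qL2!xP9mZ4sT",   # not in any wordlist
}
CONSTRUCTED_WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def demo() -> dict:
    """Build the table and run the attack; returns the recovered passwords."""
    table = make_user_table(CONSTRUCTED_CREDENTIALS)
    return dictionary_attack(table, CONSTRUCTED_WORDLIST)


if __name__ == "__main__":
    print(demo())  # alice and bob recovered, carol not
```

    Raising the iteration count (or switching to Argon2) multiplies the attacker's cost per guess by the same factor it multiplies the server's, which is why the comment's "pretty shitty laptop" only got the few accounts whose passwords were already in a wordlist.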

  • 鳳凰院 凶真 (Hououin Kyouma)@sh.itjust.works
    17 up, 1 down · 1 day ago (edited)

    I remember in primary school, my school district wrote the passwords on index cards and passed them out to kids whenever we needed them for online assignments / quizzes / (US) State Standardized Exams, and I was just like… um… isn’t that very insecure? (Also I had already memorized the password.)

    Some classmate peeked at my card and I was like: “bruh”…

    I told the teacher about it and she just said don’t worry.

    And you can’t even change the password, not until middle school at least. Bruh, I always was afraid some dipshit is gonna log in as me and troll me

    Who the fuck runs the IT? I could probably do a better job.

    • BanMe@lemmy.world
      8 up · 1 day ago

      Practical obscurity is behind a LOT of today’s security sadly.

      I have access to the exam system our law school uses, as I co-administer it; there’s definitely a way to send people a raw text version of their password in emails. My boss also asks professors to write down their passwords on sticky notes so he can work on their PCs. This week I heard him give his SSO-connected admin account password to a faculty member over the phone, with the strict instructions that she not use it for anything else. Smh. He’s a domain admin. Mmmkay.

  • SaharaMaleikuhm@feddit.org
    20 up, 1 down · 2 days ago

    Just use a password manager. I have never “forgot” a password in over a decade. But the best part is honestly only having to remember a single password for the rest of my life. Bliss

    • mech@feddit.org
      3 up · 1 day ago (edited)

      I royally fucked up when I first started using a password manager:
      I created a password entry, copied the password from it, clicked on “change password” in the account I wanted to update, and pasted in.
      Repeat for all my accounts, without testing in between.
      I forgot that Linux has two separate clipboards for CTRL+C/V and middle click paste.
      I used the wrong one for pasting and changed all my passwords to whatever was in the other clipboard at that moment.
      Then I shut the computer down.
      And then I realized what I’d just done.

    • bluesheep@sh.itjust.works
      9 up · 1 day ago

      I mean the bigger problem in this meme is that they’re able to, and are, emailing the plaintext password.

      But in essence I do agree, use a password manager

    • Bennyboybumberchums@lemmy.world
      8 up, 1 down · 2 days ago

      Passwords are a piece of piss. But that’s cos I grew up having to not only remember between 10 and 13 digit phone numbers, but also assign them to different people. I use that part of my brain now as a password manager… lol.

      • emeralddawn45@lemmy.dbzer0.com
        6 up · 2 days ago

        Your passwords definitely aren’t secure enough then. Unless you have a fucking eidetic memory. It’s not just remembering passwords, it’s remembering which passwords go with what. I straight up don’t believe you if you tell me you have 30 different completely random alphanumeric 15 character strings locked into your brain and can reliably remember which one goes with which. And if your passwords are less than that, or if you use the same password but with slight differences, or if you have some sort of ‘system’, you’re just asking to be hacked. Just use a damn password manager.

        • burntbacon@discuss.tchncs.de
          2 up · 1 day ago

          30 different completely random alphanumeric 15 character strings

          I mean, that’s great and all, but I’m pretty sure my 65 character sentence with a foreign punctuation is even better than that. I probably have somewhere around 30 of those memorized. Probably more if you include the throwaway accounts and not just my real ones.

        • Bennyboybumberchums@lemmy.world
          2 up, 1 down · 2 days ago

          It’s absolutely fine if you don’t believe me, chief. But I spent the first 20 years of my life doing that very thing: 10 to 13 digits assigned to different people and locations, all wildly different from each other. I’m not the only one. Most people my age and older developed this skill. And they still use it. In fact, most of us can still remember the phone numbers from the 80s and 90s as well. We are Rain Man when it comes to this shit lol.

          Don’t be jelly…

          • emeralddawn45@lemmy.dbzer0.com
            4 up, 2 down · 1 day ago

            Yeah, I grew up with telephones too; it’s not the same thing. Memorizing a string of numbers is vastly different from remembering a truly random string, and if your passwords are just numbers then you’re gonna get hacked at some point. Good luck though. Also every boomer that ever lived probably knew more phone numbers than you at one point, but they all still have 12345 or some equivalent written on a sticky note somewhere, so I’m not sure why you think that that’s equivalent.

                • Bennyboybumberchums@lemmy.world
                  1 up, 3 down · 1 day ago

                  Oh buddy, you are. I mean, why would I lie about that??? If I was going to lie about something, I’d say I have a really small cock… lol

                  After this conversation is done, we won’t ever speak again. So… what would be the point of this? What possible gain is there to lie about this to someone I won’t speak to again? The answer is none. But there are plenty of reasons for you to want, or need, this to be a lie. And that’s kinda sad…

  • henfredemars@lemdro.id
    7 up · 2 days ago

    Using a password management scheme of some kind does not optional. You cannot trust them with what’s effectively a master password.

      • bdonvr@thelemmy.club
        6 up · 2 days ago (edited)

        Oh it absolutely helps. Because if you’re using a password manager then every account you have should have a different password.

        Most people who don’t use them just use the same password or a variation thereof for everything, making a leak much more devastating.

        • hperrin@lemmy.ca
          2 up · 2 days ago

          I hate passkeys, but I understand that without a password manager, they’re probably the best option. And for some god forsaken reason, like you said, most people just don’t use a password manager. I can’t even get my wife to use one, and I’ve shown her how easy it is.

        • unmagical@lemmy.ml
          1 up · 2 days ago

          You using a password manager does not solve that this org stores your password in plain text and will email it to whatever’s on file when ANYONE clicks the forgot password button.
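          The flaw this comment (and bluesheep's above) points at, shown beside its fix as an added example that is not code from the thread or from any real product: the broken store keeps the password itself and mails it to whoever's address is on file, so a database leak, a mailbox compromise, or anyone who knows a username gets the password. The hardened store keeps only a salt and hash, and "forgot password" mails a random, single-use, expiring token whose hash alone is stored server-side. The outbox is a plain list standing in for a mail transport; the reset lifetime, KDF parameters and the `example.invalid` reset URL are assumptions.

```python
"""'Forgot password' done two ways: the plaintext-emailing flow the thread
complains about, beside a reset-token flow that cannot leak the password.

Added example, not code from the thread or any real product. The mail
transport is a list that records outgoing (address, body) pairs; the token
lifetime, KDF parameters and reset URL are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 1000          # assumption; production values are far higher
RESET_TTL_SECONDS = 900    # assumption: reset links valid for 15 minutes


def kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class BrokenAccounts:
    """Stores the password itself and mails it back on request. Nothing here
    is hashed, and the request needs only a username."""

    def __init__(self, outbox: list):
        self.passwords = {}      # user -> (email, password)
        self.outbox = outbox

    def register(self, user: str, email: str, password: str) -> None:
        self.passwords[user] = (email, password)

    def forgot_password(self, user: str) -> None:
        email, password = self.passwords[user]
        self.outbox.append((email, f"Your password is: {password}"))


class HardenedAccounts:
    """Stores only salt+hash. 'Forgot password' mails a random single-use
    token that expires; only the token's hash is kept server-side, so a leaked
    resets table is as useless as a leaked users table."""

    def __init__(self, outbox: list, clock=time.time):
        self.users = {}          # user -> (email, salt, password_hash)
        self.resets = {}         # sha256(token) -> (user, expiry_timestamp)
        self.outbox = outbox
        self.clock = clock       # injectable so expiry can be exercised offline

    def register(self, user: str, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (email, salt, kdf(password, salt))

    def verify(self, user: str, password: str) -> bool:
        """Normal login: recompute under the stored salt, constant-time compare."""
        if user not in self.users:
            return False
        _, salt, stored = self.users[user]
        return hmac.compare_digest(stored, kdf(password, salt))

    def forgot_password(self, user: str) -> None:
        # Silently do nothing for unknown users: same outward behaviour either
        # way, so the endpoint cannot be used to enumerate accounts.
        if user not in self.users:
            return
        email = self.users[user][0]
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.resets[key] = (user, self.clock() + RESET_TTL_SECONDS)
        # The mail carries the token, never the password or its hash.
        self.outbox.append((email, f"Reset link: https://example.invalid/reset?token={token}"))

    def reset_password(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).digest()
        entry = self.resets.pop(key, None)      # pop: a token works once
        if entry is None:
            return False
        user, expiry = entry
        if self.clock() > expiry:
            return False
        email, _, _ = self.users[user]
        salt = os.urandom(16)                   # fresh salt on every change
        self.users[user] = (email, salt, kdf(new_password, salt))
        return True


if __name__ == "__main__":
    outbox = []
    broken = BrokenAccounts(outbox)
    broken.register("rhys", "rhys@example.invalid", "hunter2")
    broken.forgot_password("rhys")
    hardened = HardenedAccounts(outbox)
    hardened.register("rhys", "rhys@example.invalid", "hunter2")
    hardened.forgot_password("rhys")
    for address, body in outbox:
        print(address, "<-", body)
```

          The difference a password manager cannot fix is visible in the two outbox messages: with the broken store, the email is the credential; with the hardened store, the email is a short-lived capability that stops working after one use or fifteen minutes, and whoever reads it later learns nothing about the password.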

          • optional@sh.itjust.works
            2 up · 1 day ago

            That’s why I always use password hashes as my passwords. So when some hacker steals the database, with all the clear text passwords, and looks at my account, they think somehow this password is still hashed and don’t try using it directly. My current lemmy-password is $argon2d$v=19$m=16,t=2,p=1$Mk9RTWNESzMyWVljUGo5RA$BiGKlhzFuiWA0N78KzEmCQ

      • Frezik@lemmy.blahaj.zone
        7 up · 2 days ago

        To wrap it all together, password managers do have inherent flaws, but it’s better than all alternatives for passwords so far. The real argument is that passwords in general are a shitty authentication scheme.

      • ArcaneSlime@lemmy.dbzer0.com
        1 up · 2 days ago (edited)

        Figure out mine then, right now.

        (I do indeed use a password manager especially for online services, but for some things [like the PM itself] you can’t rely on it and need to remember a few, and a scheme helps for that. I also bet $10 you can’t guess one of my schemed passwords. To be fair, the way I do it it’d still be really hard to figure out the others even if you knew the system, which I will not reveal. I’d be impressed if you even guessed the system.)

        I could upgrade it though, still. New system: book cypher.

  • Zagorath@aussie.zone
    4 up, 1 down · 2 days ago
    Transcription

    Tweet by Rhys @RhysSullivan

    Clicked “forgot password” and they emailed me my password

    Attached is a photo of a man staring directly at the camera with a mildly surprised and disappointed look on his face. Eyes wide, mouth slightly open and downturned.