World Password Day. Join the Fight Against Cybercrime, One Password at a Time (elnion.com)
8 points by dez_blanchfield 9 months ago | hide | past | favorite | 7 comments



Ever since I was phished, I’ve updated my password practices to have every single account I have to use a unique password. That way, if any of them are involved in a data leak, the rest of my accounts are still secure.


I think one factor that's often overlooked with this advice is that many devices are designed in such a way that entering a secure password is a tedious and error-prone process, and hence we should rethink whether passwords are the best way to secure said devices.

For example, while your computer or phone may have a password manager, I'm pretty sure your car, TV, games console, etc. doesn't, and so having to enter a lengthy and difficult-to-crack password one letter at a time via a stupidly clunky interface is a usability and security nightmare in and of itself.

And even with a phone, entering a lengthy or complex password via a touch screen keyboard is quite the ordeal. So I wouldn't be surprised if many people don't bother with good passwords simply because it's easier to enter a single word with a few numbers tacked on the end via a touch screen or remote control.


I think we need to simplify for broad audiences (I realized this post is aimed at technical people). The beginning and end of the list should be "use a password manager". Other things are also great, but this first step is huge and I wouldn't even try mentioning the later steps to most people.


There should have been a standard to let browsers handle this automatically, with secure keys long ago.


I would love to see some sort of PAKE integrated into browsers and regular form input fields. Browsers would very strongly encourage randomly generating passwords on signup and not allow the site access to them. Users would also be discouraged from exporting the generated password from the browser (but if needed to log into a different computer or to back them up, they could see the password). Seems to give 99% of something like WebAuthn but way more understandable to the average user.


The article asks users to make sure passwords include upper and lowercase and special chars.

This is just wrong. Diceware passwords are better for passwords that need to be memorized.


They're better for a lot of people, but certainly not all. I find the "Correct Horse Battery Staple" approach to be a much more difficult approach to remember and use than just a randomly generated string.
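An added example (not from the thread or the linked article) putting numbers on the Diceware-versus-random-string comparison above: the five-dice-roll index scheme Diceware uses, a CSPRNG-backed generator for both styles, and the entropy each one reaches per symbol typed. The word list is a constructed eight-word sample; the entropy figures use the real list size of 7776.

```python
import math
import secrets
import string

# Constructed sample word list; a real Diceware list has 6**5 = 7776 entries,
# one per five-dice roll, and the entropy figures below use that real size.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "anvil", "quartz", "meadow", "falcon"]
DICEWARE_LIST_SIZE = 6 ** 5
# Printable ASCII minus space: the alphabet of a typical "random string" password.
ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest count of uniformly chosen symbols reaching at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def diceware_index(rolls: str) -> int:
    """Map a five-dice roll such as '11111'..'66666' to a word-list index 0..7775."""
    if len(rolls) != 5 or any(d not in "123456" for d in rolls):
        raise ValueError("expected five digits in 1..6")
    index = 0
    for digit in rolls:
        index = index * 6 + (int(digit) - 1)
    return index


def diceware_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words with a CSPRNG; `secrets.choice` stands in for physical dice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length: int, alphabet: str = ASCII_ALPHABET) -> str:
    """Uniformly random string over the printable-ASCII alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def typing_cost(target_bits: float) -> dict:
    """Symbols a user must type for each style to reach the same entropy target."""
    n_words = symbols_needed(target_bits, DICEWARE_LIST_SIZE)
    n_chars = symbols_needed(target_bits, len(ASCII_ALPHABET))
    avg_word = 5  # constructed assumption: average word length in the list
    return {"diceware_words": n_words,
            "diceware_typed": n_words * (avg_word + 1) - 1,  # words plus separators
            "random_chars": n_chars}
```

For an 80-bit target the passphrase needs 7 words (about 41 keystrokes with separators) against 13 random characters, which is the trade-off the thread is arguing about: fewer keystrokes on a remote control versus something a person can actually remember.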



