169 votes

How do I check that users don't write down their passwords?

As others said, you can't stop them. But you can remove the incentive. Does your password policy require any of the following? Changing at regular intervals Manual entering (password managers blocked)...
dlsso
  • 871
145 votes

Is displaying remaining password retry count a security risk?

Locking accounts is a bad idea in the first place. It might seem like you're making your organization more secure by keeping out "bad people" who are "guessing" at passwords using brute force attacks,...
Sean Werkema
  • 2,980
140 votes

Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?

Your question contains several false assumptions: If you're a security conscious user, you'd change your passwords regularly on any website that matters According to my password manager I have more ...
H. Idden
  • 2,953
135 votes

How do I check that users don't write down their passwords?

There is no way that you can be sure that a user hasn't written down their password. Even if you have complete access to their computer, what if they noted it down in their phone? Or on paper? And ...
undo
  • 2,155
126 votes

Why is Sojdlg123aljg a common password?

One of the most logical explanations is that those accounts were associated with a bot. Same goes for password like 18atcskd2w. Graham Cluley wrote an article about this: So, Just Why Is 18atcskd2w ...
Mirsad
  • 10.3k
121 votes
Accepted

IT will only give password over phone - but is that really more secure than email?

Emails are saved somewhere, whether it be on a mail server or someone's personal computer. Phone calls usually are not, unless it's a customer facing environment.
Rocket
  • 1,160
107 votes

Why is Sojdlg123aljg a common password?

Another possibility: Sojdlg123aljg is a Latin-character transliteration from another alphabet. For instance, a common password "ji32k7au4a83" is from mandarin "我的密碼", meaning "my password" (source). ...
Lou_is
  • 811
104 votes
Accepted

Password entry: are "paste from password manager" and "eyeball to view passwords" mutually-exclusive features?

Password managers are not meant to hide your passwords from yourself It's as simple as that. To wit: most password managers let you view your own password anytime you want anyway. I say "most&...
Conor Mancone
100 votes
Accepted

What are the security risks of logging the hash of rejected passwords?

If properly hashed (i.e. with random salt and strong hash) a hashed password is not reversible and hashed passwords for different accounts differ even if the passwords are the same. This means that ...
Steffen Ullrich
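The two properties the answer above relies on, non-reversibility and per-account distinct hashes, are easy to see by contrasting a naive log line with a properly salted one. The following is an added example written for this page, not code from the answer or from any product; the accounts, rejected passwords and wordlist are constructed, and PBKDF2-HMAC-SHA256 with 50,000 iterations stands in for whatever slow hash a real system would use.

```python
import hashlib
import os

# Constructed sample: three rejected login attempts, two of them with the same typed password.
REJECTED = [("alice", "Winter2023!"), ("bob", "Winter2023!"), ("carol", "hunter2")]
# Constructed attacker wordlist.
WORDLIST = ["password", "hunter2", "Winter2023!", "letmein"]
KDF_ITERATIONS = 50_000  # assumption: a slow KDF; tune to your hardware


def log_unsalted(account, password):
    """Naive logging: one fast, unsalted SHA-256 of the rejected password."""
    return {"account": account, "digest": hashlib.sha256(password.encode()).hexdigest()}


def log_salted(account, password, salt=None):
    """Proper logging: a fresh random salt per entry and a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"account": account, "salt": salt.hex(), "digest": digest.hex()}


def correlate(entries):
    """Group log entries by digest; any group larger than one exposes accounts sharing a password."""
    groups = {}
    for e in entries:
        groups.setdefault(e["digest"], []).append(e["account"])
    return [accts for accts in groups.values() if len(accts) > 1]


def crack_unsalted(entries, wordlist):
    """One SHA-256 per word recovers every matching entry at once, and the table is precomputable."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {e["account"]: table[e["digest"]] for e in entries if e["digest"] in table}


def crack_salted(entries, wordlist):
    """With a salt per entry the attacker must re-run the KDF over the wordlist for every entry."""
    found = {}
    for e in entries:
        salt = bytes.fromhex(e["salt"])
        for w in wordlist:
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, KDF_ITERATIONS).hex()
            if guess == e["digest"]:
                found[e["account"]] = w
                break
    return found


if __name__ == "__main__":
    unsalted = [log_unsalted(a, p) for a, p in REJECTED]
    salted = [log_salted(a, p) for a, p in REJECTED]
    print("shared-password groups, unsalted:", correlate(unsalted))
    print("shared-password groups, salted:  ", correlate(salted))
    print("cracked from unsalted log:", crack_unsalted(unsalted, WORDLIST))
    print("cracked from salted log:  ", crack_salted(salted, WORDLIST))
```

Note what the salted variant does and does not buy: it removes cross-account correlation and forces per-entry work, but a rejected password that is in the attacker's wordlist is still recovered, only more slowly. The log is therefore still sensitive material and needs the same access controls as the password store itself.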
89 votes

Is it OK that a sysadmin knows the password for a newcomer / act as a user (immediately after his/her recruiting)?

If I should never tell an admin my password (as it has been answered to the cited question) there is no reason that an admin knows my password even at the very beginning of my work in that company ...
Kolappan N
  • 2,752
88 votes
Accepted

Confused about using a password that "would take centuries to break"

The online calculators are basing their results on a particular set of assumptions, ones that might not apply in any one case. There is no basis for trusting the calculators to provide any insight ...
schroeder
  • 134k
68 votes

Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks?

Changing passwords often is not considered a best practice anymore. People are interested in HIBP because it centralizes information regarding breaches and makes it easily accessible. Not everyone is ...
they
  • 943
58 votes

IT will only give password over phone - but is that really more secure than email?

This policy is common where usernames and passwords are sent via separate channels. It doesn't matter which channels just as long as the authentication pairs are split apart and sent via different ...
Ben
  • 691
56 votes

IT will only give password over phone - but is that really more secure than email?

Emails may (though as @Luc points out, not always) be sent in plaintext across the internet. That means they may be logged by your email provider, your ISP, your recipient's ISP, your recipient's ...
Mike Ounsworth
56 votes

Should a bank be able to shorten your password without your involvement?

Most likely the bank always used just 20 characters. As Affe already suggested in the comments, the simplest explanation is that nothing has actually changed in the way the bank stores the passwords. ...
TooTea
  • 851
54 votes

Are there joint password accounts? (Like bank accounts)

It's generally undesirable to have multiple people knowing the same password. Instead, systems that require multiple users to be able to access the same resources usually require each user to create ...
Lie Ryan
  • 31.8k
52 votes

What considerations do I need to keep in mind when enforcing passphrases?

It is not necessarily a bad idea. The attacker can know the password is in that format, considering the 4 words are random enough. But here is the thing, there are other good ways to make a memorable ...
Peter Harmann
52 votes
Accepted

Does a password policy with a restriction of repeated characters increase security?

In general, no, such a policy is counterproductive to security. While many weak passwords use repeated characters, so do many strong passwords... and many weak passwords don't. Some reasons not to use ...
CBHacking
  • 53.9k
48 votes

Which password policy is more secure: one password of length 9 vs. two passwords each of length 8?

As John Deters has noted, 2x8 is almost certainly worse - but the reasons why take a little explaining. There were a couple of problems with LANMAN hashes (the classic case of breaking a password in ...
Royce Williams
45 votes
Accepted

Is it secure to block passwords that are too similar to other employees' old passwords?

A similarity check requires the password to be stored in a recoverable form, either as plaintext or encrypted with a key accessible to the server. Alternatively, the system could store variations of ...
Ja1024
  • 38.2k
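The "store variations" alternative mentioned in the answer above can be sketched without ever keeping the password in a recoverable form: alongside the real password hash, store a salted hash of a normalized stem (lower-cased, trailing digits and punctuation removed, common letter substitutions undone) and compare a candidate's stem hash against the stored ones. This is an added example for this page, not code from the answer; the normalization rules are an assumption about how people typically mutate a rotated password, and PBKDF2-HMAC-SHA256 stands in for the site's real KDF.

```python
import hashlib
import os
import re

KDF_ITERATIONS = 50_000  # assumption: tune to your hardware
LEET = str.maketrans("0134@$!", "oieaasi")  # assumed substitution table


def normalize(password):
    """Reduce a password to the stem users tend to keep when forced to change it.

    Order matters: strip trailing digits/punctuation first ("Summer2024!" -> "summer"),
    then undo letter substitutions ("P@ssw0rd" -> "password").
    """
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)
    return p.translate(LEET)


def _kdf(text, salt):
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, KDF_ITERATIONS).hex()


def make_record(password, salt=None):
    """Store two salted hashes: the real one for login, and one of the stem for similarity checks."""
    salt = os.urandom(16) if salt is None else salt
    return {
        "salt": salt.hex(),
        "pw_hash": _kdf(password, salt),
        "sim_hash": _kdf(normalize(password), salt),
    }


def too_similar(history, candidate):
    """True if the candidate shares a stem with any record in the history."""
    stem = normalize(candidate)
    for rec in history:
        if _kdf(stem, bytes.fromhex(rec["salt"])) == rec["sim_hash"]:
            return True
    return False


if __name__ == "__main__":
    history = [make_record("Summer2023!")]
    for cand in ["Summer2024!", "SUMMER2025#", "Tr0ub4dor&3"]:
        print(cand, "->", "rejected" if too_similar(history, cand) else "accepted")
```

The caveat a practitioner should weigh: the stem has far less entropy than the full password, so `sim_hash` is much cheaper to guess offline than `pw_hash` if the database leaks, and the check only catches the mutations the normalizer anticipates. Used across other employees' histories, as in the question, a match also reveals that two people chose the same stem.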
43 votes

Does password expiry provide any benefit at all (when using randomly generated passwords)?

90 days is more than enough to profit from stolen credentials (however strong they are). Moreover, most passwords will vary only by a digit or two when changed, so even a password older than 90 days ...
A. Hersean
  • 10.7k
42 votes

Confused about using a password that "would take centuries to break"

Just out of curiosity, I checked this on a very well known website(on its login page) and it stated that this would take centuries to break. Such websites cannot be taken as gospel. Many are ...
Luis Casillas
41 votes
Accepted

How to strike a balance between security policies and practical implementation challenges?

Since this question is not a technical one, rather more about human behaviour, you won't get the answer. What you describe is very typical though, and I have had the same experience. Complex password ...
martinstoeckli
37 votes

Specific character based policy for passwords

The fundamental issue is that entropy can only be estimated from the password itself, and that estimate can be very very wrong. The entropy is determined by the password generation method. You can't ...
Conor Mancone
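The gap between "entropy estimated from the password itself" and "entropy of the generation method" is easiest to see side by side, and the same arithmetic is what the "would take centuries to break" calculators in the answers above get wrong. This is an added example for this page, not code from any of the answers; the generator parameters (a 10,000-word list, 80 candidate years, 32 symbols, the Diceware list of 7,776 words, a guess rate of 10^10 per second) are assumptions chosen for illustration.

```python
import math
import string

DICEWARE_WORDS = 7776          # size of the standard Diceware list
PRINTABLE_ASCII = 94           # visible ASCII characters
SYMBOLS = len(string.punctuation)  # 32


def entropy_from_method(choices_per_position):
    """Bits of entropy for a generator that draws each position uniformly and
    independently from the given number of choices, e.g. [7776] * 5 for five Diceware words."""
    return sum(math.log2(n) for n in choices_per_position)


def naive_entropy_from_password(password):
    """What a character-class policy meter assumes: every character drawn uniformly from the
    union of the classes present. This is the estimate that "can be very very wrong"."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += SYMBOLS
    return len(password) * math.log2(pool) if pool else 0.0


def seconds_to_crack(bits, guesses_per_second):
    """Expected time to hit the password at the given guess rate (half the space on average)."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash
    # Constructed example: "Password2019!" looks strong to a meter but came from a weak recipe:
    # capitalised dictionary word (10,000) + year (80) + symbol (32).
    recipe_bits = entropy_from_method([10_000, 80, SYMBOLS])
    meter_bits = naive_entropy_from_password("Password2019!")
    print(f"meter estimate : {meter_bits:5.1f} bits -> {seconds_to_crack(meter_bits, rate):.3g} s")
    print(f"recipe entropy : {recipe_bits:5.1f} bits -> {seconds_to_crack(recipe_bits, rate):.3g} s")
    print(f"5 Diceware words: {entropy_from_method([DICEWARE_WORDS] * 5):5.1f} bits")
    print(f"10 random chars : {entropy_from_method([PRINTABLE_ASCII] * 10):5.1f} bits")
```

The meter credits "Password2019!" with about 85 bits, while the recipe that actually produced it has under 25, which a 10^10 guesses/second attacker exhausts in well under a second. The Diceware and random-character lines show why only the generation method, not the look of the string, tells you what you have.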
33 votes
Accepted

Is it a mistake to use a password that has previously been used (by anyone ever)?

The math may be right. One could refine and complicate it as much as desired, but it doesn't really add to the point. So I'll leave it be. Also, in practice it is easier—and might be faster&...
Martin Weil
32 votes

IT will only give password over phone - but is that really more secure than email?

Even if both the email and phone conversation are recorded, it is orders of magnitude easier to search an email database for "password" than it is to search voice recordings. However, best practices ...
AMADANON Inc.
32 votes

Is displaying remaining password retry count a security risk?

It depends on your lockout mechanism. If invalid logins get reset after some time AND a locked account does not get unlocked, showing a counter can help an attacker not to lock out an account. But a ...
Silver
  • 1,830
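The specific lockout mechanism the answer above describes (failures forgotten after a time window, a hard lock once the threshold is hit inside the window) can be modelled to show exactly how a displayed retry counter helps an attacker. This is an added example for this page, not code from the answer; the policy parameters (5 failures, 15-minute window) and the two attacker strategies are assumptions.

```python
class LockoutPolicy:
    """Assumed server-side rule: failures are forgotten `reset_after` seconds after the last one;
    `max_failures` failures inside the window lock the account and nothing unlocks it."""

    def __init__(self, max_failures=5, reset_after=900):
        self.max_failures = max_failures
        self.reset_after = reset_after
        self.failures = 0
        self.last_failure = None
        self.locked = False

    def attempt(self, now, correct):
        """Returns (status, remaining_retries); `remaining_retries` is what the login page shows."""
        if self.locked:
            return "locked", 0
        if self.last_failure is not None and now - self.last_failure >= self.reset_after:
            self.failures = 0
        if correct:
            self.failures = 0
            return "ok", self.max_failures
        self.failures += 1
        self.last_failure = now
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked", 0
        return "fail", self.max_failures - self.failures


def blind_guessing(policy, guesses):
    """Attacker who cannot see the counter fires one guess per second until something stops him.
    Returns the number of guesses that were actually evaluated."""
    done = 0
    for i in range(guesses):
        status, _ = policy.attempt(now=float(i), correct=False)
        if status == "locked":
            break
        done += 1
    return done


def counter_aware_guessing(policy, guesses, budget_seconds):
    """Attacker who reads the remaining-retry count and sleeps through the reset window whenever
    one retry is left, so the account is never locked. Returns guesses evaluated within the budget."""
    now, done = 0.0, 0
    while done < guesses and now < budget_seconds:
        status, remaining = policy.attempt(now, correct=False)
        if status == "locked":
            break
        done += 1
        # Never spend the last retry: wait until the server forgets the earlier failures.
        now += policy.reset_after if remaining == 1 else 1.0
    return done


if __name__ == "__main__":
    blind = LockoutPolicy()
    print("blind attacker:", blind_guessing(blind, 1000), "guesses, locked =", blind.locked)
    aware = LockoutPolicy()
    print("counter-aware attacker:", counter_aware_guessing(aware, 1000, 3600),
          "guesses in an hour, locked =", aware.locked)
```

With these parameters the blind attacker gets four guesses and then locks the account (a denial of service against the user, and the end of his attack), while the counter-aware attacker sustains four guesses per reset window indefinitely without ever tripping the lock. Whether that is acceptable depends on the rate the window allows against the password space, which is the trade-off the rest of the thread argues over.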
31 votes
Accepted

Specific character based policy for passwords

The tests for any policy are: people know about it people understand it people know if they are complying with it people know how to comply with it Your approach is about 2 out of 4 on that scale for ...
schroeder
  • 134k

Only top scored, non community-wiki answers of a minimum length are eligible