this post was submitted on 27 Jul 2025
1046 points (98.9% liked)

Greentext

6852 readers
343 users here now

This is a place to share greentexts and witness the confounding life of Anon. If you're new to the Greentext community, think of it as a sort of zoo with Anon as the main attraction.

Be warned:

If you find yourself getting angry (or god forbid, agreeing) with something Anon has said, you might be doing it wrong.

founded 2 years ago
MODERATORS
Early_To_Risa@sh.itjust.works
1046
Anon witnesses excellent security (sh.itjust.works)
submitted 3 days ago by Object@sh.itjust.works to c/greentext@sh.itjust.works
113 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] psycho_driver@lemmy.world 30 points 3 days ago (3 children)

Don't forget your new 32 character/symbol/number/nordic rune passwords that will need to be changed every 17 days.

[–] AllHailTheSheep@sh.itjust.works 17 points 3 days ago (2 children)

I hate sites that make me constantly change passwords. it's been shown time and time again that making users change passwords often decreases security by a pretty large factor, and yet a lot of sites still do it

[–] MrsDoyle@sh.itjust.works 11 points 3 days ago

Our workplace did that. You had to change every month and you weren't allowed to just add a digit. It meant that people started writing their passwords on post-its stuck to the monitor.

Mind you, back in the 90s your password was the same as your username. It was very handy, because if someone went home leaving a document locked, you could just log in and unlock it. Our first "proper" IT professional was horrified.

[–] brbposting@sh.itjust.works 7 points 3 days ago (1 children)

Interesting, stopped seeing this a while back. Forced change after the inevitable hack though of course

[–] Object@sh.itjust.works 7 points 3 days ago

Could be because OWASP now actively recommends against periodic password changes.

Ensure credential rotation when a password leak occurs, at the time of compromise identification or when authenticator technology changes. Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable Multifactor Authentication Cheat Sheet (MFA). According to NIST guidelines, verifiers should not mandate arbitrary password changes (e.g., periodically).

[–] fibojoly@sh.itjust.works 4 points 2 days ago

Oh you gonna love those new directives for SSL certificates we got cooking!

[–] wolframhydroxide@sh.itjust.works 5 points 3 days ago (2 children)

And don't forget required 2-factor authentication, in an age where that becomes 1-factor authentication as soon as someone has your phone, because both factors are accessible there!

2FA is utterly worthless in the age of smartphones, and whenever my employer tries to implement it, I refuse and tell them that, if they want me to do 2FA, they can either provide me with a work phone, or they can give me a USB key that is just going to sit in my desk drawer.

[–] a_wild_mimic_appears@lemmy.dbzer0.com 6 points 3 days ago* (last edited 3 days ago)

which still requires someone to swipe the phone and the owner not recognizing it long enough to do a remote wipe. I am not someone who hangs on the smartphone 8 hours per day, and even i would realize my phone is gone within 15 - 30 minutes, giving an attacker a pretty small time window to act.

e: and they have to break into the phone as well - if it's updated, that might buy more than enough time

[–] Gutek8134@lemmy.world 1 points 2 days ago (1 children)

There are other ways to 2FA, such as having a physical key on yourself /srs

[–] wolframhydroxide@sh.itjust.works 1 points 2 days ago

Hence why I tell my employers that I'm good with h That option (see the last bit of the comment to which you replied) the problem is that this method of 2FA is not implemented commonly, and so most systems I've encountered bug out when trying to set it up.