4
Why even let users set their own passwords? (www.devever.net)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
7 comments fedilink hide all child comments

TLDR:

Here is generated summary of the article:

  • The author argues that passwords are not a secure way to authenticate users, and that websites should instead issue randomly generated passwords to users.
  • The author points out that websites already do this for API keys, which are used to secure high-stakes applications.
  • The author argues that this model of password issuance would be more secure than the current system, and would also simplify the login process for users.
  • The author also discusses the limitations of TOTP-based two-factor authentication, and argues that it is not as secure as it is often made out to be.

Here are some of the key points from the article:

  • Passwords are often weak and easy to guess.
  • Users are often not good at choosing secure passwords.
  • Websites often do not implement password best practices.
  • TOTP-based two-factor authentication is not as secure as it is often made out to be.
  • A more secure system would be to issue randomly generated passwords to users.
top 6 comments
sorted by: hot top controversial new old
[-] [email protected] 6 points 1 year ago

You have to balance security with usability. Most users aren't gonna understand the flow of getting a randomly generated password, and they're just gonna write it down if they do. This is a delicate balance that all cybersec people know.

[-] [email protected] 3 points 1 year ago

I’m aware of the balancing act. I just thought it was an interesting opinion piece that I myself don’t quite share. My words [will always be bracketed] to tell the difference. Thanks for offering a counter argument to this article!

[-] [email protected] -1 points 1 year ago

I mean I was just offering my response. But I'll be sure to remember this one random guy will put his words in [brackets]

[-] [email protected] 3 points 1 year ago* (last edited 1 year ago)

I was responding based on the community you’re in. I’m now assuming you are seeing this from either local feed, or subscribed. If that’s the case, then I understand the confusion.

I wasn’t intending to give off hostility in my words. If that’s what you interpreted, my bad for phrasing it poorly.

[-] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Passwords are a very simple system that has been used since antiquity, its distribution in the Roman military having been described by Polybius.

Passwords found use in early computing. The Compatible Time-Sharing System (CTSS) developed at MIT in 1961 implemented a PASSWORD command, which only hid the characters to be typed.

The notion of hashing passwords was created in the early 1970s by Robert Morris. He also invented the crypt(3) algorithm, which used a 12-bit salt and invoked a modified form of the Data Encryption Standard (DES) algorithm 25 times to reduce risk of pre-computed dictionary attacks.

The ease of implementation is why password-based authentication is used everywhere. But I might argue this is too simple and can be exploited by attackers. Year after year, a new hashing algorithm becomes considered not secure enough.

load more comments
view more: next ›
this post was submitted on 23 Jul 2023
4 points (100.0% liked)

The Andromedus Galacticus Collection

600 readers
1 users here now

This is a personal collection of things I find around the internet.

Alright, so somehow you found this place. Here's what to expect:

Due to the nature of this place, you may find a bunch of stuff that you don't care about, but you may also find a new passion.

So, the gist is, this is a place where I'll share random things, and you'll discover the internet with me.

Oh yeah, I didn't advertise this place anywhere, so hey, how did you even get here?

Check out the sister sub where you discover music with me! [email protected]

founded 1 year ago
MODERATORS
[email protected]