Collaborate Disseminate
A while ago I wanted to deploy a service using a OCI (docker/podman) container, and I noticed to me, what seemed like a possibly distributing trend. In the build file for a lot of the containers, the password is put there in plain text in … Continue reading Passwords/password hashes in plaintext in service configs – why is this common practice?
Is there any professional consensus on what the optimal password minimum length requirement should be?
The University of Michigan recently implemented a 15 character minimum for all users.
To me (complete layperson), this seems foolish bec… Continue reading Optimal password minimum length requirement? (In particular, does a 15 character minimum make sense for most university users?)
Is it safe not to have a 2FA for a password manager itself?
It seems that using an app for TOTP authentication for a password manager could increase the security. But it turns out that in this case I should remember by heart the password f… Continue reading Security of password managers vs. risk of losing access
A security value called Restriction of Repeated Characters for Passwords (QPWDLMTREP) can be configured in IBM i. If QPWDLMTREP has a value of 1, then "the same character cannot be used more than once in a password, even if the repeat… Continue reading Does a password policy with a restriction of repeated characters increase security?
How do environments like Active Directory determine if you reuse parts of previous passwords in a new password? I understand that it keeps a list of your last passwords, hashed. But how do they determine if I reuse parts of a last password… Continue reading How is "partial" password reuse determined? [closed]
Besides “your password must contain this” complexity requirements, some places also have “your password must not contain this” rules, sometimes with fairly short substrings of the username, a day of the week,… being enough for a password t… Continue reading Password restrictions limit Diceware word list – (when) can this get bad enough one should choose another strategy?
A bank I (previously) used in Australia forced users to comply with a 6-character limit on every password. Specifically, the rules were:
6 characters exactly, including at least 1 number and letter
No more than 2 repeating characters
No b… Continue reading My Bank Enforces A 6 Character Limit On Passwords. Is This Bad?
The bank of a friend changed password policy, such that you are limited to 20 characters. However, he used 24 letters before and thus was not able to log in anymore.
He called his advisor, who suggested, he should try to log in with the fi… Continue reading Should a bank be able to shorten your password without your involvement?
There has been many discussions about this topic on this website. But mostly outdated. I wanted to draw your attention back to this. Although nothing has changed, but I can’t come up with any reasons to not use TOTP as a replacement for pa… Continue reading Use TOTP as a single factor authentication [closed]
I am testing a web app in which there is a section where it is possible to view all the users who can access it with their passwords in clear text. Is it normal this thing?
Continue reading unencrypted user credentials accessible from the web app