Collaborate Disseminate
From my experience, 99%[citation needed] of the time, when you try to log on to a website, and you mistype your password, you get some indication that the login could not proceed due to incorrect information and the password … Continue reading Clearing password field after an invalid login attempt
The latest advice (e.g. from NIST) recommends that user’s password are checked against known breaches and compromised passwords are forbidden.
What are some relatively straightforward steps that a regular web dev who is not … Continue reading How to check if a user’s password has appeared in a breach?
In the course of my computer working I daily use dozens of username/passphrase pairs. Within the limits of my understanding and restrictions I apply the best practices for security. Unfortunately I have limitations on my abil… Continue reading How often, if at all, should I rotate my passwords?
A few months ago, kutschkem answered a question about HIBP with this:
Let’s say every person on earth has used ~1000 passwords so far. That makes approximately 10 trillion passwords, which is ~243 if I am not mistaken. Choosing any exi… Continue reading Is it a mistake to use a password that has previously been used (by anyone ever)?
At my current company, the IT Risk team decided to ensure root passwords of about 90 systems by the following conventional method:
The length of each password must be 16 characters, where they input 8 characters while the I… Continue reading Password seal by paper or by password manager?
Enable automated password policy enforcement with daily password auditing and customizable remediation. With compromised password detection, custom password dictionary, fuzzy matching with common character substitutions, and continuous ongoing monitori… Continue reading Automate Password Policy & NIST Password Guidelines
Say I have a phone whose security is corporately managed, and this management demands that I use a 6 digit passcode to lock the phone. So far, so reasonable. This gives an attacker a possibility of 1,000,000 passcodes to try … Continue reading Can having certain restrictions/rules make passcodes less secure?
I’m currently using Linux Red Hat OS, and I need to configure it accordingly to /etc/pam.d/password-auth and /etc/pam.d/system-auth under CIS Red Hat Enterprise Linux 8 Benchmark v1.0.0-1.
What page do I start in that docume… Continue reading Learning how to audit a linux system, what does it mean to configure password & system auth?
An employee is using some easy guessable reused passwords well known to Have I Been Pwned.
OUCH.
Something bad happens.
Can an employee be sued?
Option A: An organization does not have password policy.
Option B: An organ… Continue reading Can an employee be sued for gross negligence by reusing personal passwords at work? [migrated]
I’ve noticed that on many sites, when they ask for a one-time password (OTP) (usually sent by SMS), the input is hidden in the same way as a password field is.
My understanding is that once an OTP is used, then it is no long… Continue reading Why do many websites hide input when entering an OTP?