Password managers and 2FA etc

Posted: March 5th, 2024, 8:18 pm
by Lanark
Moderator Message:
Split off from the Facebook login thread (chas49)

chas49 wrote:at least it made me change my password which is good practice :)


Not any more, companies are starting to wake up and realise that forcing people to change password every 30 days actually made them choose really weak passwords with a number on the end.

It has taken a loooooong time for that bit of common sense to prevail.

Re: Password managers and 2FA etc

Posted: March 5th, 2024, 9:24 pm
by Mike4
Lanark wrote:
chas49 wrote:at least it made me change my password which is good practice :)


Not any more, companies are starting to wake up and realise that forcing people to change password every 30 days actually made them choose really weak passwords with a number on the end.

It has taken a loooooong time for that bit of common sense to prevail.



In addition, it makes people sloppy about hiding where they are writing down the current password.* If you break into my house you'll have to pick the right one of the many Post-It notes stuck to my screen to read my card sales figures!

Business Track (my card merchant bank account interface) forces me to choose a new password every three months and it is beyond tedious and forces (relative) insecurity, but also firmly lodges liability with me.

* Despite official advice not to write down passwords I'd imagine we all do it. I have well over 100 on my list, all different. It's the way most of us choose as this human memory simply isn't strong enough, and I don't trust on line "password managers".

Re: Password managers and 2FA etc

Posted: March 6th, 2024, 10:27 am
by kyu66
Mike4 wrote:* Despite official advice not to write down passwords I'd imagine we all do it. I have well over 100 on my list, all different. It's the way most of us choose as this human memory simply isn't strong enough, and I don't trust on line "password managers".


My bold above, re. 'on line', neither do I.

I prefer to use a local password manager that stores the database encrypted on my local machines. I use cross-platform applications so that I can access the database from my local machines and phones. KeePassXC is my preferred password manager at the moment.

Re: Password managers and 2FA etc

Posted: March 6th, 2024, 3:36 pm
by Infrasonic
If you have decent 2FA enabled on your accounts then passwords are less critical.

By way of example, if I look at the online security section on my Microsoft account I can see something like thirty attempts a day to log into it from all over the world (probably via VPN proxies...). Even if they have brute-forced the password, they still can't get in as it will require 2FA from me locally.

I've had 2FA enabled on FB for a few years now - I'm using an authenticator app on my phones currently but will probably switch to hardware keys soon.
I get occasional alerts from FB (yes genuine...) that someone has requested a password reset, so clearly there is plenty of activity there also with attempted account hacks. C'est la vie...