"Password is dead" meme is spreading
Enable two-step verification and now they have your phone number in their shitty insecure database.
Or just use bcrypt, blacklist the top 50,000 most common passwords, and STOP LEAKING THE UNENCRYPTED DATABASE!
More than 65 million sets of login credentials for users of Yahoo-owned Tumblr have appeared for sale through the darknet. The illicit sale stems from a leak that dates back to February 2013, one which was only disclosed by Tumblr earlier this month. "Peace", the same black hat behind the sale of 117 million leaked …
Then what do you do with people with bad memories?
IMHO a strong password that is written down (and hidden in your wallet/billfold) is better than a weak password that the user can remember. Or else use a password vault I guess?
The number of in-person hacking attempts is almost zero these days when compared to the number of online automated ones. Unless your login has some special privileges, any ne'er-do-wells just need *an* account, not necessarily *your* account.
You don't have to write it down exactly as used.
For example, you could append some common and easy-to-remember simple password to each "unique" one on the post-it note. Most opportunist criminals are unlikely to do the hard work of trying combinations for one account, more so if the dumb fuckwits that run some of these sites have proper rate-limiting on login attempts...
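The two fixes proposed above (a slow salted hash plus a blacklist of the most common passwords, and rate-limiting on login attempts) put together in one added example. This is not code from the article or from any commenter; it substitutes scrypt from Python's standard library for the bcrypt named above so that it runs offline with no extra packages, uses a small constructed stand-in for the "top 50,000" list, and assumes a sliding-window limiter keyed by account name (the names `register`, `login` and `LoginRateLimiter` are the example's own).

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed stand-in for a "top 50,000 most common passwords" list.
# Assumption: a real deployment loads a much larger list from a file and
# matches case-insensitively against lowercased entries.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "iloveyou", "football", "tumblr", "admin", "welcome",
})

# scrypt work factors; memory per hash is 128 * N * r bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def is_blacklisted(password):
    """True if the password is on the common-password list (case-insensitive)."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password, salt=None):
    """Salted, memory-hard hash. The stored string records its own parameters
    so the work factor can be raised later without invalidating old records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                       salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive with the parameters in the stored string; compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash of a random throwaway value, used so that a login attempt against a
# non-existent account costs the same time as one against a real account.
DUMMY_HASH = hash_password(os.urandom(16).hex())


class LoginRateLimiter:
    """Sliding window: at most max_failures failed attempts per key within
    window_seconds. Successes are not counted, so a legitimate user is never
    locked out by their own correct logins. The clock is injectable for tests."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self.failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, key):
        now = self.clock()
        self._prune(key, now)
        return len(self.failures[key]) < self.max_failures

    def record_failure(self, key):
        self.failures[key].append(self.clock())


def register(users, username, password):
    """Store only a salted hash; refuse blacklisted passwords outright."""
    if is_blacklisted(password):
        raise ValueError("password is on the common-password blacklist")
    users[username] = hash_password(password)


def login(users, limiter, username, password):
    """Return 'ok', 'rate_limited' or 'bad_credentials'. The limiter is checked
    before any hashing so a flood of guesses cannot burn server CPU either."""
    if not limiter.allowed(username):
        return "rate_limited"
    stored = users.get(username)
    # Always perform exactly one hash so unknown usernames are not revealed by timing.
    matched = verify_password(password, stored if stored is not None else DUMMY_HASH)
    if stored is not None and matched:
        return "ok"
    limiter.record_failure(username)
    return "bad_credentials"


if __name__ == "__main__":
    users = {}
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60)
    register(users, "alice", "Correct Horse Battery Staple 7")
    print(login(users, limiter, "alice", "Correct Horse Battery Staple 7"))  # ok
    for guess in ("password", "123456", "letmein", "qwerty"):
        print(login(users, limiter, "alice", guess))  # bad_credentials x3, then rate_limited
```

Because every stored record carries its own salt and cost parameters, a dump of `users` gives an attacker one independent, deliberately slow computation per guess per account, which is the whole point of the "use bcrypt" advice; the limiter then bounds online guessing independently of how the hash is stored.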
This.
I have to change passwords every 3 months at work, plus have multiple different passwords for different systems at work. It's a clusterf%&k to say the least. As such, I have a list in my notebook which says, for example Server 1 - "normal_1". This tells me to use my "normal" password with _1 attached on Server 1. The word "normal" is not in my password but I now know exactly what I need to type for that particular login.
Unless I'm stupid enough to tell someone what "normal" represents, it's a secure system even if someone steals my work book.
~ I smell the biometrics / humans-need-chip-implants-at-birth argument coming next...
~ Either way, anyone else feel that the real problem lies with the tech giants themselves? Who needs em? Most of these social-networking unicorny sites have grown exponentially in the rush to monetize everything for the benefit of VC's...
~ I've pulled back from the internet. It's a steaming cesspool of leaky slurpy malware! Am I any worse off? No, because so much of it is endless hyped virtual horseshit!
It doesn't matter how strong your password is, if it isn't protected by the application holding it.
Yet again, a corporation who should know better didn't follow best practices. Which is really ridiculous. We learned waaaay back when LANMAN hashes were being picked apart (pre 2006) that it didn't matter how strong your password was, it was going to get taken apart in hours if someone could get the hash.
Everyone also found out in 2011, you once again needed to update your encryption and ciphers for data at rest and in transit. Then again with OpenSSL, etc. etc.
I imagine something else will come along in the near future. Something everyone who stores credentials needs to be prepared for and stay on top of.