Ryan's guide to determining whether your password is secure:

1) Did you pick it yourself? If yes, it is not secure.

2) Is it unique? If no, it is not secure.

3) Is it part of a "password system"? If yes, it is not secure.

4) Is it created using a deterministic password generator? If yes, it's part of a "password system" and therefore not secure.

5) Did your password manager randomly generate it for you? If yes, it's probably fine.

6) Did you generate it with dice? If yes, it's probably fine.

7) Did you create your password in some other way? It's probably fucked.

@ryanc Does that apply equally to all passwords for all systems?

Do all passwords need to be "secure"?

@saraislet Great point. This post was somewhat prompted by someone describing passwords as "kayfabe".

Many passwords are vestigial, existing within systems that assume (rightly) that they are not secure. They're there because they're expected; the actual security lies elsewhere.

The nuance seems difficult to explain to people, though.

@saraislet My general opinion is that systems need to be designed to account for the fact that they're used by humans. We have very predictable failure modes that must be accounted for - trying to get us to change our behaviour to be "more secure" is like nailing jelly to a tree.