Don't choose long passwords
- Trigger alert*: addition, I guess?
Don't use long passwords.
They're really easy to get wrong when you're drunk, and if you have your `pass` alias written out to erase your pass file if you type it incorrectly more than twice, you know, just in case, this can get pretty ugly pretty soon.
Bartender, I'll have some water, please? Cold, if possible.
Oh and do you have, erm, sandwiches, of any kind? I kind of have the post-beer munchies...
Note: the trigger alert is there in case anyone's struggling with addiction. I know -- from second-hand experience, fortunately -- that this is tough. Please don't worry about me, I've never struggled with it and I'm actually completely fine, I just went out for drinks with an old friend, and it seemed a little funny that it took a few attempts to type my master password.
I got it right, too!
I use Bitwarden to store passwords of about 32 random characters (unless there is a restriction for fewer characters).
My main problem has been writing those long pwds on devices like TV sets, or guest mode PCs, where I can't easily copy them.
Some shortcuts have appeared like scanning a QR code or inputting a single-use code. But it seems they will never become a standard.
For those cases I use a sequence of 5-8 words to have 'more entropy' in a simple way to input it. But... ¯\_(ツ)_/¯
Yeah, I use diceware passphrases for any passwords that I have to remember and type often (as opposed to passwords that live in KeepassX or Firefox), and at work, they lock your account after three failed logins... to *any* service using their single sign-on. But the help desk will unlock it over the phone without any evidence that the caller is the owner of the account.
Personally, I like the idea of applying exponential backoff to password attempts.
always bothered me when systems lock people out or wipe after a few wrong passwords. it usually ends up stopping people who actually have the account more than attackers. both attackers and people who don't have eidetic memory use the same technique anyway: "alright, so i know i have a couple of common passwords, so let's go through variations of them because i don't remember what i used here". if it's like, a bank account or the nuclear launch codes, i understand. but being locked out of a streaming account because i forgot which password the person who signed up for it used? very annoying
Even worse, it enables a new kind of malicious behavior: intentionally locking someone out of their own account/device.
A friendlier approach I've seen is to increase an enforced delay between password attempts, which disrupts an attacker's ability to brute force their way in without locking the account-holder out.
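One way to implement the enforced, growing delay the last two comments describe, as an added example that is not code from anyone in this thread: the `Throttle` class, its parameters, the account names and the attacker model (always wrong, always waits exactly the required time) are assumptions. It also goes slightly beyond the comments by counting how many guesses that attacker gets at one account in a day, which is the number a defender actually cares about.

```python
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Throttle:
    """Per-account exponential backoff for failed logins (constructed example).

    After n consecutive failures the next attempt is refused until
    base * 2**(n-1) seconds have passed since the last failure, capped at
    max_delay. The account is never locked: the legitimate user always gets
    another try once the delay has elapsed, so a third party cannot lock
    them out by deliberately failing logins on their behalf.
    """
    base: float = 1.0
    max_delay: float = 3600.0
    clock: Callable[[], float] = time.monotonic      # injectable for tests
    _failures: dict = field(default_factory=dict)    # user -> (count, last_fail_ts)

    def required_delay(self, failures: int) -> float:
        if failures == 0:
            return 0.0
        return min(self.base * 2 ** (failures - 1), self.max_delay)

    def attempt(self, user: str, password_ok: bool) -> tuple[bool, float]:
        """Return (accepted, seconds_to_wait).

        Accepted only when the password is correct AND the delay has elapsed.
        An attempt made too early is refused without checking the password and
        without touching the failure count, so it leaks nothing and cannot be
        used to inflate the delay faster than real time passes.
        """
        now = self.clock()
        count, last = self._failures.get(user, (0, 0.0))
        remaining = self.required_delay(count) - (now - last)
        if remaining > 0:
            return False, remaining
        if password_ok:
            self._failures.pop(user, None)           # success resets the backoff
            return True, 0.0
        self._failures[user] = (count + 1, now)
        return False, self.required_delay(count + 1)


def attempts_within(horizon: float, base: float = 1.0, max_delay: float = 3600.0) -> int:
    """Guesses an always-wrong attacker can make at one account within `horizon`
    seconds if they wait exactly the required delay between attempts."""
    t = [0.0]                                        # fake clock, seconds
    th = Throttle(base=base, max_delay=max_delay, clock=lambda: t[0])
    n = 0
    while t[0] <= horizon:
        _, wait = th.attempt("alice", password_ok=False)
        n += 1
        t[0] += wait
    return n
```

With the defaults, a brute-forcer is held to 35 guesses per account per day, while the drunk account-holder who gets it right on the third try waits a total of three seconds.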