Questions tagged [password-management]

The functions performed by the person or processes responsible for security of passwords on a given system.

Password Management includes the definition of strength rules, expiration, reset, reuse, creation and storage of passwords, as well as the manual and automated processes by which passwords are managed in an organisation.

This may include automated tools for forgotten-password reset procedures and for password strength assessments.

1271 questions
618 votes, 23 answers

How does changing your password every 90 days increase security?

Where I work I'm forced to change my password every 90 days. This security measure has been in place in many organizations for as long as I can remember. Is there a specific security vulnerability or attack that this is designed to counter, or are…
Bill the Lizard
295 votes, 7 answers

What's the rationale behind Ctrl-Alt-Del for login?

Why is Ctrl+Alt+Del required at login on certain Windows systems (I have not seen it elsewhere, but contradict me if I'm wrong) before the password can be typed in? From a usability point of view, it's a bad idea as it's adding an extra step in…
Count Zero
232 votes, 10 answers

Is there any reason to disable paste password on login?

Today I logged in to pay my cellphone bill, and I found that the site has disabled paste functionality in the password field. I'm a webdev and I know how to fix this, but for a regular user it is REALLY annoying having to type a random password like…
IAmJulianAcosta
202 votes, 10 answers

How safe are password managers like LastPass?

I use LastPass to store and use my passwords, so I do not have duplicate passwords even if I have to register four to five different accounts a day, and the passwords are long. How safe are password manager services like LastPass? Don't they create…
blended
166 votes, 5 answers

Password management for kids - what's a good way to start?

Consider a young (primary-school age) child who is starting to collect passwords for online services. How can a parent (or equivalent) help them manage their passwords? An example to make things clearer: My daughter might want to log on to…
Chris H
126 votes, 10 answers

Does an ISO27001 audit require users to reveal their passwords?

My company's system administrator is asking for our passwords for an ISO audit and my VP IT operations support says it's mandatory for ISMS (ISO27001). Can someone confirm if this is true?
v_sukt
119 votes, 2 answers

How difficult is it to crack a KeePass master password?

How easily could someone crack my KeePass .kdbx file if that person steals the file but never obtains the master password? Is this a serious threat, or would a brute-force attack require massive computing time? Assume a password more than 10…
steampowered
111 votes, 9 answers

Is it safe to send clear usernames/passwords on a https connection to authenticate users?

I'm setting up a home HTTP server which can send and receive JSON data to/from different clients (Android and iPhone apps). I'd like to allow access only to certain users and I'm considering using a simple username/password mechanism, as setting up…
Emiliano
109 votes, 7 answers

Is saving passwords in Chrome as safe as using LastPass if you leave it signed in?

Justin Schuh defended Google's reasoning in the wake of this post detailing the "discovery" (sic) that passwords saved in the Chrome password manager can be viewed in plaintext. Let me just directly quote him: I'm the Chrome browser security tech…
brentonstrine
107 votes, 15 answers

Why did customer services say using symbols in a password is insecure?

I am using an online service for which I recently had to reset my password because I forgot it. When I went to change the password, I wanted to use one with a symbol (!@£$%^&*()). When I clicked "confirm password" it displayed "_Invaid Data", which I…
iProgram
106 votes, 7 answers

School performs periodic password audits. Is my password compromised?

My university sent me an email informing me that, during a "periodic check", my password was found to be "easily discoverable and at risk of compromise". As I understand it, there shouldn't be a way for them to periodically check my password unless…
GB1553
101 votes, 3 answers

Why is Sojdlg123aljg a common password?

I was going through the list of top 100K passwords and found Sojdlg123aljg near the top of the list. Does anyone have any idea why this is such a common password?
101 votes, 5 answers

How to address bad password security policy from a large company?

I just went to reset my Western Digital password and they emailed me my plaintext password, instead of providing an online form to let me change it. This is really concerning to me as the site accepts/processes payments for their drives, and I have…
Douglas Gaskell
100 votes, 12 answers

How do very big companies manage their most important passwords / keys?

Third-party password managers such as 1password, etc. are useful for people, businesses, etc. to store passwords. But I bet Facebook, Google, Twitter and other super big tech companies don't use such third-party services for their internal passwords…
Basj
98 votes, 8 answers

Can anyone provide references for implementing web application self password reset mechanisms properly?

We are implementing self password reset on a web application, and I know how I want to do it (email a time-limited password reset URL to the user's pre-registered email address). My problem is that I can't find any references to point the developers at…
bdg