28
Password reuse is rampant: nearly half of observed user logins are compromised
(blog.cloudflare.com)
this post was submitted on 19 Mar 2025
28 points (100.0% liked)
Cybersecurity
6732 readers
213 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This feels a little too tinfoil-hat for me. The reality is that one strong password is going to be more secure than 50 weak passwords. If you use something like a passphrase with 30+ characters, cracking it with today’s methods will take longer than the heat death of the universe. Yes, it means all of your eggs are in one basket. But that’s why it’s important that basket is protected like Fort Knox.
And change the master password every year or two, which likely also upgrades the key used to encrypt your secrets. Someone breaking into your password manager is a lot less likely than someone breaking into one of the dozens or even hundreds of services you probably reuse passwords on.
Exactly. Without a password manager, every single service you have reuses your password on is a security risk, because any one of them will compromise the rest. And it has repeatedly been demonstrated that even large software companies don’t follow best practices regarding passwords. So any one of them being compromised is a risk. With a password manager, as long as it is properly encrypted and secured with a strong master password, the only point of attack will be your master password.
It’s less about keeping all your eggs in one basket, and more about reducing attack vectors that hackers have access to. With reused passwords, every single individual service is a potential vector of attack.
And do yourself a favor and get MFA on that password manager. That dramatically increases the skill level needed to hack your master pass.
Several of the larger password managers have started requiring MFA on new accounts. Bitwarden, for example, now requires at least an email verification. They encourage you to use other MFA methods instead, like an Authenticator app. But they at least have the email as a last-ditch “fucking fine, you really don’t want to install an Authenticator app? Here, we’re forcing you to use this as the bare minimum” backup.
And that's how it should be. In fact, I switched banks to the only one I could find that had MFA, because I value security as an option.
Nah a lot of those services are ripe for abuse... The correct answer is to just use your own... keepass for "offline" on a USB stick type of thing... or host your own vaultwarden.