39
[Question] Is this a secure way to generate passwords
(sh.itjust.works)
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
Community Rules
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
I say go for it.
If you're working on something sensitive enough that a Yubikey isn't good enough security, then the team you're working with should be enforcing other protections like MFA, which mitigate the algorithm risks.
Obliviously, if you get a chain fraudulent MFA requests, change your password approach, though.
Otherwise, it beats what most people are doing by a long way. Casual attacks are going to go through Karen in accountings weak password, not reverse engineering your Yubikey.
Edit: Your prefix length matters here, though. You don't want it to be so short that it volunteers for more scrutiny in a breached data set.
Edit 2: Marcos makes a great point about putting yourself in a position where, when you change your password, it's necessarily extremely similar to previous passwords. That's not great.