Switch to KeePassXC on your Linux/Mac/Windows machine and an app that supports KDBX on your mobile device. For convenience, sync through iCloud or OwnCloud or whatever makes you happiest... and use KeePass's ability to create unique passwords on the fly for you, like this one:
If you need to log into your google account on a weird touch screen device(looking at you, Honda's android auto implementation), do NOT have a super long random string password with a bunch of special characters in it. It will make your life hell whenever you have to type it. Its much easier to type in 8 words separated by dashes on a touch screen.
It's not hard to get KeepassXC to generate a medium-length alphanumeric password, which is IMO easier to tap-type than a passphrase, and it also has a passphrase generator.
Android Auto is essentially just using your car's screen as a remote display. I don't believe any of the real processing actually happens on your car's head unit. Your data doesn't get shared with the head unit at all.
Yeah, no, not doing that unless I get to security audit their code end-to-end. Have you seen the stories of auto APIs being completely unsecured, or just flat broken?
No, but I have read stories of auto APIs that are as broken as "change the user ID at the end of the request string, and you can see the entire account details of any other registered user".
That sort of incompetence makes me pause and think.
False equivalency: When the manufacturer fails to secure PII, plus location history, plus control points of the car's internals, etc etc... that's far worse, more obscured, and much more in need of public disclosure than "door's unlocked, free contents!"
It's neither far worse, nor more in need of public disclosure, at all, because it's the exact same, consequentially. Literally, even! In order to take advantage of your "exposed" PII, the adversary needs physical access to your car.
I was actually trying to hack the head unit and it made my life easier by being able to log into google drive on the onboard browser and download some files.
The pull request was made at the very end of 2017 and much of the discussion happened in 2018 (as did the blog post by the originator of the pull request that is linked elsewhere in this thread.)
I'm not really sure what the policy is when the linked content spans the new year.
Comments do not make the original post. We can have comments on some platforms for years after the OP. I think this way seems very logical, date the OP.
I regularly use hunter2 as the example or test value for passwords/keys. I wonder how many other people do this, and how many times it's accidentally leaked into production...
It is a pretty good password. Just "hunter" is no good because it has no digits, so of course you'd add a "1"... but wait! It's actually a 2! That's the pro security twist the hackers won't expect.
I don't see my password on the list, but I want to make sure it stays that way. I wonder if they'd be willing to add a list of passwords never to be included on any list so as to keep their users safe.
There was this spoofed page that looked just like plain, unordered text file of passwords, that intercepted ctrl-f, displayed searchbox look-alike based on your user-agent and generated entries to match the password you are typing, so it looked as if your password was there. Anyone happens to remember the URL?
To my surprise that password isn't listed by Pwned Passwords. That's much more secure than I'd expected and I commend its creators for their outstanding work.
60 comments
[ 2.9 ms ] story [ 128 ms ] thread{"5vb"9d"Q}+;FKy/N:)Hn3A#.'mJ$amkuWq%_pX
If you need to log into your google account on a weird touch screen device(looking at you, Honda's android auto implementation), do NOT have a super long random string password with a bunch of special characters in it. It will make your life hell whenever you have to type it. Its much easier to type in 8 words separated by dashes on a touch screen.
As it should be.
No password, no.
That sort of incompetence makes me pause and think.
Okay, got it...
Nothing false, it's actually equivalent.
https://support.google.com/accounts/answer/185833?hl=en
Also see: http://blog.assafnativ.com/2018/02/dolphins.html
I'm not really sure what the policy is when the linked content spans the new year.
(not sure if serious discussion is expected here, so I will leave my useless comment as is!)
Freaks me out every time I see it and I'm trying to get them to use "overwritten_on_deploy" or something similar.
If he instead routes his request to Github’s GDPR compliance department, it will be illegal for them to refuse the deletion.
> If he instead routes his request to Github’s GDPR compliance department, it will be illegal for them to refuse the deletion.
That's a good tip. If assafnativ ever wants to actually do that, I'm sure they will.
Which will of course also remove it from all the password dumps it was initially included in, and protect assafnativ from all future hacking attempts.
Definitely a great example of how the Streisand effect affects security.
Awesome idiomatic phrase!
To my surprise that password isn't listed by Pwned Passwords. That's much more secure than I'd expected and I commend its creators for their outstanding work.
Good reminder to be careful using/trusting password generators online.