• Dash@beehaw.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    My argument for it being worse than useless and actively harmful is changing a password needlessly does open the possibility of it being scraped, observed, or otherwise compromised during the password change process. It’s wildly over-cautionary on my part to make that claim, but wild speculation tends to be the name of the game.

    If you’re changing passwords, there is a period in time when that password is in plain text or completely visible in some form. If there’s a camera, if someone is secretly watching, if it’s somehow observed even remotely via screen recording or logging, that password during the process of it being changed is now compromised in a way that wouldn’t have happened if someone’s password manager was simply auto-filling the password in. Of course, there are much worse issues going on if this is a real concern but, again, security tends to be about finding the wildest and outlandish things that could be compromising and nipping them before they can be exploited.

    Arguably even typing your password with someone around can be compromising. I work in IT, and I can’t even count the number of times I’ve worked with an end user and frustratingly observed them chicken peck a password that, if I was malicious, I could make an educated guess and probably get in before the lockout is concerning.

    I’ve guessed more than one phone passcode from end users requesting help just by seeing where their thumb moved when unlocking it. I wouldn’t tell them that, but it’s pretty easy to guess when someones password is 1972 when they hit all of the corners on their screen. At this stage of the game passwords themselves are a vulnerability. In comparison, cracking faceID or a thumb print is WAY harder and requires way more preplanning.