this post was submitted on 12 Mar 2024
39 points (93.3% liked)
Cybersecurity
I say go for it.
If you're working on something sensitive enough that a Yubikey isn't good enough security, then the team you're working with should be enforcing other protections like MFA, which mitigate the algorithm risks.
Obviously, if you get a chain of fraudulent MFA requests, change your password approach, though.
Otherwise, it beats what most people are doing by a long way. Casual attacks are going to go through Karen in accounting's weak password, not reverse engineering your Yubikey.
Edit: Your prefix length matters here, though. You don't want it to be so short that it volunteers for more scrutiny in a breached data set.
Edit 2: Marcos makes a great point about putting yourself in a position where, when you change your password, it's necessarily extremely similar to previous passwords. That's not great.