One of my new favorite things to do..

thecomputerguy

When a client can't remember a password, or needs a password reset, instead of trying the 15 passwords they have written on the back of a napkin I give them one chance.

I say, "Do you know what the password is for the account or should we reset it?"

They then get one chance to give me a password and then I say, it's no problem, let's just reset your password.

Then I say, "Ok what password would you like to use, or would you just like me to generate one for you?"

Most people think they are taking the easy way out and putting the burden of making them a new password on me so they don't have to use their noggins!

OH NO NO NO

I fire up: https://passwordsgenerator.net/

Generate them a password like: %SL9j3pZ%sXCCcx

And say HERE YA GO! Good luck!

Most are like ... uhhh wat

Then I explain to them that it's random and complex and about as secure as it's going to get. Then I recommend also adding 2FA to their accounts (which they never do) and then using a password manager (which they never do).

You can only lead a horse to water!
 
...and recorded by the website to a database that can (and probably will) be compromised at some point...just sayin..

*CITATION NEEDED*

That link is all JavaScript and it really isn't that hard to parse through it really quickly to disprove that assertion of yours.

I've done this, please, go do it yourself and see for yourself. Because if there are any remote calls in that script, I sure don't see them.

Or well... continue with fear and ignorance. I suppose it's a common enough approach to life.

I'm not a huge fan of using websites to generate passwords either, but with all things going "web" or "app" that's basically how the entirety of the world works now. Still, you're not wrong that firing up a local password manager, such as KeePass, and using that as the generator is "safer", but I see no reason why passwordsgenerator.net isn't safe.
 
...and recorded by the website to a database that can (and probably will) be compromised at some point...just sayin..
Not very helpful even if it did. It doesn't collect your login email so it has nothing to link it to. At best the generated passphrase could be added to a dictionary list of known passwords. The simple solution for that is to simply rearrange the words in a different order or choose the 12-word version and discard 8 of the words. Pick them yourself and save them.
 
Then I recommend also adding 2FA to their accounts (which they never do) and then using a password manager (which they never do).
And they keep their passwords in unlocked Notes on their iPhone even after I show them how to lock the note. Or they keep them in the address book on their phone.
 
Because many services (especially the ones you WANT to be secure like BANKS and BROKERAGE ACCOUNTS) have limitations that thwart "really good" passwords, I've landed on just using passwords I make up on the spot using a similar style as the ones you get from O365 - 4 random letters, initial cap + one symbol + 5 random numbers. Yubk@75980 is very secure, easy to make up one or several instantaneously, and a $#*&load easier to type than a 10 or 12-character random string. I wish everything would allow passphrases - maybe next year...haha.
 
Just use a password manager and let it generate them for you, I use 1Password, and it's been the greatest thing I have invested in at like $60 a year.

All passwords are 25 characters, uppers, lowers, numbers, symbols, and unique. My password manager is protected by my Master Password which is long and unique. Any new login requires my Master Key which is generated by 1Password, and any new login also requires an MFA code provided by my Authy account.

And if I ever get an employee I can share what I want with them.
 
This thread was about making up passwords for clients. While I recommend managers (use Bitwarden myself), most customers decline that option, so I use the method I outlined above.
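
Added example, not part of any post in this thread: a local generator for the two password styles discussed above (the "4 letters, initial cap + symbol + 5 digits" format and the 25-character all-classes format), using Python's `secrets` CSPRNG so nothing leaves the machine, plus the entropy each format provides. The symbol set and all function names are assumptions made for the example.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*"  # assumed symbol set; the thread does not specify one
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def pattern_password():
    """4 random letters (initial cap) + one symbol + 5 random digits."""
    letters = "".join(secrets.choice(string.ascii_lowercase) for _ in range(4))
    digits = "".join(secrets.choice(string.digits) for _ in range(5))
    return letters.capitalize() + secrets.choice(SYMBOLS) + digits


def pattern_entropy_bits():
    """Entropy of the pattern when every position is chosen uniformly."""
    # The capital is fixed by the format, so it contributes no entropy.
    return 4 * math.log2(26) + math.log2(len(SYMBOLS)) + 5 * math.log2(10)


def random_password(length=25):
    """Uniform random string guaranteed to contain all four classes."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    while True:
        # Rejection sampling: redraw the whole string rather than patching
        # characters in, so every valid password stays equally likely.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def random_entropy_bits(length=25):
    """Upper bound; the all-classes rule costs a fraction of a bit."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    print(pattern_password(), f"{pattern_entropy_bits():.1f} bits")
    print(random_password(), f"{random_entropy_bits():.1f} bits")
```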
 