I was a PM at Instagram in 2016 when we got a lot of these complaints from celebrities and users with short usernames.
Some users were getting hundreds of reset emails/day triggered by random people in the world trying to reset their password.
It's a really hard problem to solve because if these users actually forgot their password someday, they would really want those emails. We ended up creating a "snooze for 30 days" button at the bottom of the email as an imperfect solution to balance short-term spam and long-term lockout (with an override if the device ID requesting the reset had recently been logged in to the account).
Idk if that still exists on IG but doubt it was ever ported to FB.
If websites made a concerted effort to train their users to not "remember passwords", this could eventually be solved.
Human brains are not designed to remember:
* Passwords that aren't reused across the many dozens/hundreds of logins a person typically has
* Passwords that aren't easily guessed phrases including substrings of personal information (birthdays, children's names, etc)
* Long and strongly random
Yet good passwords need to be all of those. Christ, if websites just included a little "have you considered using a password manager?" link on the registration page. Tragedy of the commons I guess... everyone wants other companies to do the hard work of convincing a few percent per year to use them. We'll still be dicking around with this bullshit 30 years from now though.
The problem is easy. The work of implementing it is difficult and slow. Let someone else do it.
It might have been a convenience thing back when there were only a few sites on the Internet but it's unreasonable, and just not practical to expect users to memorize several hundred, good, unique passwords for all the websites and apps they'll use in their modern digital life. Login with Google/Facebook/Apple/auth0 help mitigate the number of passwords to remember, but then you are beholden to that company.
Not all single points of failure are made equal, and password reuse is a much bigger problem than the possibility of your password manager getting hacked, assuming you choose a good one.
My bigger worry is less getting hacked and more losing access to the password manager: If I use an online one, I'm once again dependent on a third party that can change their terms (or have an outage or get hacked) tomorrow; if I use an offline one, I have to manage a password database which has to be backed up, synchronized across devices, etc.
If I use a new device, I cannot log into any account if I don't have an old device at hand from which to copy the password file.
All that seems a lot more risk and hassle than choosing 2 or 3 good passwords (correct horse etc), then making variants that you can remember for each site.
If I were nefarious I would attempt to login to websites with variations of pwned passwords and you would be one pwned trivial bullshit site away from having your entire digital life pwned. This form of security is worse than nothing because it gives a false assurance of security AND a false concept of ergonomics in one go.
99.9% of people are going to be unable to remember a reasonable number of variants that aren't trivially deterministic, and once things are very similar to one another it's increasingly easy to confuse them.
You can sync your encrypted password vault between local devices and a remote resource which has access to the vault but not the key for same. At that point it is very, very hard to get pwned or lose access to anything. This was a solved problem 20 years ago.
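The split the comment above describes (the remote holds the ciphertext, only the devices hold the key) can be shown in a few dozen lines. The following is an added illustration, not code from the commenter or from any real password manager: it stretches the master password with PBKDF2-HMAC-SHA256 (a real manager would use Argon2id or scrypt), encrypts with an HMAC-SHA256 counter-mode keystream plus a separate HMAC tag (encrypt-then-MAC, standard library only; a real manager would use AES-GCM or XChaCha20-Poly1305), and models the sync server as a class that stores blobs and never receives a key. The iteration count, salt/nonce sizes, the `SyncServer` class and the sample vault entries are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Assumed parameters for this illustration only.
KDF_ITERATIONS = 200_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.

    Only the salt is stored next to the vault; without the master password
    the salt is useless, so the sync server never learns either key.
    """
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a simple stream cipher (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_vault(master_password: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the vault. The returned blob is what gets synced."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # The tag covers salt and nonce too, so a server cannot swap them unnoticed.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; wrong password or tampering fails closed."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault has been tampered with")
    plaintext = xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext)


class SyncServer:
    """Stand-in (assumed) for the remote resource: stores blobs, never sees a key."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def push(self, user: str, blob: bytes) -> None:
        self.blobs[user] = blob

    def pull(self, user: str) -> bytes:
        return self.blobs[user]


def sync_roundtrip(master_password: str, entries: dict, user: str = "alice") -> dict:
    """Device A seals and pushes; device B pulls and opens with the same master password."""
    server = SyncServer()
    server.push(user, seal_vault(master_password, entries))
    return open_vault(master_password, server.pull(user))


if __name__ == "__main__":
    # Constructed sample vault for the demo.
    demo = {"example.com": {"user": "alice", "password": "correct horse battery staple"}}
    print(sync_roundtrip("a long master passphrase", demo))
```

The property worth noticing is that losing the server (outage, terms change, breach) costs you nothing but availability of the latest copy, and losing a device costs you nothing as long as the server or another device still has a blob: the master password is the only thing that must be remembered, and it is never sent anywhere.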
For practical purposes if you tell people to forgo password managers you are just implicitly suggesting they pick bad passwords or write them down or constantly harass support when they forget for the 10th time. Don't let perfect be the enemy of good.
The points of failure are either a single person manually remembering insecure passwords or a password manager storing highly secure passwords in encrypted storage with multiple factors of authentication. There is no increase or decrease in points of failure, and in both cases, the password reset mechanism still exists.
I also feel like this about them, but I don't really have much knowledge on the subject. Do you have any experience or references that this might be the case?
The concept of requiring a special string to gain access to an account is massively dated, whether that string is something a human has memorised or random output from a password manager. Either the database of special strings lives in your brain, a notebook, a bit of paper, or encrypted on disk somewhere, but it's still a database of special strings.
Public key crypto never took off for account management and neither did Persona, but the current iteration with passkeys/Webauthn should hopefully be a fresh step in the right direction there.
> The concept of requiring a special string to gain access to an account is massively dated, whether that string is something a human has memorised or random output from a password manager.
I disagree.
Any system, whether computerised or not, needs two pieces of information to authenticate a person - something the person has (identification), and something the person knows (authentication).
You cannot simply rely on something the person has; that thing can be stolen and used by someone else.
If you have a reasonable replacement for "something the person knows", I'd love to hear it.
I don't think they actually have to come up with a replacement for "something the person knows," they just need to prove it's already not there to be replaced. With password managers, the password becomes more like something the person has anyway.
> I don't think they actually have to come up with a replacement for "something the person knows," they just need to prove it's already not there to be replaced.
I don't know what this means.
Once you've identified a person, you still have to authenticate that they aren't masquerading as someone else. The replacement I asked for is not "how do I identify who I am talking to", it's for "Right, now that I've identified them, how do I verify that it really is *them*."
If you want to do away with passwords, tokens are no replacement.
> With password managers, the password becomes more like something the person has anyway.
Maybe. The user still has to both identify and authenticate themselves to the password manager, so you can count access to the password manager as a "something they know" anyway.
You responded to this after your second quotation, I effectively said the same thing twice in different ways to make my point. Hopefully you understand it now. To be fair, it's a somewhat complicated sentence, took me a while to put that thought into words.
> so you can give access to the password manager as a "something they know" anyway.
Mostly true. Ignoring password manager breaches, as that hurts your argument a little. Security researchers are currently of the opinion that the last LastPass security breach leaked people's encrypted password vaults, which people have somehow managed to decrypt since then. In that case, the password was something the attacker had, not something they had to know. But I think I mostly agree that access to the password manager can at least (mostly) be seen as something they know.
The association is email address to user, so some services don't even use passwords anymore. Create the user session for that current browser, and then email a time-limited login link to login.
You can choose to substitute length for randomness. A long enough random sentence works quite well.
The hard bit is generating random sentences. I suppose you could use GPT to generate a sensible but random sentence, or just go old school and pick words from a large list and make a sentence with them.
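The "pick words from a large list" approach above is worth quantifying, because the strength depends only on the list size and the word count, and only if the picks are uniformly random rather than chosen by a person. The following is an added example, not the commenter's code: it draws words with the `secrets` module and computes the entropy and the average offline guessing time for an attacker who knows the wordlist. The 16-word toy list is constructed for the demo (real lists such as the EFF long list have 7776 entries, which is what the entropy figures in the test use), and the guess rate of 10^10 per second is an assumed fast-hash offline figure.

```python
import math
import secrets

# Constructed toy wordlist for the demo; a real list is thousands of words long.
TOY_WORDLIST = [
    "correct", "horse", "battery", "staple", "apple", "river", "glass", "north",
    "candle", "orbit", "pepper", "window", "tiger", "velvet", "rocket", "meadow",
]


def random_passphrase(words: list[str], count: int, choose=secrets.choice) -> list[str]:
    """Pick `count` words uniformly and independently (with replacement).

    Uniform, independent picks are what make entropy_bits() below valid; a
    'sensible sentence' a human edits afterwards is no longer uniform.
    """
    return [choose(words) for _ in range(count)]


def entropy_bits(wordlist_size: int, count: int) -> float:
    """Entropy of `count` uniform picks from a list of `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average time for an attacker who knows the wordlist and tries every combination.

    On average half the keyspace is searched, hence 2 ** (bits - 1).
    """
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 86_400)


if __name__ == "__main__":
    print(" ".join(random_passphrase(TOY_WORDLIST, 4)))
    for n in (2, 4, 6):
        bits = entropy_bits(7776, n)
        print(f"{n} words from 7776: {bits:.1f} bits, "
              f"~{expected_crack_years(bits, 1e10):.3g} years at 1e10 guesses/s")
```

The numbers are the useful part: four words from a 7776-word list is about 52 bits, which an offline attacker against a fast unsalted hash clears in days; six words is about 78 bits and takes hundreds of thousands of years at the same rate. Against an online login with rate limiting, or a properly stretched hash, the same four words are far harder, which is why the answer to "is four enough?" depends on where the guessing happens.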
Dictionary attacks? I know any two words isn't strong enough. Four seems little better.
Besides, this only gives you one good password anyway. You won't remember five unique passwords constructed that way, and if you have fewer than 80 passwords that you need to all be unique, I'd be shocked. Even AOL grandmas have several dozen accounts somewhere.
It's just bad advice, no matter how much of an xkcd fetish you have.
Set a limit, you get one password reset email per day/successful password reset. If you try to do it again you are instructed to look for the email that had already been sent.
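The two throttling ideas in this thread (the Instagram comment near the top: a "snooze for 30 days" button with an override when the requesting device ID recently logged in to the account; and the comment directly above: one reset e-mail per day until a successful reset) fit together into one small policy. The code below is an added example, not the commenter's or Instagram's code; the day/30-day windows, the device-ID lookup, the in-memory dictionaries and the injectable clock are assumptions for the illustration.

```python
import time

DAY = 86_400
RESET_EMAIL_INTERVAL = 1 * DAY      # assumed: at most one reset e-mail per day
SNOOZE_DURATION = 30 * DAY          # assumed: what the "snooze for 30 days" button sets
RECENT_LOGIN_WINDOW = 30 * DAY      # assumed: how recent a login must be to bypass throttling


class ResetEmailPolicy:
    """Decides whether a password-reset request results in an e-mail being sent.

    The HTTP response shown to the requester must be the same generic message
    in every branch, so the decision cannot be used to probe whether an account
    exists, is snoozed, or has already been targeted; the return value here is
    internal and only controls the mail queue.
    """

    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.last_sent: dict[str, float] = {}        # account -> last reset e-mail time
        self.snoozed_until: dict[str, float] = {}    # account -> snooze expiry
        self.recent_logins: dict[str, dict[str, float]] = {}   # account -> {device_id: login time}

    def record_login(self, account: str, device_id: str) -> None:
        self.recent_logins.setdefault(account, {})[device_id] = self.clock()

    def snooze(self, account: str) -> None:
        """Called when the account owner clicks the snooze link in a reset e-mail."""
        self.snoozed_until[account] = self.clock() + SNOOZE_DURATION

    def password_reset_completed(self, account: str) -> None:
        """A successful reset clears the daily counter so a second reset is not blocked."""
        self.last_sent.pop(account, None)

    def decide(self, account: str, device_id: str) -> str:
        now = self.clock()
        # Override: a device that recently logged in to this account is almost
        # certainly the owner, so it bypasses both the snooze and the daily cap.
        last_login = self.recent_logins.get(account, {}).get(device_id)
        if last_login is not None and now - last_login <= RECENT_LOGIN_WINDOW:
            self.last_sent[account] = now
            return "send"
        if self.snoozed_until.get(account, 0.0) > now:
            return "suppress:snoozed"
        last = self.last_sent.get(account)
        if last is not None and now - last < RESET_EMAIL_INTERVAL:
            # The UI tells the requester to look for the e-mail already sent.
            return "suppress:already-sent"
        self.last_sent[account] = now
        return "send"


if __name__ == "__main__":
    policy = ResetEmailPolicy()
    print(policy.decide("celeb", "stranger-device-1"))   # send
    print(policy.decide("celeb", "stranger-device-2"))   # suppress:already-sent
```

The trade-off the Instagram comment describes is visible in the last branch: a snoozed or already-mailed account owner who genuinely forgot their password and is on an unfamiliar device gets nothing new, which is why the override on a recently-logged-in device matters, and why the snooze is an opt-in by the owner rather than something the service applies on its own.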
Greylisting is really a rare configuration choice in modern times and has always been a "results may vary" sort of deal. Personally I wouldn't factor those users into my considerations.
I do password resets for clients fairly routinely. I run into greylisting behavior about two dozen times a year. Often happens in spurts.
Just last week I ran into greylisting a bunch of times, while testing a new mail server against gmail accounts. Same thing two weeks prior for a diff server. This is with SPF, DKIM and DMARC setup. Corp and personal gmail accounts - no rhyme or reason to when it happens.
That might not be greylisting like I'm thinking of, Gmail has its own secret process but in my experience they accept the message and decide if they want to deliver it or not later.
If you don't have a ton of users you don't have the "celebrities getting hit thousands of times with password reset requests" problem, and if you do have tons of users, your higher volume of transactional emails makes Gmail trust you more so your issue is much less likely to happen.