Email is not accessible without a password - Office 365, which also has a 30-day password reset policy.
via Windows desktop which is not accessible without a password, again which has a password reset policy.
So there you have at least three passwords, which are changed regularly, I suspect a lot of people will struggle and resort to cheating one way or another. Do the three passwords have to be different, are there checks between the systems to enforce this? I could probably come up with a system to remember them if I had to, but may still rely on a cryptic clue somewhere.
I assume you remember your PC/laptop login as you can't set that to save and log you in automatically, although in a home environment you can set it to have no password!
All PCs have passwords, except two media centre PCs used for watching TV and nothing else, although they do actually have passwords but are set to auto sign in to the media PC standard user account. Yes I do remember my password for Windows, also my immediate family's passwords for their user accounts as I administer the home network, my server's password, my home password manager, my works password manager, the works admin account password, various pins for alarms, cash machines, pin for my phone, pin protected apps on my phone, several online banking sites (not in password manager), there is a very long list when I think about it. I have entered various passwords this morning setting up a more secure router at work and wi-fi networks, but I can't remember exactly what they are.
The reason I asked about your trust in the password manager was simply a case of how do you know they are better at it than you? It's a faceless business you most likely know nothing about? It only takes one of these password manager companies being compromised and they have all your user account details (and don't say it'll never happen).
They are better than me because previously I used to use a selection of relatively weak passwords, but over the years it became apparent that if one site was hacked that password and details could be used elsewhere, so I started using a password manager. Also articles I've read from security experts have reinforced my view that this is more secure and a better user experience than trying to remember them all, there will always be attack vectors but like everything in life it comes down to compromises.
Someone I know has a system where they write a cryptic clue in a password protected document, that cryptic clue references a particular printed book so they can look up their passwords. This approach is all well and good until they need a password and don't have access to both items.
The bit in red bold in the quote above tells me you don't understand how password managers work, so you'll find the second link below enlightening. Mind you they could still be compromised, I suppose it would take the end user's software to be compromised and then send the password database to the hackers.
https://happygeek.com/?page_id=33
https://www.alphr.com/features/380377/password-managers-are-they-safe-which-is-the-best Quite an old article from 2013, but an interesting read
https://www.forbes.com/sites/daveywinder/2019/02/05/google-reveals-a-big-problem-with-passwords-on-safer-internet-day/#331feb2e5e0b
https://itsecuritything.com/world-password-day-wont-solve-the-numbnuts-user-problem/
I recently spoke to someone that used the same password for everything, I frightened the life out of them by showing them their email address was on
https://haveibeenpwned.com/ and that meant quite possibly their password was on a dictionary list somewhere. Hopefully they are now changing them and using a password manager.
It's the same as all the people that assume that just because they are using a third party VPN that they are safe, they know nothing about the VPN companies and what they are doing with their data.
Yes appreciate that, but I'm not even sure that they assume, they just don't know any better, most will be oblivious to websites being hacked etc. I have a VPN back to my home, so if on a connection I don't trust I just turn my device's VPN on and I know my connection is secure, well in as much as I trust my hardware and my home ISP, there's those compromises again.
It's an interesting debate to have though.
It is indeed, it does make you think.
2FA isn't really a viable option as it requires the end-user to have a mobile to get the code, which they aren't permitted to have on their person whilst in the office, and even if they did it would be tying a business account to a personal mobile.
Appreciate the difficulties security causes for both sides (employees and employers), but employees will cheat the system to make life easier, ultimately what it needs is reliable biometric authentication. I say reliable because my fingerprint doesn't always unlock my phone - if I've been doing physical work then the fingerprint is harder to recognise.
Do the employees have no pens, handbags, wallets etc?