Challenge-based MFA applications are more secure than push-notification-based MFA.
A careless admin might easily tap the Approve button on push-notification-based MFA, whereas a challenge requires the user to know the number to be submitted. Since s/he doesn't know it (because someone else triggered the MFA), the challenge-response can't be completed and the account cannot be accessed.
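The difference the post describes, as an added simulation that is not part of the thread: a push prompt is completed by any Approve tap, whereas a number-matching challenge can only be completed by someone who sees the number on the login screen. This is constructed illustration code; the `PushMFA` and `NumberMatchMFA` classes, the two-digit challenge and the user name are assumptions, not any real authenticator's implementation.

```python
"""Constructed simulation (added example, not from the thread) of why a
number-matching challenge resists blind approval better than a push prompt."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class PushMFA:
    """Push prompt: the device only offers Approve / Deny."""
    pending: Dict[str, str] = field(default_factory=dict)

    def start_login(self, user: str) -> str:
        session = secrets.token_hex(8)
        self.pending[session] = user          # prompt is pushed to the user's phone
        return session

    def approve(self, session: str) -> bool:
        # Whoever taps Approve completes the login; the device cannot tell a
        # login the user started from one somebody else started.
        return self.pending.pop(session, None) is not None


@dataclass
class NumberMatchMFA:
    """Challenge prompt: the login screen shows a number; the phone must echo it."""
    rng: Callable[[int], int] = secrets.randbelow    # injectable for deterministic tests
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def start_login(self, user: str) -> Tuple[str, str]:
        session = secrets.token_hex(8)
        challenge = f"{self.rng(100):02d}"            # two-digit number, shown on the login screen only
        self.pending[session] = (user, challenge)
        return session, challenge

    def approve(self, session: str, entered: str) -> bool:
        record = self.pending.get(session)
        if record is None:
            return False                              # unknown or already-consumed session
        _, expected = record
        if not hmac.compare_digest(entered.encode(), expected.encode()):
            return False                              # wrong number; session stays pending (rate-limit this in practice)
        del self.pending[session]                     # one-shot: consumed on success
        return True


def careless_push_approval() -> bool:
    """Someone else starts a login; the user taps Approve without thinking."""
    mfa = PushMFA()
    session = mfa.start_login("alice")
    return mfa.approve(session)                       # True: the login completes


def legitimate_number_match(mfa: NumberMatchMFA) -> bool:
    """The user starts the login, reads the number off their own screen and enters it."""
    session, challenge = mfa.start_login("alice")
    return mfa.approve(session, challenge)


def foreign_triggered_number_match(mfa: NumberMatchMFA, user_entry: str) -> bool:
    """Someone else starts the login; the number appears on that person's screen,
    so the real user can only enter a blind guess (`user_entry`)."""
    session, _challenge = mfa.start_login("alice")
    return mfa.approve(session, user_entry)


if __name__ == "__main__":
    print("push, careless tap:", careless_push_approval())
    mfa = NumberMatchMFA()
    print("number match, legitimate:", legitimate_number_match(mfa))
    print("number match, foreign-triggered, blind guess:",
          foreign_triggered_number_match(mfa, "00"))
```

A blind guess still has a 1-in-100 chance per prompt with a two-digit challenge, so the scheme should be paired with a small wrong-entry limit per session and alerting on repeated unexpected prompts; the `rng` parameter exists only so the behaviour can be checked deterministically.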
By me at Forbes: No need to panic, and using a password manager is better than not in most use cases, but this AutoSpill vulnerability can expose credentials from PMs…
What I would be interested in is whether @bitwarden and KeepassDX are also affected, since they are among the most used and secure password managers on Android; sad to see that they were excluded from the testing.
A number of popular mobile password managers are inadvertently spilling user credentials due to a #vulnerability in the autofill functionality of #Android apps #privacy
⚠️ 23andMe just sent out an email trying to trick customers into accepting a TOS change that will prevent you from suing them after they literally lost your genome to thieves.
Do what it says in the email and email arbitrationoptout@23andme.com that you do not agree with the new terms of service and opt out of arbitration.
If you have an account with them, do this right now.
@dko @thomasfuchs @pjohanneson same reason your bank is still using sms for 2fa. people get upset if you force them to do it the right way. and they get outraged if you don’t. This would be the perfect setup for #GWAS on #password and #2fa hygiene
Most overused passwords in the world — make sure yours isn’t on the list
Of the world’s 20 most common passwords, 17 can be cracked in less than a second, so think twice before you decide to key in “123456” or the even more creative “password” to secure your online accounts.
I've been screaming this for years. Service providers that provide authentication should do these two things at a minimum:
Require at least 12 characters.
Use ZXCVBN to estimate password strength and require a score of 4.
Interestingly enough, if you do those two things, you don't need stupid password complexity requirements, and you don't need a blacklist, as 12+ characters with a ZXCVBN score of 4 won't show up in password database breaches.
@atoponce #BBVA #bank in #Italy has a 6-char MAX alphanumeric-only #password. Which is stored in #plaintext since they’ll ask for characters of your password when calling them via phone. And of course there’s no #2fa for login
I’ve seen an announcement for improved security somewhere but it’s still like I’ve described at the time of writing 🤡
But there's a problem: if for some reason you can no longer generate OTP codes for two-step verification, you will no longer be able to log in and we won't be able to help you.
So always make an encrypted backup of all your data and use a cross-platform #OTP app that can be installed on several devices, such as #Authy.
If you use others, recommend them in the comments, thanks 🙏
As a native English speaker living in a country where English is the official and primary language, I am naive to #password generators in other countries and languages.
In countries where English is not the official primary language, what characters are used when generating #passwords?
For example in English, the 94 graphical ASCII characters are used in every password generator I've seen for English speakers.
Note: I'm not interested in passphrases built from word lists.
It's almost a year since I gave up on trusting cloud #password vault providers and moved back to a local KeepassXC (with LOCKSS backup strats). Very happy with that decision. #infosec
At some point you hit diminishing returns. Once you get past the output size of any likely #password hashing you don't get any real-world security increase. E.g. Argon2 will typically be used with a 256-bit output https://www.rfc-editor.org/rfc/rfc9106.html#name-parameter-choice but can be used with longer outputs.