The funny part about the removal of networking from the default #keepassxc package on #debian, is that they did it for "security" reasons, without thinking that the MOST INSECURE way to transfer a #password to your #browser is via the CLIPBOARD. Absolutely every running app or service can read the clipboard! And yet, that's the default way they expect users to do it now!
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
The funniest part is that no matter how many security factors we use to replace passwords (two factor auth, passkeys, security keys, etc) there's always a backup that's just another password.
Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor sytem, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
🔒It's World Password Day and we'd like to remind you that a good password is like a good joke – not too short, not too obvious, and definitely not something you've told your friends, family, or everyone at the office!
Google has kicked off World Password Day by announcing that over 400 million users have used passkeys since the tech giant rolled them out, logging over one billion authentications between them.
Passkeys rely on device-based authentication, often using a fingerprint scanner or face recognition, which makes logging in faster and more secure. Despite this, our passwordless future still feels some way off — @theverge considers why.
@firstyear , the author of webauthn-rs, on #passkeys (I don't agree with everything in the article):
»starting to agree - a password manager gives a better experience than passkeys.[…]
Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your #passwords and manage them. If you really want passkeys, put them in a password #manager you control. But don't use a platform controlled passkey store, and be very careful with security keys.«
"#Apple Keychain has personally wiped out all my #Passkeys on three separate occasions. There are external reports we have received of other users who's #Keychain Passkeys have been wiped just like mine."
"At this point I think that Passkeys will fail in the hands of the general consumer population."
My conclusion would be different though. Instead of going back to classic #passwords, I recommend using #FIDO2 hardware tokens wherever you can as 2nd factor.
LastPass users targeted in phishing attacks good enough to trick even the savvy
Password-manager LastPass users were recently targeted by a convincing phishing campaign that used a combination of email, SMS, and voice calls to trick targets into divulging their master passwords
I really made a mess...
Because I tried to disable the Linux keyring, I deleted something that made web browsers unable to save the logins/passwords, so I have to log in every time I go in.
Me stupid... #Linux#Vivaldi#Browsers#Internet#passwords#Mints
How to design the most user-hostile password field, inspired by my router.
Do not allow pasting into the password field
Whenever a user presses backspace once clear the password field
Have your password requirements such that the password is not memorable. Goes without saying - don't allow passphrases.
Now your user will set a weak but memorable, highly reused password. From your user's perspective, your system is about as secure as some other system whose #passwords got leaked.
Why one of (Microsoft's) security question for account recover,
is one or more old passwords??
If I changed my password, I want there to be no trace of it.
It could have been leaked, guessed, I told it to someone I don't trust.
It doesn't make much sense of them to keep the old passwords.