this post was submitted on 28 Aug 2024
96 points (90.0% liked)

Cybersecurity - Memes

1975 readers
2 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
 

Sadly, the support for passkeys is still lacking.

you are viewing a single comment's thread
view the rest of the comments
[–] JohnDClay@sh.itjust.works 7 points 2 months ago (3 children)

If you can remember all your passphrases, is randomly generated enough of a benefit to justify having a centralized vulnerability?

[–] GenderNeutralBro@lemmy.sdf.org 10 points 2 months ago (1 children)

I couldn't possibly remember all my passphrases unless I reused them everywhere, which would leave me with an arbitrary number of centralized vulnerabilities, under the responsibility of people who don't give a shit.

[–] JohnDClay@sh.itjust.works 1 points 2 months ago (1 children)

Like storing them in planetext? If they're not, I wouldn't think similarities in part of the input would lead to a vulnerability.

[–] GenderNeutralBro@lemmy.sdf.org 2 points 2 months ago

Sure, why not?

Passwords have been leaked from many companies you'd expect to have decent security policies. I have no visibility into that, so I would not assume competence across an arbitrary number of sites. God only knows how many of the services I use store my password in plaintext, or improperly hashed.

[–] calcopiritus@lemmy.world 2 points 2 months ago

I don't know how many accounts an average internet user has, but I'm pretty sure it's well above the human's memory capabilities. Assuming this is true, there are 4 scenarios:

  1. You use the same password everywhere, so any service leaking it means it's leaked for every other one.

  2. You use different passwords every time, so you have to have a centralized vulnerability where you store them all.

  3. You memorize some, and the rest do the same as 2.

  4. Like 1. Except you memorize more than 1 password.

  5. Is the least secure but the easiest.

  6. Has the centralized vulnerability problem.

Assuming that in 3. You don't store the most critical passwords (email, banking, etc.) it's the most secure. But requires a lot of care and memory. And also has the highest penalty if you forget a password.

  1. Is just 3. But worse (but don't need to check the password storage).

So instead of comparing 2. To 5. (5. Being a magical scenario where you can remember all your passwords that are different from each other). We should compare 2. to 3. (Or 4. Instead of 3. If you really don't want a password storage).

  1. Is massively more convenient than 3. The only advantage of 3. In convenience is that you don't need to have a password storage for some passwords. Which I don't think it's comparable to having to remember passwords.

The only security benefit of 3. Over 2. Is that your critical accounts are safe if that password storage is breached.

How likely is it to be breached though? If you are serious about security you should be using an actual password manager, which is focused on security. The only way to get passwords out of it should be to put in the master password, which should be impossible if the master password is good enough (which you can afford since you only need to remember one password). Additionally, you can use multiple factors, which might not be available on normal websites.

The only moment really where a password can be intercepted is while it is in your clipboard. Which is why TikTok reading the user's clipboard without consent should be taken way more seriously than it had been.

Of course every method fails with the wrench to the head technique (insert xkcd here).

[–] brossman@infosec.pub 2 points 2 months ago

in that case, the password manager is just a (hopefully offline) backup. still a good idea imo.