111
top 50 comments
sorted by: hot top controversial new old
[-] frauddogg@lemmygrad.ml 40 points 11 months ago* (last edited 11 months ago)

Didn't Okta just straight up get all their customer data hoovered up by hacker squad

[-] CannotSleep420@lemmygrad.ml 19 points 11 months ago

My employer uses Okta for SSO lul

[-] frauddogg@lemmygrad.ml 8 points 11 months ago
load more comments (1 replies)
[-] CarbonScored@hexbear.net 37 points 11 months ago* (last edited 11 months ago)

Every 'passwordless' solution to passwords always ends up being the informational equivalent of 'passwords, but the method is changed'. Biometrics are just a once-in-a-lifetime password that's entered differently, password managers are just all your passwords, but behind one big password.

Even 2FA is just "password you know" and "password your device knows".

Not saying these solutions don't have value, but to say passwords are outdated is a bit silly.

load more comments (2 replies)
[-] nat_turner_overdrive@hexbear.net 33 points 11 months ago

Guy who thinks passwords are outdated, setting a new password for his bank app: Hmm, how about Christmas123!, just like all my other logins so I don't have to worry about forgetting it!

[-] zifnab25@hexbear.net 11 points 11 months ago

A fundamental problem with passwords is that you either have a "secure" selection of large, distinct, constantly rotating codes that you have to keep track of on paper/in an app (insecure!) or a single memorable code that - once it is cracked - exposes all affiliated systems (insecure!)

There's a serious argument to the effect that a physical id tied to a digitally managed rotating set of large arcane codes is at least as secure as the paper/app-based list of hard codes. The big problem with this technology is that it requires a more complex hardware interface with more attendant IT support. So you're talking about $$$ that people don't want to spend for additional technical security.

Two-factor authentication is cheaper and easier than biometrics. So we've settled on that instead.

[-] Des@hexbear.net 10 points 11 months ago

just like how every one of my work passwords that i never set but just came with the IT gear i use is "season two digit number"

[-] Thordros@hexbear.net 31 points 11 months ago

I simply use the fingerprint scanner with my balls. They'd never think to check there.

[-] AernaLingus@hexbear.net 13 points 11 months ago

CW: pretty gross even by my standardsI use my butthole and make sure to get a new hemorrhoid every 120 days to reduce my vulnerability to butthole database leaks

[-] Thordros@hexbear.net 8 points 11 months ago

If they do think to check there, I'd see that as a net win.

[-] jack@hexbear.net 29 points 11 months ago

fingerprints, face scanning... my OnePlus just keeps asking for pics of my asshole before I can unlock it. Is this just a China thing?

[-] LaGG_3@hexbear.net 17 points 11 months ago

It's like a thumbprint, but more secure because you don't typically rub it on every surface. very-smart

[-] jack@hexbear.net 19 points 11 months ago

you don't typically rub it on every surface

I don't think you're using your asshole right

[-] sovietknuckles@hexbear.net 16 points 11 months ago* (last edited 11 months ago)

As a fellow OnePlus haver, I have LineageOS (which is privacy-focused) installed and am not asked for pics of my asshole

[-] President_Obama@hexbear.net 26 points 11 months ago

I also use lineageos but still send them pictures of my asshole since I don't want them to feel left out

I tip my landlord in butthole pics (he does not like them)

[-] zifnab25@hexbear.net 11 points 11 months ago

Please drink the Diet Mountain Dew Verification Can.

[-] Wertheimer@hexbear.net 27 points 11 months ago

I was talking to a schoolteacher the other day who was getting re-fingerprinted for the Nth time. Their last fingerprinting was two years ago. Same job, same county, etc. Everyone was justifying it because of "privacy." But, like, it's all going to the same database, where the same people have access. Are they destroying the records every two years (doubt ), or did the authorities just forget their own passwords?

[-] 7bicycles@hexbear.net 27 points 11 months ago

If you get into the reaaaaaaaaaaaal nitty gritty of security regarding biometric factors shit turns real weird eventually. Like "How do we know that fingerprint is still attached to a living person?" type stuff.

I'd be sure as hell this isn't what happened here, just sort of a fun fact. Also why I think thinking biometric factors as safe is fucking insane, exactly because they're fairly immuteable. You get one data leak on your fingerprint-security-database and now you can never use that shit again if you're taking it seriously. And if you don't expect nation-state-level actors as a threat vector, why the fuck are you taking fingerprints?

It's mostly just technologically illiterate people falling for it imo

[-] Frank@hexbear.net 11 points 11 months ago

Mmm.

I should go print a silicon printer that can make fake fingers based on, idk, someone's fabvorite ice cream flavor or something. Really hasten the slide in to the security abyss.

Either way, I still use passwords for everything, and every password is unique. Biometrics my right tit they don't even have t beat that out of you, then can just cut something off. At least with the password manager it has to either have a vulnerability or they need access to state-level legal muscle to force the people who designed it to open the lock. Plus if one password gets compromized nothing else is unless it's the master, and even with the master they still need access to the password locker to do anything with it.

[-] 7bicycles@hexbear.net 14 points 11 months ago

I should go print a silicon printer that can make fake fingers based on, idk, someone's fabvorite ice cream flavor or something. Really hasten the slide in to the security abyss.

Pretty much everytime you look into this type of stuff "good print of fingerprint" does the job just fine, you don't even have to get that fancy with it.

Biometric security is better understood as a convenience product.

load more comments (3 replies)
[-] 4zi@hexbear.net 11 points 11 months ago

I’ve asked the county clerk this once when I had to get my fingerprints done just because I was working in a different building 3 blocks away, but basically every time you renew certain trainings or certificates it’s required regardless of how many times you’ve done it before

[-] Wertheimer@hexbear.net 11 points 11 months ago

I did some googling and this was the best explanation I could find. (Most everything else was just "because that's the requirement.")

Maybe I'm too paranoid but I still think the feds would figure out how to fuck with me, if they wanted to, based on the prints I had taken for a job I held >10 years ago.

[-] 4zi@hexbear.net 9 points 11 months ago

That would require the labyrinthine hostile intermingling of state and federal bureaucracies to work together, so you’re probably fine thumb-cop

[-] 7bicycles@hexbear.net 9 points 11 months ago

I feel like this is a very Chief Wiggum moment in the sense that it wouldn't help to prove you got your bike stolen but it would help to pinpoint you at the scene of some crime

[-] sovietknuckles@hexbear.net 26 points 11 months ago* (last edited 11 months ago)

"The way forward" and not "more secure" because cops usually don't need a warrant to use your own biometrics to unlock your phone

[-] save_vs_death@hexbear.net 25 points 11 months ago

Passwords are outdated in the sense that the current best practice is to use a password manager that automatically generates a unique high entropy password (read: completely garbled mess no human would ever remember) for every website or service you use. Most of the replacement for them, however, are less secure garbage that can easily be obtained either through social engineering or by the authorities, so you know.

[-] envis10n@hexbear.net 15 points 11 months ago

Even then, you're better off with a passphrase as they are longer, easier to remember, and are harder to brute force. It's like a dictionary resistant password.

[-] YearOfTheCommieDesktop@hexbear.net 13 points 11 months ago* (last edited 11 months ago)

depending on what you mean by passphrase, "dictionary resistant" is kind of the opposite of how I'd describe them. Sure they'll be long and unique but an english language dictionary will surely make bruteforcing them a lot easier

[-] Dolores@hexbear.net 12 points 11 months ago

multiple language passphrase and proper nouns tito-laugh

[-] jack@hexbear.net 10 points 11 months ago

that's why you use pig latin

[-] YearOfTheCommieDesktop@hexbear.net 12 points 11 months ago

I'll stick with 1337 5P33K

[-] 7bicycles@hexbear.net 8 points 11 months ago

that's very common, widely understood and easy to replicate, i.e., not that great

make up your own 1337 5p33k with 3 characters changed

[-] RyanGosling@hexbear.net 11 points 11 months ago

I simply become the zodiac and convert my pass phrase to a cipher

load more comments (1 replies)
[-] Frank@hexbear.net 7 points 11 months ago

From what I understand it doesn't help at all. I'm not a crypto (cool crypto, not fake banking) guy but from what I know passphrases generate much entropy. That said, I stick with passwords that are easier to enter, but still pretty high entropy

load more comments (1 replies)
[-] Clicheguevara@hexbear.net 11 points 11 months ago

The absolute best practice is to add random spaces that don't correspond to syllables. A 10 character password can go from taking a few seconds to crack to several hundred years with a few well placed spaces.

That said, there are databases out there that don't like spaces, and for some reason lots of financial institutions are this way.

[-] envis10n@hexbear.net 10 points 11 months ago

I just hate fucking sites that tell me it has to be under 16 characters. Like wtf

load more comments (1 replies)
[-] Sphere@hexbear.net 10 points 11 months ago* (last edited 11 months ago)

A randomly-generated password can be a lot shorter than an equivalent-strength passphrase, actually:

If you have a dictionary with 25,000 words in it, and you randomly select 5 of them, your passphrase will have a strength of about 73 bits of entropy, which is decent (but actually less than the NIST recommendation of 80 bits, as it happens; to get there, you'd need 6 words).

A similar-strength randomly-generated password consisting of letters (upper- and lower-case), numbers, and a selection of 10 possible symbol characters (so, a total spread of 26 + 26 + 10 + 10 = 72 possible characters) would only need to be 12 characters long (and would have a strength of about 74 bits of entropy--13 characters would top 80 bits).

The passphrase would take over 300 years to brute-force at 1 trillion guesses per second, but the extra bit of entropy in the 12-character password means it would take 600 years to guess that one at the same rate.

load more comments (5 replies)
[-] 4am@lemm.ee 8 points 11 months ago

That’s why stuff like webauthn is better; if we’re going to maintain a list of garbled text, let’s make it secure one-way encrypted keys instead, which are way stronger.

You’re still only as secure as your password manager, but no one’s gonna decrypt your private key from a stolen database of public keys unless some really monumental exploit is discovered - and if that happens we’ve got MUCH bigger problems.

[-] combat_brandonism@hexbear.net 23 points 11 months ago

Yes I love getting an email every single time I log in to a website. Great UX, nothing obnoxious about it.

[-] D61@hexbear.net 16 points 11 months ago

Me just sitting here installing a pin tumbler lock on my computer that I need to turn every time I want to log in to a website

[-] Ciel@lemmygrad.ml 15 points 11 months ago

ummm have they heard of 'passkeys'? like that thing that solves all these issues without any biometrics and personal information and cant be stolen as easily? like one login on a malicious device, and boom all your biometric data is now in the hand of the attacker. physical passkeys? good luck compromising that lol

also yes, this is obviously so cops can get to into your stuff and company's can collect your biometric data

[-] YearOfTheCommieDesktop@hexbear.net 9 points 11 months ago* (last edited 11 months ago)

to be fair the way most fingerprint scanners are implemented it isn't possible to extract the actual fingerprint (that I know of). but with a malicious device I guess they probably could procure a different type of scanner

Agreed tho I will stick with a master password I know and a hardware token that I have, probably until I die, unless something way better comes out that doesn't allow legal compulsion

load more comments (2 replies)
[-] chickentendrils@hexbear.net 13 points 11 months ago

There's plenty of valid "password less" auth that would be great to have. SQRL by GRC is pretty much perfect, just needs adoption. Physical tokens and such are also very secure.

[-] Ericthescruffy@hexbear.net 9 points 11 months ago

Passwords are fine with two factor authentication right? Like I have two factor authentication on my phone for pretty much everything either through text or a full on authenticator app.

load more comments (4 replies)
[-] Evilphd666@hexbear.net 7 points 11 months ago

My password is post-hog

load more comments
view more: next ›
this post was submitted on 04 Dec 2023
111 points (100.0% liked)

the_dunk_tank

15911 readers
613 users here now

It's the dunk tank.

This is where you come to post big-brained hot takes by chuds, libs, or even fellow leftists, and tear them to itty-bitty pieces with precision dunkstrikes.

Rule 1: All posts must include links to the subject matter, and no identifying information should be redacted.

Rule 2: If your source is a reactionary website, please use archive.is instead of linking directly.

Rule 3: No sectarianism.

Rule 4: TERF/SWERFs Not Welcome

Rule 5: No ableism of any kind (that includes stuff like libt*rd)

Rule 6: Do not post fellow hexbears.

Rule 7: Do not individually target other instances' admins or moderators.

Rule 8: The subject of a post cannot be low hanging fruit, that is comments/posts made by a private person that have low amount of upvotes/likes/views. Comments/Posts made on other instances that are accessible from hexbear are an exception to this. Posts that do not meet this requirement can be posted to !shitreactionariessay@lemmygrad.ml

Rule 9: if you post ironic rage bait im going to make a personal visit to your house to make sure you never make this mistake again

founded 4 years ago
MODERATORS