My solution to the problem @… mentions:
1. Make password the •only• login field. No username/email! Just password, and you’re in!
2. Because they now identify users, passwords must be unique across all users in a system.
3. For security reasons, require passwords to be unique across all sites on the entire Internet. A password can be used at most once in human history.
4. This renders account recovery impossible in many cases.
5. Over time, users are thus able to use fewer and fewer sites, eventually being forced offline altogether.
6. Success!
https://mastodon.social/@jwz/115776511391611416
100k most used passwords
These are the latest 100k most insecure used (hacked?) passwords. I wonder why at least a minimal regex, as a first hurdle that can stand in the way of attackers, apparently has not yet been widely implemented? Am I wrong, or are there reliable sources?
💥
So #Vanguard tries really hard to _disable_ any form of using a password manager to log into their site. Do they really believe that it is more secure for people to choose passwords that they can type?
I hate gut-feeling based security methods. Show me the data that this usability blocker has a measurable effect on security and that there aren't other options that don't have thes…
Passwords are a scourge foisted on elderly tech-users. :(
I just got back from a house call with a fellow who can’t remember his passwords for his email. None of his backups work. His little book of passwords, useless.
There is no support to call for help.
His only option is to create a new email and leave the other behind.
Over and over I have seen this trouble. Not always to this extent, but always the same frustration.
Passwords are elder abuse.
#techsupport #life #security
Oh. my. god. is :thunderbird: #Thunderbird's calendar broken. It keeps asking for passwords. And of course doesn't tell for which calendar 🤪. Apparently the only thing it can do is associate a base (!) url (not the full calendar url, no no no) to ONE user/password combination. You have a server with multiple accounts of which you want to access the calendars? No. You put the user@... i…
When I try to change my password, if you block paste I don't feel more secure; I wonder what other incompetence is hiding in your site's software stack.
And if you aren't letting me paste, _and_ you want annoying bullshit in my password, at least give me a button to let me see what the fuck I am typing.
Having a password length limit, especially one as low as 15 characters, just makes me think you're doing something fundamentally wrong like storing passwords in clear text and confirms my opinion that there's a ton of other incompetence in your software stack.
This all came up when I was trying to add the mysubaru app on my wife's phone.
And a HUGE fuck you for claiming I had the wrong password when I tried to log in with the one in my password manager, but when I did a password reset, not letting me use the one from my password manager because "You can't change it to your current password."
Oops, a known-insecure password yields an astonishingly high nine-digit number of hits:
> This password has been seen 179,863,340 times before in data breaches!
https://haveibeenpwned.com/Passwords
Google Safe Browsing has started blocking websites using #Mailcow for self-hosting email. Google calls them dangerous, and they're right: dangerous to their data-driven business model.
Yet most people still use #Google services. They talk about privacy, even attend
@…
So to reiterate this conversation:
You: Passkeys don't have problems A, B, C and D!
Me: Actually B is still a problem.
You: Yeah well, B is also a problem for passwords! And so is F and G!
Me: Yes, but B is still a problem.
You: But if I hacked the pentagon, then Z would also be a problem for passwords!
I'm not a…
The company you work for spends millions on cybersecurity. You set up protocols, firewalls, preventive measures... And then the new girl in the office writes down her work passwords on a sticky note stuck to her laptop.
If I were an IT security professional, I'd be in jail by now after strangling someone like that girl with a power cord.
So what's a good alternative to Firefox (I'm using it when I'm not on my Mac). I don't want their new "AI Window" stuff and I don't want to support it.
It has to work on Windows and an iOS version as well, and can sync passwords between those.
Please only suggest things you personally use and like.
I'm ruling out Chrome (spyware) and Brave (homophobic owner).
(Wish Apple would still make Safari for Windows.)
I understand it's fashionable to disable password login and instead force people to retrieve one-time passwords from their mailbox. This works better if you first verify that you can actually deliver #email to your users. (Totally random thought definitely not inspired by real events.)
»The Privacy Theater of Hashed PII:
A 2020 MacBook Air can hash every North American phone number in four hours«
Good article that clearly shows that hashing alone is not yet data-safe. That's where HMAC belongs, with SHA-2 at minimum, but also not for storing passwords and the like.
🤷 https://
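An added illustration of the point this post makes (example code, not from the linked article or this poster): unkeyed SHA-256 over phone numbers can be reversed by simply enumerating the small input space, whereas HMAC under a secret key cannot be reversed by the same enumeration. The phone numbers and the key are constructed sample values; the enumeration covers one area code and exchange (10,000 numbers) rather than the whole North American numbering plan.

```python
import hashlib
import hmac

# Constructed sample PII: digits-only North-American-format phone numbers.
SAMPLE_PHONES = ["2125550143", "4165550198", "3105550071"]


def sha256_hex(value: str) -> str:
    """Unkeyed hash, the 'pseudonymisation' the article shows is reversible."""
    return hashlib.sha256(value.encode()).hexdigest()


def hmac_hex(key: bytes, value: str) -> str:
    """Keyed hash: without the key the digest cannot be recomputed from guesses."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reverse_plain_hashes(targets, area_code: str, exchange: str) -> dict:
    """Enumerate all 10,000 line numbers of one area code + exchange and
    match the unkeyed SHA-256 of each against the target digests.
    Returns {digest: phone_number} for every hit. Ten digits of phone
    number is about 10^10 candidates in total, which is why hashing
    alone offers no protection for this kind of low-entropy PII."""
    wanted = set(targets)
    found = {}
    for line in range(10_000):
        candidate = f"{area_code}{exchange}{line:04d}"
        digest = sha256_hex(candidate)
        if digest in wanted:
            found[digest] = candidate
    return found


def demo() -> dict:
    """Compare the two schemes on the constructed sample set."""
    plain = {sha256_hex(p) for p in SAMPLE_PHONES}
    key = b"constructed-example-key"  # in practice: kept in a KMS/HSM, never with the data
    keyed = {hmac_hex(key, p) for p in SAMPLE_PHONES}
    return {
        # the sample number in 212-555 is recovered from its plain hash
        "plain_recovered": reverse_plain_hashes(plain, "212", "555"),
        # the same enumeration yields nothing against the keyed digests
        "keyed_recovered": reverse_plain_hashes(keyed, "212", "555"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the HMAC only helps while the key stays out of the dataset's reach; if the key is stored next to the digests, the table is as reversible as the plain one.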
@… hey, need a little help. I recently created an account on fedi.absturztau.be @…. I messed up my keepass databases and lost access to passwords. I haven't logged in to
#crypto has 3 pluralities, each with fewer security guarantees and more caveats:
1. encrypt-to-self (like passwords, data-at-rest)
2. encrypt-to-someone-else (like p2p messaging)
3. encrypt-to-a-group (group messaging)
and bonus 1 "encrypt"-to-everyone (plaintext) :)
Unclear to me why no one ever mentions Strongbox in #PasswordManager reviews. It is a perfectly fine PM for macOS/iOS/iPadOS that has a rich set of sync options, most of which don't involve any 2nd/3rd party storage. It stores its databases in KeePass2.x (kdbx v4) format, so it is data-compatible with the many variations of KeePass.
(I use it with SSH/SCP sync, so as long as I’m at…
"Your email and password has been pwned in this leak. You should change the affected password"
Thanks, according to my password manager, there are about 50 different passwords associated with services where I signed up using this particular email address.
(Yes I know, create unique plus addresses - except this somewhat geriatric service doesn't do plus addresses, and besides, not all websites accept them)
I wonder which one I actually need to change. If I n…
Data potentially accessed by the hack includes things like names, usernames, emails, and the last four digits of credit card numbers.
The unauthorized party also accessed a “small number” of images of government IDs from “users who had appealed an age determination.”
Full credit card numbers and passwords were not impacted by the breach, Discord says.
The company is notifying impacted users now over email.
If your ID might have been accessed, Discord will specify that.…
I can’t overstate how seriously fucked up Ruby Central is.
They’re responsible for one of the software industry’s major supply chains in the form of RubyGems.org.
And they’re admitting to not knowing who has access to the passwords for their systems and not knowing who has downloaded logs.
Homer Simpson is more competent than that.
This gets my goat a little bit:
"...discourage use of passwords due to the inherent security risks associated with them and the additional complexity associated with supporting usernames and passwords."
Yes, okay, I get it. I _do_ understand the risks associated with passwords. But is it _really_ dramatically more complex to store them than anything else? There are pretty great tools out there already to handle this case. Personally I think it ignores the risks associat…
#FreeSoftwareAdvent KeePassXC is the best password manager I've used.
Can create strong passwords, store TOTP data, organize all the keys in folders, add comments...
#NIST have issued updated #password guidelines for businesses. Interestingly they now say that requiring special characters is no longer a recommendation, but longer passwords / passphrases (using spaces) is a better idea.
I say "interesting" because that's something I've been doing for many years, long before I discovered password managers to remember things for me.
#infosec
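An added example serving both the "100k most used passwords" post above and this NIST post (example code, not from either poster and not NIST's own reference implementation): a legacy composition-rule policy beside a length-and-blocklist policy of the kind the post describes. The blocklist, the 8/64 length bounds and the case-folded comparison are assumptions of this example; a real deployment would load a full breached-password list.

```python
import re
import unicodedata
from typing import Tuple

# Constructed stand-in for a common/breached-password blocklist such as the
# "100k most used passwords" list mentioned in the feed (stored case-folded).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "p@ssw0rd1!", "letmein"}


def legacy_policy(pw: str) -> bool:
    """Old-style composition rules: 8-15 chars, upper + lower + digit +
    special character, no spaces. Rejects long passphrases outright."""
    return bool(
        8 <= len(pw) <= 15
        and re.search(r"[A-Z]", pw)
        and re.search(r"[a-z]", pw)
        and re.search(r"\d", pw)
        and re.search(r"[^\w\s]", pw)
        and " " not in pw
    )


def nist_style_policy(pw: str, min_len: int = 8, max_len: int = 64) -> Tuple[bool, str]:
    """Length-based policy as the post describes: no character-class
    requirements, spaces and long passphrases allowed, plus a check
    against a list of commonly used passwords. Returns (accepted, reason)."""
    pw = unicodedata.normalize("NFKC", pw)  # compare equivalent Unicode forms consistently
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:
        return False, "too long"
    if pw.casefold() in COMMON_PASSWORDS:
        return False, "on blocklist"
    return True, "ok"


def compare(pw: str) -> dict:
    """Show how the two policies treat the same candidate."""
    return {"legacy": legacy_policy(pw), "nist_style": nist_style_policy(pw)}


if __name__ == "__main__":
    # "P@ssw0rd1!" satisfies every composition rule yet is on the blocklist;
    # the passphrase fails the legacy rules (spaces, length) but is accepted here.
    for candidate in ("P@ssw0rd1!", "correct horse battery staple", "short1!"):
        print(repr(candidate), compare(candidate))
```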
IN THIS HOUSE, WE BELIEVE
- passwords should be random
- data should be backed up
- anonymity should be the default
- dishwashers don’t need wifi
- the drivetrain should be airgapped from the Internet