Post 9vUvazT5srL73QLdy4 by fallenhitokiri@infosec.exchange
       Post #9vUEghSTSfZQuDXBrs by leip4Ier@infosec.exchange
       2020-05-27T23:08:08Z
       
       0 likes, 0 repeats
       
       hot take: online services should have a "never ever reset my password / 2fa through tech support" checkbox. maybe with something like a three-minute video you have to watch before enabling it, so no one could accidentally do that.
       
       Post #9vUFiaR0e6xJeiJS0e by wolf480pl@mstdn.io
       2020-05-27T23:19:39Z
       
       0 likes, 0 repeats
       
       @leip4Ier Many sites disable password reset when you enable 2FA. You get a set of single-use recovery codes, and that's your only way of resetting 2fa/password if you lose access. They will also refuse resetting password/2fa through tech support.
       
       Post #9vUFuEPuKj4eqNLlWy by leip4Ier@infosec.exchange
       2020-05-27T23:21:48Z
       
       0 likes, 0 repeats
       
       @wolf480pl i don't know a single website that works like this. maybe github, which is annoying as it tells me to link my phone number each time i log in, but i'm not completely sure their support would refuse a request.
       
       Post #9vUumawSnX0oVZ3TO4 by fallenhitokiri@infosec.exchange
       2020-05-28T06:59:51Z
       
       0 likes, 0 repeats
       
       @leip4Ier that should be the standard, not an opt-in :/
       
       Post #9vUutSJtFlHLnIHgPI by leip4Ier@infosec.exchange
       2020-05-28T07:01:04Z
       
       0 likes, 0 repeats
       
       @fallenhitokiri i think it isn't viable from a business perspective
       
       Post #9vUvazT5srL73QLdy4 by fallenhitokiri@infosec.exchange
       2020-05-28T07:08:56Z
       
       0 likes, 0 repeats
       
       @leip4Ier I guess it’s a call to make if a data breach or lost account is worse. I would never want my bank to do that, but rather force me to show up in person to reset my online account. Twitter - as it carries some brand value - hard to tell. Imgur - sure, send me my plain text password (kidding)
       
       Post #9vUxZSCeHGoRVE3E0W by leip4Ier@infosec.exchange
       2020-05-28T07:31:03Z
       
       0 likes, 0 repeats
       
       @fallenhitokiri google? a company that doesn't have physical presence in most locations, but is important for people's daily lives. i mean, trusting emails, photos and money (android software licenses, etc) to a single company is a bad idea on its own, but the possibility of losing access to all of that would be scary for most people. i think the possibility of a 3rd party getting access feels less real. you can imagine yourself forgetting your password, not so much someone else resetting it.
       
       Post #9vUxjZf1PB3pWn9EmW by fallenhitokiri@infosec.exchange
       2020-05-28T07:32:53Z
       
       0 likes, 0 repeats
       
       @leip4Ier I’d argue that a company that reaches this size / importance for people’s everyday life should be required to work with a higher standard - like a video call verifying an identity with a government-issued document ex (that’s what online banks in Europe do for example)
       
       Post #9vUxkrVYXD1XAbKo8O by leip4Ier@infosec.exchange
       2020-05-28T07:33:07Z
       
       0 likes, 0 repeats
       
       @fallenhitokiri or email providers in general (remembered the stories of blizzard asking you to provide a photo of your id for the first time to delete your account and realized that physical presence is not the only issue)
       
       Post #9vUxtnbOQSrzf8KI9A by leip4Ier@infosec.exchange
       2020-05-28T07:34:45Z
       
       0 likes, 0 repeats
       
       @fallenhitokiri now thinking, that'd make sense. introduce two tiers of accounts, verified with a government-issued id and "anonymous", with the latter being impossible to recover.
       
       Post #9vUy5jM42iIrxsqUzY by fallenhitokiri@infosec.exchange
       2020-05-28T07:36:54Z
       
       0 likes, 0 repeats
       
       @leip4Ier I remember sending my ID to them twice - and I wasn’t even logged out, it was to resolve a dispute with their online shop where goods weren’t delivered. Horrible process, technically illegal with the new IDs in Germany.
       
       Post #9vV3A0UGmpVs1rXgTg by leip4Ier@infosec.exchange
       2020-05-28T08:33:39Z
       
       0 likes, 0 repeats
       
       addition: it would probably make sense to enable this feature either upon registration or a few days after the user requests it. otherwise, attackers would reset passwords via tech support, log in and make it impossible to reset the password again. or there should be exceptions for cases with hacked accounts, especially hacked through a breach and not a weak password. complicated
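The two mechanisms discussed in this thread (single-use recovery codes as the only self-service reset once the lock is on, and a pending window before a requested "no reset via tech support" lock binds, so that a reset obtained through support cannot be followed by an immediate lock-out) modelled as a small policy object. This is an added illustration, not code from any of the posters or from any real service; the three-day window, the field names and the day-counter are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

PENDING_DAYS = 3  # assumed cooling-off window before the "no support reset" lock binds

def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()  # keep hashes, never raw codes

@dataclass
class Account:
    password: str = "owner-initial"
    lock_requested_day: int = -1  # day the lock was requested; -1 means never
    recovery_hashes: set = field(default_factory=set)
    def issue_recovery_codes(self, n: int = 5) -> list:
        # Single-use codes shown to the user once; only their hashes are stored
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.recovery_hashes = {_digest(c) for c in codes}
        return codes
    def request_support_lock(self, today: int) -> None:
        self.lock_requested_day = today
    def cancel_support_lock(self) -> None:
        self.lock_requested_day = -1
    def support_lock_active(self, today: int) -> bool:
        # The lock binds only once the pending window has elapsed
        start = self.lock_requested_day
        return start >= 0 and today >= start + PENDING_DAYS
    def reset_via_support(self, today: int, new_password: str) -> bool:
        if self.support_lock_active(today):
            return False  # support must refuse once the lock is active
        self.password = new_password
        return True
    def reset_via_recovery_code(self, code: str, new_password: str) -> bool:
        h = _digest(code)
        if h not in self.recovery_hashes:
            return False
        self.recovery_hashes.discard(h)  # burn the code: single use
        self.password = new_password
        return True

def lockout_attempt_is_reversible() -> bool:
    # Day 0: a reset through support, then an immediate lock request by the same party.
    # Day 1: the lock is still pending, so the owner can reset via support and cancel it.
    acct = Account()
    intruder_in = acct.reset_via_support(0, "not-the-owner")
    acct.request_support_lock(0)
    owner_back = acct.reset_via_support(1, "owner-again")
    acct.cancel_support_lock()
    return intruder_in and owner_back and not acct.support_lock_active(10)
```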