Post AQuToLUlhb7dJgvqpU by be@floss.social
 (DIR) Post #AQuTbBGMR0kDohup5E by be@floss.social
       2022-12-23T14:27:09Z
       
       1 likes, 0 repeats
       
       Abolish passwords.
       
 (DIR) Post #AQuTbBuQ24mroweoWO by be@floss.social
       2022-12-23T14:40:25Z
       
       1 likes, 0 repeats
       
       Infosec people be like yelling at users to use password managers instead of yelling at developers to implement WebAuthn.
       
 (DIR) Post #AQuTbCOYE2tFKOksUK by be@floss.social
       2022-12-23T15:02:14Z
       
       0 likes, 0 repeats
       
       Who would've guessed that storing all your passwords in a giant honeypot with everyone else's passwords on the same server was a bad idea.
       
 (DIR) Post #AQuTbCtkM3qMt9Ln72 by be@floss.social
       2022-12-23T15:06:35Z
       
       1 likes, 0 repeats
       
       Infosec people: Don't write down your passwords! Except on this one server run by this one company where everyone else writes them down.
       
 (DIR) Post #AQuTbEdrs4KYITw8dk by be@floss.social
       2022-12-23T15:13:42Z
       
       1 likes, 0 repeats
       
       Infosec people: Don't tell anyone else your passwords! Except this one company that runs a business collecting your passwords.
       
 (DIR) Post #AQuTbGZKhttKGzpXqi by be@floss.social
       2022-12-23T17:30:04Z
       
       1 likes, 0 repeats
       
       Infosec people: Don't tell anyone else your passwords! Except these two companies that run businesses collecting your passwords. Just not that one company.
       
 (DIR) Post #AQuTbGboYfsOOgzWiW by be@floss.social
       2022-12-23T16:37:41Z
       
       1 likes, 0 repeats
       
       Authenticating with remote servers by exchanging a shared secret is a bad idea and always has been.
       
 (DIR) Post #AQuTbILE7JnPlpFJ8i by be@floss.social
       2022-12-23T17:01:11Z
       
       1 likes, 2 repeats
       
       I wish people talked about passwords the same way they talk about memory unsafe programming languages.
       
 (DIR) Post #AQuTbKED6NN7cdyjTs by be@floss.social
       2022-12-23T20:45:38Z
       
       1 likes, 0 repeats
       
       Why do memory unsafe programming languages get so much more attention problematizing them than passwords? I think passwords are a much bigger risk for most people than unsafe memory access which will most likely cause the affected program to crash. Passwords are routinely exploited by phishing and mass leaks of password hashes from hacked servers.
       
 (DIR) Post #AQuTbKJslHuPuEdGK0 by be@floss.social
       2022-12-23T17:24:52Z
       
       1 likes, 0 repeats
       
       Password managers are to passwords like address sanitizer is to memory unsafe programming languages. They're mitigations, but do not solve the problem. The only way to solve the problem is to switch to a fundamentally different solution.
       
 (DIR) Post #AQuTbLxydhZj0sOnSK by be@floss.social
       2022-12-23T20:49:50Z
       
       1 likes, 0 repeats
       
       I guess solving practically important security issues is not as exciting to developers as a shiny new programming language.
       
 (DIR) Post #AQuTbM9JxWeJa3hr8a by be@floss.social
       2022-12-23T20:39:15Z
       
       0 likes, 0 repeats
       
       Unlike address sanitizer, password managers create novel risks that do not exist without using them.
       
 (DIR) Post #AQuTl1b1ELiijQGvyK by leah@blahaj.social
       2022-12-23T20:45:32Z
       
       0 likes, 0 repeats
       
       @be *cough* https://www.rapid7.com/db/modules/exploit/linux/local/asan_suid_executable_priv_esc/
       
 (DIR) Post #AQuTl26DMMfqIArqb2 by be@floss.social
       2022-12-23T20:46:23Z
       
       1 likes, 0 repeats
       
       @leah Not very relevant because ASAN generally isn't enabled in production, only as a debugging tool.
       
 (DIR) Post #AQuToKubs2CNVY0yTA by mahmoudajawad@mastodon.online
       2022-12-23T15:22:04Z
       
       0 likes, 0 repeats
       
       @be I'm more into 2FA and MFA than going password-less, as it implies we have to implant our phones in our arms or else we shall not be able to login again. I don't know for sure but passwords are a real problem that not enough resources are being put into solving.
       
 (DIR) Post #AQuToLUlhb7dJgvqpU by be@floss.social
       2022-12-23T15:34:40Z
       
       1 likes, 0 repeats
       
       @mahmoudajawad I'm not sure what you mean? You can register multiple devices to an account to avoid losing access if you lose a single device.
       
 (DIR) Post #AQuoiYLF7nymSVYVwO by konni@toot.kartonrad.de
       2022-12-24T00:49:31Z
       
       0 likes, 0 repeats
       
       @be passwords are cringe
       Yes
       But also
       Memory unsafe languages are a pretty big cause for RCE shit right?
       I mean ok javascript also frequently has baad rce bugs in packages
       But i mean it's fucking javascript
       And java also had this really bad one in the log package thing
       But i mean it's fucking java
       Memory safety is good though
       
 (DIR) Post #AQwqN2mTrNrAib5SzY by be@floss.social
       2022-12-24T21:28:49Z
       
       0 likes, 0 repeats
       
       If you're wondering how to abolish passwords, Yubico recently published some great blogs about passkeys:
       https://www.yubico.com/blog/passkeys-and-the-future-of-modern-authentication/
       https://www.yubico.com/blog/a-yubico-faq-about-passkeys/
       
 (DIR) Post #AQwqN3URDx1CuveZVY by be@floss.social
       2022-12-24T21:39:53Z
       
       0 likes, 0 repeats
       
       Google and Apple have more details about how they're implementing multi-device syncing of copyable passkeys in ways that are resilient to losing all registered devices. Of course, there are security tradeoffs in doing that, and if those aren't acceptable for your threat model, you can use hardware security keys like Yubikeys. But for most people, this is going to be a huge step up in security from passwords:
       https://security.googleblog.com/2022/10/SecurityofPasskeysintheGooglePasswordManager.html
       https://support.apple.com/en-us/HT213305
       
 (DIR) Post #AQwqN488qKmGu4EHOS by be@floss.social
       2022-12-24T22:13:42Z
       
       0 likes, 0 repeats
       
       Summarizing these systems: There's a public-private key pair generated for each account you register for. The server stores the public key, and the private key is stored by an online service to sync to multiple devices. The private key is in turn encrypted by a second public-private key pair, where the private key is stored in secure hardware on your devices. This lets you access your collection of account passkeys only from the devices you authorize.
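
An added toy model of the two-layer key scheme the post above summarizes (example code written for this page, not from the thread and not Google's or Apple's implementation): the account passkey is wrapped to a device public key, so the sync service only ever holds ciphertext, and a device without the matching private key cannot open the vault blob. X25519 key agreement from RFC 7748 is implemented on the standard library and stands in for the signature scheme real passkeys use; the function and label names are assumptions.

```python
import hashlib, hmac, secrets

P, BASE = 2**255 - 19, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder, stdlib only)."""
    k = int.from_bytes(k, "little") & ~7 & ((1 << 255) - 1) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keygen():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASE)

def kdf(shared, label):  # hypothetical label names, one key for encryption and one for the tag
    return hashlib.sha256(shared + label).digest()

def wrap(passkey_priv, device_pub):
    """Encrypt an account passkey to one device's public key; this blob is all the sync service holds."""
    e, E = keygen()                                   # ephemeral sender key, public part travels with the blob
    shared = x25519(e, device_pub)
    ct = bytes(x ^ y for x, y in zip(passkey_priv, kdf(shared, b"enc")))
    return E + ct + hmac.new(kdf(shared, b"mac"), E + ct, hashlib.sha256).digest()

def unwrap(blob, device_priv):
    """Only a device holding device_priv (secure hardware in the real systems) can open the blob."""
    E, ct, tag = blob[:32], blob[32:64], blob[64:]
    shared = x25519(device_priv, E)
    if not hmac.compare_digest(tag, hmac.new(kdf(shared, b"mac"), E + ct, hashlib.sha256).digest()):
        raise ValueError("vault blob tampered with or wrong device key")
    return bytes(x ^ y for x, y in zip(ct, kdf(shared, b"enc")))

def prove(passkey_priv, server_eph_pub, challenge):
    """Client answers a login challenge with the unwrapped passkey (key agreement stands in for the WebAuthn signature)."""
    return hmac.new(x25519(passkey_priv, server_eph_pub), challenge, hashlib.sha256).digest()

def verify(passkey_pub, server_eph_priv, challenge, proof):  # server holds only passkey_pub
    return hmac.compare_digest(proof, prove(server_eph_priv, passkey_pub, challenge))
```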
       
 (DIR) Post #AQwqN4e2viIYV19l7g by be@floss.social
       2022-12-24T22:15:59Z
       
       0 likes, 0 repeats
       
       This is great because it solves the dilemma of registering every hardware authenticator with every online account. I have 4 Yubikeys. I intended to give one to a geographically distant friend as a backup, but that raises the question: when to do that? No accounts I register after sending away that backup Yubikey will be available using that Yubikey.
       
 (DIR) Post #AQwqN5MMGxkAiRt9Bw by be@floss.social
       2022-12-24T22:21:05Z
       
       0 likes, 0 repeats
       
       With copyable passkeys, I could register new accounts and use those newly registered passkeys using any device I have authorized to access my stored vault of passkeys.
       
 (DIR) Post #AQwqN5scL1Y2KUyuTQ by be@floss.social
       2022-12-24T22:41:48Z
       
       0 likes, 0 repeats
       
       As far as I can tell, there's nothing about this that requires the vault storing the account passkeys to be online. But it's end-to-end encrypted; if someone compromised the server, they still couldn't compromise your accounts without the private key from one of your devices. The weakest link becomes the mechanism for authorizing new authenticators to access the vault.
       
 (DIR) Post #AQwqN6IUmoFRcl5ZoG by be@floss.social
       2022-12-24T22:55:37Z
       
       0 likes, 0 repeats
       
       Google's and Apple's implementations will have ways to recover vaults in case *all* authorized devices are lost. This is probably good enough for most people most of the time and makes sense for large companies to reduce their support costs. I wouldn't want to leave that weak link available though. This is where sending a Yubikey to a friend could come in. In a worst case scenario of losing my desktop, laptop, and phone, I could still use that Yubikey to authorize a new device.
       
 (DIR) Post #AQwqN6jn9K5AzPrNM8 by be@floss.social
       2022-12-24T23:23:42Z
       
       0 likes, 0 repeats
       
       The Yubikey backup would only be needed in a worst case scenario of losing *all* authorized devices (natural disaster, house fire, robbery). To add a new device, its trust can be bootstrapped from an existing device using the new Bluetooth protocol for authorizing a nearby device: https://www.youtube.com/watch?v=SWocv4BhCNg&t=145s
       or keep a second Yubikey at home to set up new devices
       
 (DIR) Post #AQwqN7BnTCU4OGxk0W by kawaiipunk@sunbeam.city
       2022-12-25T00:14:21Z
       
       0 likes, 0 repeats
       
       @be FIDO/WebAuthn is great. I just wish more things supported it. Mostly it's just used as a 2FA option rather than for passwordless login.
       
 (DIR) Post #AQwqN7bfuzBTgX4PLM by be@floss.social
       2022-12-25T00:16:42Z
       
       1 likes, 0 repeats
       
       @kawaiipunk Hopefully this will be changing soon as Google, Apple, and Microsoft make passkeys usable on a large scale.
       Also: https://floss.social/@be/109563505906756964
       
 (DIR) Post #AQwqN87E1gQBGNpbWK by be@floss.social
       2022-12-24T21:51:57Z
       
       0 likes, 0 repeats
       
       Hopefully there will be free software solutions to accomplish the same thing. It would make sense to integrate into existing password management systems.
       
 (DIR) Post #AQwqN9iU4doqEEGsEa by be@floss.social
       2022-12-24T23:55:59Z
       
       0 likes, 0 repeats
       
       Indeed, Bitwarden is already working on passkey support: https://www.reddit.com/r/Bitwarden/comments/xsdt4r/comment/iqvl21k/?utm_source=reddit&utm_medium=web2x&context=3