[HN Gopher] Flaw has Microsoft Authenticator overwriting MFA acc...
___________________________________________________________________
Flaw has Microsoft Authenticator overwriting MFA accounts, locking
users out
Author : miles
Score : 422 points
Date : 2024-08-17 16:51 UTC (1 days ago)
(HTM) web link (www.csoonline.com)
(TXT) w3m dump (www.csoonline.com)
| RcouF1uZ4gsC wrote:
| Incidentally, this is why SMS MFA is so popular with users
| despite its security vulnerabilities.
|
| Generally, unless you are targeted by someone with a sim swap, it
| is good enough. Most people won't be targeted, but do have a good
| chance of something going wrong that makes them lose their MFA
| key.
| SoftTalker wrote:
| Yep. It's simple, and almost everyone understands it. Like
| passwords themselves. Also the reason more secure approaches
| such as YubiKeys have never taken off in the general public --
| they are just cumbersome and confusing.
| leftbehind wrote:
| We haven't had any issue getting all of our staff --
| nontechnical users alike -- on yubikeys. As part of education
| we skip the PKI portion and just point out that it is "like
| your physical house key. You plug it in and touch it to turn
| the key to unlock"
| SoftTalker wrote:
| Yes, and our staff uses ssh keys (generally but not always
| without issue) and a commercial MFA app. It's one thing to
| get this stuff used in a controlled environment where you
| have a help desk or administrators who can do a lot of the
| setup. You just hand the employee their YubiKey or smart
| card and say "use this."
|
| Trying to imagine your grandmother setting it up herself to
| be able to log in to her Facebook is another matter, and
| why these things have never worked for the general public.
| close04 wrote:
| You probably use certificates and a company PKI to manage
| them. No need to stress if one is lost or locked, just
| revoke and whip up a new certificate.
|
| At home Yubikey is probably synonymous to FIDO not PIV/PKI.
| No whipping up a new one if you lose it. You better have 3
| of them enrolled at any time, and have at least one stored
| off site.
| leftbehind wrote:
| We enroll them as standard fido/webauthn - I hate the
| other modes.
|
| I agree it requires significantly more work when you
| can't just call the locksmith for a new one -- IT -- if
| you lose one on your personal account you can only go get
| the spare key hidden under the doormat, a printed code in
| your safe, or lose the account.
| Groxx wrote:
| For business use, handing out yubikeys is completely
| reasonable - if they're lost or broken, _the company_ is
| the authority and they can (and do) just re-issue a new one
| and work goes on with only a temporary interruption.
| They're easy to explain, fast to use, provide practical
| security, and are simple to recover in case of total
| failure.
|
| For personal use, that equation is _wildly_ different.
| Google isn't going to let you attach a brand new key,
| you've just lost your account forever because it rained.
| JackSlateur wrote:
| Most importantly: yubikeys must be bought
| alistairSH wrote:
| And carried around.
| peanut-walrus wrote:
| Honestly, the only way I see forward is FIDO with dirt cheap
| NFC cards as keys. Need to log in to somewhere? Get the card
| from your wallet and touch it to your phone/laptop. It has to
| be cheap enough that for any company with paying customers it
| makes more sense to physically mail them a card if they don't
| already have one than to support any alternative auth methods.
|
| Most services won't even need a second layer of auth, if
| someone steals your wallet - do they really care about your
| reddit account?
| immibis wrote:
| I've tried enabling it two times. The first time my phone
| permanently broke immediately after enabling it. The second
| time it was stolen. Now I just rely on randomly generated
| passwords.
| SoftTalker wrote:
| "This is a small example of a big problem with usability and
| cybersecurity. This is what happens when apps are developed by
| engineers who don't have a strong knowledge of customers"
|
| This really rings true. Just think of all the nonsense you have
| to deal with in the name of "security." Mandatory password change
| intervals. Insane rules for constructing passwords. Completely
| undocumented password requirements that you just have to figure
| out by trial and error. Complicated error messages full of
| security jargon. "Secret Questions" that you can't remember the
| answers to. And on the other side of the coin, the security of
| these systems themselves is like a sieve. So many data breaches,
| information disclosures, they are in the news almost daily. I
| often wonder how they get away with it all.
| robertlagrant wrote:
| This isn't engineers doing that. It's CYA IT cyber policies.
| SahAssar wrote:
| Sure, but a lot of engineers aren't completely blameless.
| They should push back and explain why these are bad choices
| just like I would expect a building engineer to say to me
| that cardboard is not the ideal load bearing element for my
| skyscraper.
|
| If the company still pushes forward with bad choices it's on
| them, but they should be clearly informed how and why those
| choices are bad.
| harimau777 wrote:
| Pushing back is a great way to lose your job or get passed
| over for pay raises.
| SahAssar wrote:
| In bad orgs, yes. In good orgs you get appreciated for
| speaking up and communicating what will be future
| problems.
| recursive wrote:
| Ok and? Some people work in "bad" orgs.
| stoperaticless wrote:
| We all can choose to either just follow orders or try to
| influence the direction.
|
| Some caveats: 1. Nobody will be convinced to change the
| position on the first attempt, but seeds of knowledge can
| be planted in other people's heads and some of those seeds
| will bear fruit later. 2. Being not nice shuts down the
| passageway of ideas.
| Spooky23 wrote:
| Usually this nonsense is driven by regulatory inertia out
| of control of the org.
| SAI_Peregrinus wrote:
| It's usually driven by industry standards, not government
| regulations.
| sigseg1v wrote:
| Many large orgs, even if individual companies are doing
| "fine" (not gonna say perfect, but also generally
| competent) have a parent organization that manages all
| this audit and policy stuff. In my experience the parent
| org is nearly impossible to change from the direction of
| bottom-up. I can get someone to forward an inquiry to
| them but it takes forever and from their side it's going
| to look like "hey boss, so, 4 of the 5 subsidiary
| companies passed the security audit already 2 months ago
| and the 1 that didn't pass is trying to tell us to modify
| the policy" to which they'd say "how did nobody else
| mention this? sounds like they are being difficult. Can
| we just hurry them along? The audit is already overdue
| and we need all companies passing for this quarter" and
| the response you'll get back is essentially "deal with
| it"
| vips7L wrote:
| All in the name of audit check boxes.
| meroes wrote:
| So far https://studentaid.gov/ is the worst I've come across (I
| don't want to enter fake info^ and I can't duplicate my account
| to double check the requirements). From memory it was something
| like:
|
| 1) No words!
| 2) Can't reuse last 24 passwords
| 3) Excludes some special characters
| 4) 5 Security questions
| 5-10) Several other password requirements
|
| Are the security questions case sensitive? Who knows.
|
| ^ "I understand that I'll be required to certify that the
| information I provide to create an account is true and correct
| and that I'm the individual I claim to be. If I'm not the
| person I claim to be, I understand that I'm not authorized to
| proceed and that I should exit this form now. If I provide
| false or misleading information, I understand that I might be
| subject to a fine, prison time, or both."
| lostlogin wrote:
| > If I provide false or misleading information, I understand
| that I might be subject to a fine, prison time, or both
|
| Enter your password wrong and you're off to jail?
| thaumasiotes wrote:
| Might, not will.
| wizzwizz4 wrote:
| Hopefully "Fakename Q Notarealperson" won't get me
| arrested... Here's the password help message:
|
| ---
|
| Your password must be 8 to 30 characters in length and must
| contain at least one uppercase letter, one lowercase letter,
| and one number.
|
| Your password is case-sensitive.
|
| You can't use personal identifiers such as your first or last
| name, date of birth, or Social Security number in your
| password.
|
| ---
|
| Here are some error codes the API returns:
| ["NULL_USERNAME", "NULL_EMAIL", "PWD_ILLEGAL_CHARACTERS",
| "PWD_CONTAINS_SPACE", "NULL_CHALLENGE_QAS"]
|
| The UI doesn't expose the password error codes. It just says
| "You entered an invalid response. For more info, select the
| help (?) icon." (The NULL_USERNAME and NULL_EMAIL errors seem
| to be spurious in this context.)
| meroes wrote:
| Hmm I just made an account two days ago and it told me no
| words allowed in the own. The email link they sent me to
| sign up no longer works, so maybe they changed something?
| jagged-chisel wrote:
| So I had to guess that spaces weren't allowed?
| airtonix wrote:
| thank god it returns error codes.
|
| i hate apis that only return strings meant for UI display
| only.
| notpushkin wrote:
| If only the UI did display anything useful here too!
| mejthemage wrote:
| Reminds me when my daughter made her Roblox account. They
| had some rule "don't use your real name" but they never
| asked her for her real name, so couldn't validate. They
| would arbitrarily fail a lot of chosen usernames that were
| made up fake names.
|
| When she tried a variation of "Taylor Swift" it worked
| fine.
| globalise83 wrote:
| Stud3ntA1d24 here we come!
| tetrep wrote:
| > Just think of all the nonsense you have to deal with in the
| name of "security."
|
| Well, the good news is that everything you listed is known as a
| bad idea to both end users and people who understand security
| (which is, sadly, not most people who implement security
| policies).
|
| Using 4 or more dictionary words provides excellent password
| security and you can do the same for all of your security
| answers too. There's a variety of free and paid for password
| managers that solve the issue of trying to remember all your
| secrets (great for backing up 2FA secrets too).
|
| I'm not sure what you mean by "complicated error messages" but
| I assume it's errors that they expect the user to fix
| themselves, otherwise they could return a generic nonspecific
| error and a unique ID for you to provide when you contact
| support to get help. While it sucks to get jargon spammed, I
| feel like pretty standard human ineptitude at explaining an
| error rather than anything specific to security. I also think
| it's how many people feel about _any_ error message that
| contains computer jargon (PC LOAD LETTER!?!?).
|
| > I often wonder how they get away with it all.
|
| My thinking (and experience...) is that most organizations are
| failing at a lot of things at any given time, even if the
| business overall is successful. Security is just one of those
| things. I wouldn't be surprised at a small elite organization
| not following that trend, but any sufficiently large
| organization is going to have incompetent people doing
| incompetent things.
| Dylan16807 wrote:
| > Using 4 or more dictionary words provides excellent
| password security
|
| I would not call 44-48 bits "excellent". It works if there's
| a good password hash being used, but if someone left PBKDF on
| basic settings then a GPU might be able to do 50 million
| guesses per second, or for a plain old salted hash 50 billion
| guesses per second.
| norgie wrote:
| How does that math work?
| Dylan16807 wrote:
| The bits, I'm assuming a list of about 2k-4k words. The
| XKCD example is 2k, so 11 bits per word.
|
| The guesses per second, I looked up some hashcat
| benchmarks to get a rough range.
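As an added illustration of the arithmetic in the post above (example code, not from the thread): the entropy of a randomly chosen n-word passphrase and how long a full brute-force sweep takes at the two guess rates Dylan16807 quotes. The "well-tuned slow KDF" rate is an assumed round figure for comparison, not a number from the thread.

```python
import math

# Guess rates in guesses per second. The first two are the rough hashcat-derived
# figures quoted above; the third is an assumed, illustrative rate for a deliberately
# slow and properly tuned password KDF (bcrypt/scrypt/Argon2), not from the thread.
GUESS_RATES = {
    "PBKDF2 left on basic settings": 50_000_000,
    "plain salted fast hash": 50_000_000_000,
    "well-tuned slow KDF (assumed)": 10_000,
}


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly at random from a list of
    `wordlist_size` words, e.g. 4 words from a 2048-word list = 4 * 11 = 44 bits.
    This only holds for random selection; human-picked words score lower."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a keyspace of 2**bits at the given rate.
    The expected time to hit the real passphrase is half of this."""
    return 2.0 ** bits / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def crack_table(word_count: int, wordlist_size: int) -> dict:
    """Seconds to exhaust the keyspace under each rate in GUESS_RATES."""
    bits = passphrase_bits(word_count, wordlist_size)
    return {name: seconds_to_exhaust(bits, rate) for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    for words, size in ((4, 2048), (4, 4096), (6, 2048)):
        print(f"{words} words from a {size}-word list: "
              f"{passphrase_bits(words, size):.0f} bits")
        for name, secs in crack_table(words, size).items():
            print(f"  {name:32s} {humanize(secs)}")
```

With the thread's figures, 44 bits falls in about four days against badly configured PBKDF2 and under six minutes against a plain salted hash, which is the "works only with a good password hash" point made above.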
| tdiff wrote:
| Is there actually some "professional consensus" on password
| reset policies (in form of report or journal article or
| something similar)? If someone could share, I'd love to refer
| to it in my org to stop resetting passwords every n months.
| pdw wrote:
| There are the NIST guidelines on "memorized secrets"
| (passwords): https://pages.nist.gov/800-63-3/sp800-63b.html
| #5-authenticat...
|
| > Verifiers SHOULD NOT require memorized secrets to be
| changed arbitrarily (e.g., periodically).
|
| It has much to say on all kinds of other password nonsense:
|
| > Verifiers SHOULD permit subscriber-chosen memorized
| secrets at least 64 characters in length. All printing
| ASCII [RFC 20] characters as well as the space character
| SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC
| 10646] characters SHOULD be accepted as well.
|
| > Truncation of the secret SHALL NOT be performed.
|
| > Verifiers SHOULD permit claimants to use "paste"
| functionality when entering a memorized secret.
|
| > In order to assist the claimant in successfully entering
| a memorized secret, the verifier SHOULD offer an option to
| display the secret -- rather than a series of dots or
| asterisks -- until it is entered.
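A small set-password check written against the SP 800-63B clauses quoted above (an added example, not code from the thread or from NIST): it enforces only a length range and a blocklist, accepts spaces and any Unicode, and never truncates. The 8-character floor, the "permit at least 64" bound, the NFKC normalization and the screening against compromised and account-specific strings all come from 800-63B section 5.1.1.2; the blocklist contents and the exact MAX_LENGTH are this example's own choices.

```python
import unicodedata

# Per SP 800-63B 5.1.1.2: user-chosen secrets are at least 8 characters and verifiers
# must permit at least 64. The upper bound only caps hashing cost; it may be larger.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for the "commonly-used, expected, or compromised" list that
# 800-63B says prospective secrets must be screened against; use a real corpus.
BLOCKLIST = {"password", "password1", "hunter2", "12345678", "qwertyuiop", "letmein"}


def normalize(secret: str) -> str:
    """Apply NFKC so the same passphrase typed on different platforms compares
    equal (800-63B recommends NFKC or NFKD before hashing). Nothing is stripped or cut."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, context_words=()) -> list:
    """Return the reasons a proposed secret is rejected; an empty list means accepted.

    Deliberately absent: composition rules (upper/lower/digit/special), banned
    characters, and truncation. Spaces and any Unicode code point are allowed, and
    length is counted in code points, as 800-63B specifies. `context_words` are
    account- or service-specific strings (username, service name) that 800-63B also
    says to screen for."""
    s = normalize(secret)
    problems = []
    n = len(s)
    if n < MIN_LENGTH:
        problems.append(f"too short: {n} characters, minimum is {MIN_LENGTH}")
    if n > MAX_LENGTH:
        problems.append(f"too long: {n} characters, maximum is {MAX_LENGTH}; "
                        "rejected, not truncated")
    if s.casefold() in BLOCKLIST:
        problems.append("found in the compromised/common password list")
    for word in context_words:
        if word and word.casefold() in s.casefold():
            problems.append(f"contains account/service-specific string {word!r}")
    return problems


if __name__ == "__main__":
    samples = [
        ("correct horse battery staple", ()),   # spaces, no digits: fine
        ("hunter2", ()),                         # short and on the blocklist
        ("P@ss1", ()),                           # passes every composition rule, still too short
        ("x" * 65, ()),                          # over the limit: refused, not cut
        ("alice-studentaid-2024", ("alice", "studentaid")),
    ]
    for secret, ctx in samples:
        verdict = check_memorized_secret(secret, ctx) or ["accepted"]
        print(f"{secret[:30]!r:34s} -> {'; '.join(verdict)}")
```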
| tdiff wrote:
| Thanks!
| chgs wrote:
| Password resets should only be performed if it is suspected
| a password has been compromised.
|
| Complex passwords also should not be required
|
| NIST Special Publication 800-63B - Digital Identity
| Guidelines.
|
| https://www.netsec.news/summary-of-the-nist-password-
| recomme...
| tdiff wrote:
| Thanks!
| brookst wrote:
| > Completely undocumented password requirements that you just
| have to figure out by trial and error.
|
| My favorite is:
|
| 1. I go to a website I haven't used in a while but know I have
| an account on
|
| 2. I sign in with my email and what I'm sure is the right
| password for that site (algorithmically generated from site
| URL)
|
| 3. Password not valid
|
| 4. Ok, maybe this was an older version of my algorithm from way
| back
|
| 5. Password not valid
|
| 6. Fine, hit password reset
|
| 7. Get reset email and click it
|
| 8. Enter algorithmically generated password as new password
|
| 9. Error, can't have that special character
|
| 10. Fine, per my rules, replace that special character with
| next one
|
| 11. Sorry, can't reset password to your current password
|
| 12. Aaaaaargh.
| rightbyte wrote:
| This has bugged me a lot. Have I been gaslighted? Like, do
| sites lose my password? I can swear there have been like 10
| occasions in the last 20 years where I had to reset my
| password where I am pretty sure I knew it.
| 14 wrote:
| That's how I lost my Hotmail account.
| gerdesj wrote:
| They emailed you the password reset link?
| jasonjayr wrote:
| I'd bet that some sites had their DB leaked/hacked, and
| just marked all the current passwords invalid to force a
| reset. Hopefully, it was just the hashes that were
| leaked...
| rightbyte wrote:
| Oh ye that is a good theory.
| dataflow wrote:
| Just a few hours ago a pretty well-known site was telling
| me my password was wrong. The same one I'd copy pasted and
| logged in with for years from my password manager,
| including as recently as within the past 24h. I tried their
| app and it logged me in just fine. This wasn't the first
| time I'd had such issues with the site. Why do these
| happen? No idea, they must just hate me.
| underwater wrote:
| I had this with Duolingo. Their login fails if the
| browser can't connect to recaptcha.net. But it just shows
| a generic "incorrect username/password" message.
| dataflow wrote:
| In my case I'm pretty darn sure it's something on their
| backend. Some race condition or lock or something that
| prevents login while stuff is being updated. The most
| frustrating part is the gaslighting, not the failure.
| Garlef wrote:
| Or it could be bad UX, displaying the same error message
| for two different errors.
|
| (Not saying that simplifying several errors into one
| message is always bad. I think it's reasonable to just
| return a 500 without any info for everything that's
| caused by an unexpected exception on the backend.)
| cbzbc wrote:
| Or a backend cache miss
| qingcharles wrote:
| Ah, this is a good debug. I wonder how many times this is
| silently happening on other sites?
| BlueTemplar wrote:
| Very common, the first thing I check when this kind of
| error pops up.
| rightbyte wrote:
| Well I am glad I am not alone. It is a strange feeling to
| know you are right and the computer saying no making you
| doubt yourself. Like, my first reaction is usually to
| write the password in clear text and copy pasting it to
| rule out keyboard issues ...
| Red_Leaves_Flyy wrote:
| You want a good one? Silent password truncation on account
| creation without a required relogin so on return my saved
| password doesn't work and I need to reset it.
| pylua wrote:
| This has nothing to do with knowledge of customers but
| really just a lack of caring.
| broknbottle wrote:
| ugh this one is by far the worst and the only way to discover
| is knowing your password is 100% correct. I usually will
| drop the password length from 24 -> 12 to sort it out.
| EvanAnderson wrote:
| I had something similar happen with an HP Ethernet switch
| years ago. I was looking at a factory reset (and had no
| backup of the config... ugh...). I started re-entering the
| password with 1 fewer character on each attempt and finally
| got in. Maddening.
| AmericanChopper wrote:
| My bank used to do this too, but they were nice enough to
| silently truncate the password input on the login form as
| well, so you wouldn't ever notice unless you accidentally
| did something to reveal the truncation.
|
| It annoyed the hell out of me though when I was trying to
| put the required special character on the end of my too-
| long password after a required password change, and the
| only error message I got was that the special character was
| missing.
| Sylamore wrote:
| I had a bank that did this and it took me months to figure
| out WTH every time I tried to logon it failed, but when you
| reset the password it accepted longer length passwords
| while silently truncating them and getting you back into
| the account. I finally figured out their max password
| length was 8 characters anything longer would result in
| failures past the initial logon after a reset.
| AnonBanking wrote:
| Making a throwaway for this since my main is linked to my
| real identity.
|
| I worked for the online investment banking arm of one of
| the big Canadian banks a few years ago. Their passwords
| could only be eight characters long. At one point, I was
| tasked to do some work on their IVR system and discovered
| that your phone password was entered by pressing the
| corresponding letter key on your phone keypad. But they
| didn't say "2 for A, 22 for B, etc." which really confused
| me. How did it know the passwords were correct?
|
| And that's when I had a terrifying realization and tested
| it out on the website - they weren't magically converting
| your phone presses into ascii characters. No, they were
| converting your password into the corresponding numerics
| and saving that. Every single user password was a 6-8-digit
| number.
|
| They upgraded their whole login system around the time I
| left that company, including implementing 2FA. Though their
| 2FA was SMS-based rather than using a known authenticator
| app system, so it still wasn't perfect.
| noirbot wrote:
| I've absolutely had this happen with some US bank in the
| last 4 years. I can't remember which one, but they had me
| essentially type in my password over the phone in the
| same way, with * being the button for any non
| alphanumeric character.
| thoronton wrote:
| My password is "***********"
| qingcharles wrote:
| hunter2? that's a weird password
| _fat_santa wrote:
| Yep I ran into this with an Oracle OpenAir. Needed to reset
| my password so I fire up 1Password, generate a 50 char PW
| and set that. It works for the first login but when I
| logout and log back in it tells me I have an incorrect
| password. Go through a password reset a few more times
| before I finally realize that they are just taking the
| first 12 characters of my PW and using that, and not
| telling me that they are doing that.
| senectus1 wrote:
| >11. Sorry, can't reset password to your current password
|
| This sounds like an erroneous error, i.e. the error message
| displayed is not the correct error message. There was
| definitely an error but the error was not that you tried the
| same password as your current.
|
| I hate erroneous errors with a vengeance, because they not
| only break user workflow but they break helpdesk workflow as
| well; then it gets escalated to an engineer who quite often
| can't fix the actual erroneous error but knows what the actual
| issue is and fixes that anyway.. meaning the erroneous error
| never gets fixed and will now hang around to chew up
| everyone's time all over again.
|
| such a silly way to waste so much time, over and over.
| tbrownaw wrote:
| > _This sounds like an erroneous error, i.e. the error
| message displayed is not the correct error message. There
| was definitely an error but the error was not that you
| tried the same password as your current._
|
| What exactly is this based on?
|
| I know I've seen that listed as a requirement (well,
| actually can't be one of the last 3) on some systems that
| have annoying password requirements.
| brookst wrote:
| I disagree. It's pretty normal to invalidate the current
| password on password reset, and to also not allow the same
| password to be reused.
| KMag wrote:
| I agree with you, but would phrase it differently.
|
| You want some indication that any leak of your current
| password actually hasn't been mitigated. A failure
| message that your password hasn't actually changed (due
| to being identical) is functionally the same as allowing
| the password change and giving a warning that the
| passwords were identical (modulo some back-end details
| like if the password salt has changed and if the password
| change date has been updated).
| usrusr wrote:
| Oh yes, you're not alone! That secret battle between "must
| have" character classes and "can't have" character classes is
| the bane of all mental password algorithms. Where do the
| "can't have" rules come from, anyways? Smells like not using
| hashing (and even then, those rules would still be weird).
| But it can get even better, when the site refuses to accept
| third level domain email addresses. Bonus points when it did,
| but at some point stopped.
| mschuster91 wrote:
| > Where do the "can't have" rules come from, anyways?
|
| For umlauts, restricting the amount of support calls from
| people abroad where the keyboard doesn't have them.
|
| For others, particularly when mainframes or other truly old
| legacy systems are involved, encoding issues somewhere
| along the transport chain.
| SAI_Peregrinus wrote:
| This is (part of) why we recommend password managers to
| people, not deterministic generation algorithms that still
| require keeping a list of logins with exceptions.
| AtlasBarfed wrote:
| Except the password manager becomes a central point of
| failure. If someone gets your phone, opens your password
| manager, boom they have keys to the castle. Because let's
| be honest, the password manager is on the phone, and
| there's no way keyloggers or screenshot backdoors get on
| there, and there's no way someone isn't looking over your
| shoulder with the latest iPhone Pixel Galaxy supercamera
| across the room.
|
| It is really hard to listen to any security recommendation
| from anyone in the industry when there are SO MANY bad
| password rules that restrict what actual good long
| passwords are. Length restrictions, restrictions on special
| characters or UTF-8, password rotation rules. These
| examples of bank logins at major banks absolutely blow my
| mind.
|
| https://xkcd.com/936/
|
| and is site-specific with some leetcode subs or a magic
| number suffix is about the strongest password for login and
| for long-term user security and usability.
|
| Maybe in another 15 years the security people at
| corporations will get their act together?
|
| Maybe sometime we'll get legislation with some actual teeth
| on login security?
| AshamedCaptain wrote:
| > Except the password manager becomes a central point of
| failure. If someone gets your phone, opens your password
| manager, boom they have keys to the castle. Because let's
| be honest, the password manager is on the phone, and
| there's no way keyloggers or screenshot backdoors get on
| there, and there's no way someone isn't looking over your
| shoulder with the latest iPhone Pixel Galaxy supercamera
| across the room.
|
| Password managers usually are either password-protected
| themselves or have biometrics, which suffice to deter
| random thieves. In fact, password managers are not going
| to show your password in the first place, they are going
| to silently fill in password prompts. The password cannot
| be clipboard-stolen, screen captured, or key logged. It
| is even more difficult to fish you (if the password
| manager doesn't detect the right program id/URL, it won't
| fill your password in -- unlike you).
|
| If someone is looking over your shoulder with a
| supercamera he can get one password. If you are using a
| password manager, that's it. If you were using "an
| algorithm" to derive your passwords it is now possible he
| can now easily guess ALL your passwords. Most people
| aren't that good remembering good "algorithms" anyway.
| Maybe he needs to capture two passwords to do so?
|
| Unless your algorithm is truly good, in which case you
| likely have to store it somewhere and that becomes your
| "password manager", which shares the same cons as a
| password manager itself. You are even at risk of your
| "algorithm" being guessed through a couple big password
| DB leaks, which are sadly ridiculously common, and this by
| itself puts you more at risk than worrying about
| supercameras.
|
| I however don't have anything good to say re password
| managers that sync passwords over a centralized service,
| or worse, do so without proven E2EE.
| anamexis wrote:
| Deterministic generation algorithms are also a central
| point of failure - if your key gets leaked, you're
| cooked.
| jlarocco wrote:
| "This is what happens when apps are developed by engineers who
| don't have a strong knowledge of customers"
|
| I'd replace "engineers" with "product owners". I'm sure the
| engineers at Microsoft know some of the stuff they're doing is
| braindead and are unable to do anything about it.
| surfingdino wrote:
| It's likely that the subject of overwriting accounts has been
| discussed with business more than once, but the business are
| so stupid that they do not see it as a problem, or think that
| if anything goes wrong (as it inevitably will) they will
| lose their pension. So nothing changes. All software
| companies have an expiry date and Microsoft is a couple of
| decades past its own.
| delecti wrote:
| My bank introduced "usernames" at some point, breaking login
| with email addresses, but didn't document this fact, or enforce
| that usernames not be _set_ to email addresses. For a few
| months, every time I went to login, I had to use the "find my
| account" function, and each time I would again set my username
| to my email address (and why wouldn't I, it had been my login
| credential for nearly a decade by that point). At no point did
| it ever enforce a restriction on the @ or . in the username,
| _until_ I went to login. It took me literal months to figure
| out and set it to something else.
|
| This is Capital One by the way. My account was originally ING
| Direct, then Capital One 360, before being fully incorporated
| into the rest of their nonsense, and I assume that's related to
| the username situation.
| EduardoBautista wrote:
| At a Mexican bank, Banregio, there was a character limit to
| the username on mobile but not on web. So I originally had a
| username that was accepted at registration but not when I
| tried to log in on my phone and it wouldn't allow me to input
| my entire username.
|
| Edit: The issue was with the password field, not the
| username.
| waterproof wrote:
| USAA had a similar issue for some time, but with the
| password field. One interface (web or mobile, I don't
| remember) would silently truncate the password. You
| couldn't even tell it was being truncated because it was
| all **!
| EduardoBautista wrote:
| Actually, looking at the credentials in 1Password for
| this bank, my issue was with the password field, so
| similar to USAA. Mobile had a 15 character limit.
| cuu508 wrote:
| Speaking of character limits, my bank, Swedbank Latvia,
| used to have a 16-character limit on passwords. After lots
| and lots and lots of pestering over various channels, they
| finally fixed it. But the "fix" was to add a maxlength
| attribute on an input field. So the field will accept the
| 16 first characters and ignore the rest (password fields
| are masked so the user cannot see the field is not
| accepting their input). So yes, I could now set my password
| to "SwedbankSecurityExperts", yay. But I could later log in
| with "SwedbankSecurityIncompetence" as well...
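An added example (not code from the thread or from any bank named in it) modelling the three truncation behaviours described above: a verifier that keeps only the first 16 characters on both set-password and login (the maxlength "fix"), one whose registration and login paths truncate differently (the first-12-characters case), and a hardened one that hashes the whole secret and refuses over-length input with an explicit error. `probe_truncation` is a self-test a team can run against its own auth code; the 16 and 12 limits are taken from the posts above, the KDF settings are demo values.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low for the demo; a real PBKDF2 deployment tunes this much higher


def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


class MaxlengthVerifier:
    """The maxlength 'fix': both the set-password and login fields keep only the
    first 16 characters, so the stored hash covers just that prefix and any longer
    string sharing it logs in."""
    LIMIT = 16

    def __init__(self):
        self.db = {}

    def register(self, user: str, secret: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, kdf(secret[: self.LIMIT], salt))  # silent cut

    def login(self, user: str, secret: str) -> bool:
        salt, digest = self.db[user]
        return hmac.compare_digest(digest, kdf(secret[: self.LIMIT], salt))


class MismatchedVerifier(MaxlengthVerifier):
    """Registration hashes the full secret but the login path keeps only 12
    characters, so the correct password fails on every login after the reset."""
    LIMIT = 12

    def register(self, user: str, secret: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, kdf(secret, salt))  # full string here ...
    # ... while the inherited login() truncates to LIMIT, so the digests never
    # match for any password longer than 12 characters.


class FullSecretVerifier(MaxlengthVerifier):
    """Hardened: hash every character and refuse, with a visible error, anything
    longer than the documented limit instead of cutting it."""
    LIMIT = 64

    def register(self, user: str, secret: str) -> None:
        if len(secret) > self.LIMIT:
            raise ValueError(f"password longer than {self.LIMIT} characters")
        salt = os.urandom(16)
        self.db[user] = (salt, kdf(secret, salt))

    def login(self, user: str, secret: str) -> bool:
        salt, digest = self.db[user]
        return hmac.compare_digest(digest, kdf(secret, salt))


def probe_truncation(verifier_cls, secret: str) -> str:
    """Self-test against your own auth code: register `secret`, then check that
    the exact secret is accepted and the secret plus one extra character is not.
    The probe secret must be longer than any limit you suspect, or the cut never
    happens. Returns "ok", "prefix-accepted" (login truncates) or
    "correct-rejected" (registration and login disagree)."""
    v = verifier_cls()
    v.register("probe", secret)
    if not v.login("probe", secret):
        return "correct-rejected"
    if v.login("probe", secret + "X"):
        return "prefix-accepted"
    return "ok"


if __name__ == "__main__":
    for cls in (MaxlengthVerifier, MismatchedVerifier, FullSecretVerifier):
        print(f"{cls.__name__:20s} {probe_truncation(cls, 'SwedbankSecurityExperts')}")
```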
| vladvasiliu wrote:
| Well, 16 isn't so bad. Here, in France, BNP accounts must
| have exactly six-digit passwords. They're also
| incompatible with password managers: you have to click
| the number on a visual number pad.
| Teever wrote:
| Surely that must run afoul of some sort of French laws
| regarding accessibility?
|
| How are blind people supposed to use this UI?
| vladvasiliu wrote:
| To be honest, I'm neither a web dev/designer nor do I
| have bad sight, so I admit I don't really know how
| accessibility works. I expect this to be compatible with
| screen readers somehow, they even say they take this
| seriously. But from a quick glance at the Accessibility
| tab in Firefox, I see many complaints about "interactive
| elements must be labeled".
|
| Obviously, if the computer reads aloud the password as
| you type it, it's an absolute win for security, and I'm
| sure some PMs somewhere are quite content with a job well
| done.
|
| For the curious, here's the login page:
| https://mabanque.bnpparibas/fr/connexion
| sebastiennight wrote:
| La Banque Postale actually has a toggle button to make
| the computer read the code out loud as you type it.
|
| It's no big deal... you'd need to be blind to miss
| someone nearby listening in!
| sebastiennight wrote:
| Maybe it's a French law or something.
|
| I've had business and personal accounts with SG, La
| Banque Postale, BoursoBank and CIC and they all worked
| with those 6-character "visual number pad" logins.
| vladvasiliu wrote:
| I doubt it. N26, which is, granted, a "new bank", doesn't
| have that, even though it now has an actual French
| subsidiary, complete with French account numbers. My
| password with them is way above 6 characters, and
| contains numbers, letters and symbols. The login page has
| a regular password field.
|
| I think the others are just copycats. Someone must have
| come up with this first, and the others figured "yeah,
| that looks so secure, let's do that, too". If I had a
| penny for every CSO who justified some stupid "security"
| idea with "everybody does it, why shouldn't we?" I'd be
| so rich I wouldn't care about this crap anymore.
| CorrectHorseBat wrote:
| At least you can login. Alipay in China has (or had, it's
| been a while) a max length of about 16 characters for
| your full name, but when linking to your bank account it
| compares with the whole string, so any name longer than
| 16 characters will always return false.
| Apfel wrote:
| I've spent a lot of time in China over the years and most
| of their tech systems are built on the assumption that
| only Chinese folk will ever use it. In this case, the
| vast majority of Chinese people have a 2, 3 or 4
| character name ('why would you EVER need 16, silly Lao
| Wai ?')
|
| It's a bit of a 'Foreigner in China' stereotype to whine
| about how absurdly difficult it is to go to e.g. the bank
| or a hospital as a non-native because it happens so
| often.
| fragmede wrote:
| I had that problem with a major US bank. Copy and pasting
| or retyping the password worked, because doing so hit the
| client side JavaScript that truncated the password. If the
| password manager filled it out, it wouldn't work because it
| bypassed that JavaScript.
| MSFT_Edging wrote:
| At some point paypal had a character limit on the password,
| but wouldn't warn you when you set the password. So I set a
| long password, and was denied entry when using it, until I
| figured out the limit.
|
| Ex, i created the account with
| "mySuperAwesomeHunter2Password".
|
| But the limit was somewhere in the middle so I had to enter
| "MySuperAweso" to log in.
|
| They fixed it since then but I stopped using it except as a
| payment proxy. No money will ever be stored on paypal after
| that nonsense.
| dilawar wrote:
| This is nothing.
|
| My bank account (HDFC india) starts with 00. Dare send it to
| any accounting person who will copy paste it into an excel
| sheet and bang.. the prefix 00 is gone. Now they will
| complain that your account details are wrong. Took me a few
| months to figure out what was really going on.
| ctxc wrote:
| Not to mention the disabled copy pasting.
| ryoshu wrote:
| Had a similar thing happen when my small regional bank was
| rolled up through a couple M&A's and I have 00s and my
| regional account number remained. If I ever have to call
| them I have to explain the situation because when I start
| with 0s they don't believe me.
| toss1 wrote:
| Yup.
|
| Here in USA, Citizen's bank, iirc a subsidiary of Royal
| Bank Of Scotland, has had a bug for years that prevents me
| from changing my password. The only way to do it is via a
| series of tech support calls, despite the fact that they've
| had an open ticket for years. The source of the problem?
| Can't do it on an account where the email address (not the
| username) has a less-than-3-character-long name, as in
| "ab@mycomain.com". I own a small company and setup initials
| for easy-to-use email addresses, and found zero problems
| anywhere else in the world. But these clowns seem to need
| "abc@..." to function correctly.
|
| I've found bankers tend to not be the brightest bulbs in
| the box, and this is but one example.
| hypercube33 wrote:
| Up until a few years ago WF didn't process case in passwords.
| You could set your password to Hello and log in with hello
| bongodongobob wrote:
| > Mandatory password change intervals.
|
| Hasn't been best practice for a decade.
|
| > Insane rules for constructing passwords.
|
| There needs to be a minimum standard. Generally length is
| enough, but the special character type stuff is annoying.
|
| > Completely undocumented password requirements that you just
| have to figure out by trial and error.
|
| I haven't come across this.
|
| > Complicated error messages full of security jargon. "Secret
| Questions" that you can't remember the answers to.
|
| That's a you problem.
|
| Y'all complain about password breaches but want to use
| Mypassword69! for everything. Pick a lane.
| smohare wrote:
| I encounter some bogus undocumented password constraints
| probably half the time I create an account. Usually it is a
| maximal length requirement that is not mentioned in the error
| message.
|
| Don't defend these idiotic practices.
| bongodongobob wrote:
| I'm not. The only time I've seen a maximum length password
| was like 10 years ago on Dell's iDRAC I think? I just don't
| think the complaints being thrown out here are good
| arguments.
| pasquinelli wrote:
| I just had it happen day before yesterday to create an
| account for a service to do a background check for a new
| job. It rejected my password without saying why and I
| could only get past it by shortening it to 15 characters.
|
| And then the deeper question is, why do I need to create
| an account for this?
| bongodongobob wrote:
| Not defending the max length, that's stupid and probably
| some old AS400 thing that got built into the system, but
| the account is for auditing obviously.
| pasquinelli wrote:
| I don't see what's obvious. What is being audited? Why is
| my email address needed when I'm giving them my ID and
| SSN?
| tsimionescu wrote:
| Look at Microsoft's personal accounts (live.com or
| whatever they are calling it this week) - they still have
| this limit.
| pasquinelli wrote:
| Password too long is such a stupid reason to reject a
| password.
| troupo wrote:
| > but want to use Mypassword69! for everything
|
| That... That is literally what these "security practices"
| force you to use. You literally used an example of the
| ubiquitous "at least one uppercase letter, one special
| character, and one digit" requirement
| bongodongobob wrote:
| And I think that's fine. Unless you're going to ask for 24
| character passwords. Pick one.
| maratc wrote:
| correcthorsebatterystaple is 25 characters though.
| gpvos wrote:
| _> Hasn't been best practice for a decade._
|
| This entire thread is about places that clearly have no clue
| about best practices.
|
| _> I haven't come across this._
|
| You sweet summer child...
| racked wrote:
| Microsoft SSO/auth flows have that feel in general. Really
| feels like something hacked together. Some examples from the
| top off my mind:
|
| - In MS Authenticator, having to click on each subject rather
| than just showing the code immediately. If Google's
| Authenticator can show the code, why can't MS's?
|
| - Azure DevOps randomly redirecting to the login form and back
| while already logged in.
|
| - Azure DevOps randomly opening an authentication popup
| (presumably some SSO stuff) and closing it again
|
| - Clunky-looking Office365 account management flows
| Sylamore wrote:
| MS Authenticator will show the codes for TOTP if you go to
| the hamburger menu and select "show codes".
| racked wrote:
| Hah, you're right. Thanks!
| vladvasiliu wrote:
| I only very rarely use Azure DevOps, but that seems tame.
|
| If you have multiple accounts open in the same browser
| session, regular Azure portal won't remember which one you
| chose when opening in a new tab. If you got to a new tab by
| clicking a link, it will send you to select which account you
| want, then helpfully send you to the portal homepage,
| forgetting the initial URL.
|
| Well, that was before. Since a few days, they seem to have
| improved the experience, since they no longer ask which
| account I want to use, but helpfully pick the first on the
| list. No, they still don't remember which account was already
| being used when clicking the link. And no, switching accounts
| from the top-right icon doesn't keep you on your current page
| but sends you back to the portal homepage.
|
| Then there are other webapps which seem to implement their
| own login flow: they figure your session is expired, but
| don't allow you to switch accounts. The only way to use a
| different account from this flow is to sign out of the
| current one, which, of course, signs you out from everywhere.
| The solution is going to a different site, say myaccount,
| login with the second one, go back to the first site which
| now allows you to choose.
| Spooky23 wrote:
| Authenticator is buggy. When they made it easy to report
| vulnerabilities back in 2016-17, a colleague and I were able
| to pretty trivially compromise the product about 5 times
| during a PoC - and we weren't trying to do so!
|
| The worst one involved hitting cancel 8 times in a certain
| window, which you let you in. Lol
| hypeatei wrote:
| Yeah, DevOps is extremely bad with credential caching and
| refreshes. Sometimes after you elevate privileges, you'll see
| the privileged UI options and then they'll disappear on next
| page load.
| blackeyeblitzar wrote:
| A few years ago Yahoo forced a password reset on old accounts.
| People had to remember the answer to secret questions from many
| years back, instead of the password they could enter correctly.
| And if they couldn't guess the secret question, they were
| simply locked out of their email account. Utter insanity, but
| these types of quirks are everywhere still. Banks have strange
| password rules very often. And they may support only SMS 2FA.
| United Airlines still forces users to enter secret questions
| and answers. Medium has a bizarre "magic link" workflow.
| Etcetera.
| thaumasiotes wrote:
| What's especially terrible about this is that secret
| questions only weaken the security of your account, so
| someone doing the right thing will have provided a random
| answer unrelated to their life.
|
| Years ago, I went through this process with Blizzard:
|
| 1. Blizzard started deactivating my World of Warcraft account
| on the grounds that I hadn't paid my subscription.
|
| 2. I would log in and pay for a subscription, reenabling the
| account.
|
| 3. (Steps 1-2 repeated several times. Blizzard never provided
| any explanation beyond the fact that, in their opinion, my
| payment was invalid, which it wasn't.)
|
| 4. After several rounds, Blizzard disabled the account
| completely, requiring me to contact customer support.
|
| 5. Customer support, for the first time, informed me that the
| reason my payment was viewed as invalid was that the
| preferred payment card on my account was set to a different
| card. The card I was actually using was also listed on my
| account, but it wasn't the preferred card, which made it
| invalid.
|
| 6. Since my account was disabled, I didn't have the option of
| paying with my preferred card. I had to answer my secret
| question.
|
| 7. Since I am not stupid, my secret question didn't have an
| answer. It was a long string of random characters which I
| didn't know. But customer service happily accepted my oral
| answer of "it's gibberish", defeating the purpose of the
| secret question.
|
| So I guess the lesson here is that the correct way to answer
| a secret question is that you need to provide an answer
| which...
|
| (1) Looks like a real answer when customer service looks at
| it, so that they have a better chance of rejecting someone
| who doesn't know the answer; but also
|
| (2) Doesn't belong to the class of answers that would be easy
| for someone to guess, such as a car model when they ask you
| for the model of your first car.
|
| These requirements are incompatible with each other. I don't
| know what secret questions are supposed to be doing. And I
| have to note that my assumption that there was no reason for
| anyone, including myself, to know the answer to my secret
| question would have been completely correct if Blizzard
| hadn't made the decision that using a payment card that was
| already registered to my Blizzard account was a sign of
| fraud.
| gpvos wrote:
| I generate five random words and store them in the comment
| field of my password manager. It ensures they are at least
| pronounceable when asked over the phone.
| thaumasiotes wrote:
| Have you tried providing five different random words and
| seeing whether the person on the other end will take
| them?
| gpvos wrote:
| The chance to do so hasn't occurred yet. Might be
| interesting to try, but it doesn't happen often enough
| and my priorities tend to be different when it does.
|
| I thought up this schema after the last and only time I
| needed to use a secret question over the phone, when I
| read 32 ASCII characters to an Apple employee (which
| didn't work, but then they enabled a skip button for me
| to use).
| amlib wrote:
| You've probably just solved a mystery with my Minecraft
| account. A good while ago it got "hacked" while having a
| strong password (random and unique), plus all security
| answers were filled with gibberish, which I diligently kept
| backed up somewhere. At that time I also hadn't logged in
| for over 2 or more years. Eventually I got it back through
| a proof of purchase process, but I couldn't ever figure out
| why it was taken over. Since no other account got
| compromised, I could reasonably assume my computer wasn't
| either.
|
| So I guess in the end their recovery process was
| susceptible to some good old-fashioned social engineering.
| surfingdino wrote:
| Don't forget "business objectives" i.e. making it work, but be
| incompatible with other authenticators and claim that other
| authenticators are inferior. Classic Microsoft FUD combined
| with low quality of product.
| ahoka wrote:
| "Mandatory password change intervals"
|
| This is against all current commonly applied security
| recommendations (NIST, OWASP).
| kayodelycaon wrote:
| And the rest of the world hasn't gotten the memo. Rotating
| passwords was best practice for so long that every standard
| required it. Those haven't been updated. Until it's
| considered to be actively harmful and you fail audits for it,
| it won't die. :(
| Tostino wrote:
| I had to push back at my company after getting acquired
| multiple times that no, I am not implementing your much
| worse password policies that NIST has argued against for
| years.
|
| All because some 15 year old security document said that's
| what all their products adhere to.
| sgbeal wrote:
| > So many data breaches, information disclosures, they are in
| the news almost daily.
|
| #YesterdayILearned the highly-appropriate phrase "breach
| fatigue."
| mejthemage wrote:
| Those rules sound more like they were developed by admins that
| don't know proper security and so they add complicated rules to
| feel like they are improving security.
|
| The only password rule that needs to exist is "use something
| you've never used before". That really does make it difficult
| for most users though.
| laserbeam wrote:
| My bank password is 5 digits + MFA. I am FORCED to have it 5
| digits. I can't use any other type of passwords with them.
| 8organicbits wrote:
| That has some nice attributes though. Five digits should be
| quite easy to memorize, avoiding written down passwords. Most
| phone PINS are four digits, so you avoid phone PIN reuse.
| Realistically, the second factor is providing the bulk of the
| security. If that's a typical six digit TOTP, and they
| validate the PIN and TOTP together then an attacker has a one
| in one hundred billion chance of guessing correctly (10^5 +
| 10^6). Add in rate limiting by account and IP address,
| account locking, and other tools and that's extremely secure.
|
| You COULD have a longer password, but the extra entropy is
| probably excessive. It probably increases the chance of
| password reuse problems, so pragmatically it may be worse.
|
| I wouldn't recommend this approach in general, however.
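The joint check the comment above describes, as an added example in Python that is not code from the commenter or from any bank: a 5-digit PIN and an RFC 6238 TOTP are verified in one step, so a failed guess reveals nothing about which factor was wrong and each attempt faces the full 10^5 * 10^6 = 10^11 search space, and a per-account failure counter locks the account after a fixed number of misses. The PIN, the secret, the MAX_FAILURES value and the Account class are illustrative assumptions; the TOTP routine follows the RFC's HMAC-SHA1 construction and reproduces the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30      # seconds per code, as in the RFC and most authenticator apps
TOTP_DIGITS = 6
MAX_FAILURES = 5    # assumed lockout threshold for the illustration


def totp(secret_b32: str, for_time: int, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Minimal per-account state: PIN, TOTP secret and lockout bookkeeping (assumed)."""

    def __init__(self, pin: str, secret_b32: str) -> None:
        self.pin = pin
        self.secret_b32 = secret_b32
        self.failures = 0
        self.locked = False


def verify_login(acct: Account, pin: str, code: str, now: int) -> bool:
    """Check PIN and TOTP together; a wrong PIN with a right code (or vice
    versa) counts as one failure and gets the same answer as both being wrong."""
    if acct.locked:
        return False
    # Accept the current step and one either side to tolerate clock drift.
    expected = [totp(acct.secret_b32, now + d * TOTP_STEP) for d in (-1, 0, 1)]
    # Both comparisons are always evaluated, in constant time, before deciding.
    pin_ok = hmac.compare_digest(pin.encode("utf-8"), acct.pin.encode("utf-8"))
    code_ok = any(hmac.compare_digest(code.encode("utf-8"), e.encode("utf-8"))
                  for e in expected)
    if pin_ok and code_ok:
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890" in base32).
    acct = Account("31337", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(verify_login(acct, "31337", totp(acct.secret_b32, 59), 59))
    print(verify_login(acct, "31337", "000000", 59))
```

The lockout here is per account; the comment's other mitigations (rate limiting by IP, and so on) sit in front of this function and are not shown.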
| DaSHacka wrote:
| USAA?
|
| If not, do they also do the weird Symantec codes that're
| literally vanilla TOTP under the hood[0] but wants you to be
| locked in to a proprietary app instead?
|
| [0] https://locima.com/2019/06/01/replacing-symantec-vip-
| with-a-...
| buro9 wrote:
| Yesterday I had a good example of this.
|
| Website: "Please choose a complex password of at least 8
| characters including special characters and numbers"
|
| Me: Fires up the password manager, generates a 128 character
| random password, feels smug.
|
| Website on next visit: "Please enter the characters in the 31,
| 98, 102 position from your password"
|
| Me: WTAF
|
| Context: Mortgage website in the UK
|
| Edit: It's now dawned on me that they're storing this plain
| text so that they can do this... or at least encrypting rather
| than hashing, meaning that they can always decrypt the
| password.
| thedanbob wrote:
| Maybe we need a corollary to "don't roll your own crypto":
| "don't roll your own password scheme".
| lazide wrote:
| So what is the 'standard' then that doesn't suck?
| Morpholemew wrote:
| https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
|
| Basically, 8 characters or more, but prevent the user
| from picking a password that appears on any of the leaked
| password lists. Store in pbkdf2 or better; use argon2id
| per https://cheatsheetseries.owasp.org/cheatsheets/Passwo
| rd_Stor...
|
| That's it. Simple. No mandatory symbols. No mandatory
| changes after a period of time. A password strength
| estimation meter is optional.
|
| If it needs to be more secure, I might require more
| minimum characters, but no other restrictions.
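As an added example that is not from the comment above or from any of the sites discussed, the following Python implements exactly that policy: a minimum length, a generous maximum so long passphrases are never silently truncated, a check against a breached-password list, and PBKDF2-HMAC-SHA256 storage with a per-user random salt and constant-time verification. The breached list is a constructed four-entry stand-in for a real corpus such as Pwned Passwords, and the 600,000 iteration count is the OWASP cheat sheet's figure for PBKDF2-HMAC-SHA256; argon2id, which the comment also recommends, needs a third-party package and is left out so this runs on the standard library alone.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed stand-in for a breached-password corpus (e.g. Pwned Passwords),
# kept as upper-case SHA-1 hex so no cleartext list lives in the code.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456789", "Mypassword69!", "qwertyuiop")
}

MIN_LENGTH = 8               # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 128             # cap high enough that passphrases are never truncated
PBKDF2_ITERATIONS = 600_000  # OWASP figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Deliberately no composition rules (digits, symbols, case) and no rotation:
    length plus the breach-list check is the whole policy.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash and pack algorithm, cost, salt and
    digest into one string, so the cost can be raised later per record."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time; any malformed record simply fails to verify."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ("Mypassword69!", "correct horse battery staple"):
        print(candidate, "->", check_policy(candidate) or "ok")
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))
```

In production the SHA-1 lookup would go to the Pwned Passwords range API by 5-character prefix rather than to a local set, so the server never sends the full hash anywhere.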
| lazide wrote:
| Ah, yet another standard. How many years do you think
| before it's obsolete?
|
| Also, the 'no previously leaked passwords' are gonna piss
| off a _lot_ of customers.
| smrq wrote:
| I think you just picked up the goalposts and brought them
| home with you. Why ask for a standard in the first place?
| lazide wrote:
| Because this is what, the third NIST standard on it?
| kevin_thibedeau wrote:
| 8 chars is not sufficient. The Hive strength estimates
| switched to Bcrypt this year but there are still weak
| systems out there and you should set passwords assuming
| MD5 which currently demands at least 12 chars for typical
| users.
| compootr wrote:
| What's your opinion on zxcvbn[0]?
|
| It dynamically analyzes a password's cracking time,
| score, and gives feedback based on the password. imo it's
| a pretty good ux if used right
|
| [0]: https://github.com/dropbox/zxcvbn
| lynndotpy wrote:
| Misused, zxcvbn offers its own security issues.
|
| First, it's not either-or. You can match against zxcvbn
| strength _and_ some passwordlist.
|
| Second, think of the output of zxcvbn as a very weak hash
| with a low collision rate. E.g. 'correct-battery-horse-
| staple' maps to an estimated 213811968952000000000
| guesses. In addition to being potentially algorithmically
| reversible, attackers can simply perform an offline
| attack _against the value 213811968952000000000_. So,
| this metric should never be exposed (e.g. in log files,
| on screen, etc.)
|
| Third, having the estimated entropy helps a lot when
| password cracking. If you have the password hash digest
| _and_ the zxcvbn metrics, then it makes the cracker's
| job much easier by reducing the search space. (Think,
| going from checking each molecule of an apple to checking
| only each molecule on the peel of an apple.)
|
| Further, it's not perfect. The zxcvbn library I used
| suggests 'correct-battery-horse-staple' is a very strong
| password!
| maratc wrote:
| It indeed is. The _bad_ password you're thinking of is
| "correct-horse-battery-staple".
| xyst wrote:
| Better yet, don't use passwords at all. I'm personally fond
| of the magic link sent to email method of authN
| monooso wrote:
| I'm the opposite. I deliberately avoid checking my email
| outside of predefined times, and hate it when a website
| assumes that everyone is happily living in their inbox.
| Seanambers wrote:
| Ran into the same thing with Santander Bank in Poland. I have
| been online since the 90s never seen that password scheme
| ever anyplace else. It's like who comes up with this insane
| shit.
| deepsquirrelnet wrote:
| Until recently, treasurydirect made you login using your
| mouse by pressing a keyboard laid out on a screen. This is a
| government website in the US for buying treasury bonds.
|
| I didn't know this when I made my account and fired up
| keepass per usual to create a massive random password. It
| takes me nearly 5 minutes of carefully pressing buttons on
| the screen and trying to keep my location in the password
| (you can't see what you entered) just to get in.
| salil999 wrote:
| I got around this by just editing the HTML. Worked like a
| charm
| ericd wrote:
| Yeah, you could just delete "readonly" from the input,
| then try the password manager autofill again. Thankfully
| no longer necessary.
| Someone1234 wrote:
| Also demonstrates how pointless that theater was.
|
| A lot of GOOD malware doesn't "sniff keys" because that
| gives them random stream of garbage that has little
| value. No human is going to sit there and hand-decipher
| that garbage. Instead, they either inject browser
| extensions, intercept at the Win32 layer, or intercept
| the HTTP traffic upstream of the browser giving them the
| raw form-fields with URL which can be packaged and sold.
|
| So all TreasuryDirect was doing, when they were doing
| this, was inconveniencing real people while the malware
| didn't even notice. Utterly insane. Glad someone had them
| quit it.
| Intralexical wrote:
| These days I'd be scared that fails some biometric
| spyware and gets your entire account instantly
| banned+deleted with no recourse.
| qingcharles wrote:
| I found some sites recently that have big ASCII banners
| in the console log when you open devtools telling you to
| stop being naughty.
| mwexler wrote:
| Both of these reflect a security approach from early 2010s
| when keyboard sniffing was the worry-of-the-week. The idea
| was that even with all keystrokes intercepted, the full pw
| was never sent via keypresses.
|
| One of my pals around that time turned on accessibility
| features like onscreen keyboards and diligently never typed
| a password. In a shell, a site, whatever.
|
| It's unfortunate that these sites (Treasury and UK
| mortgage) were built around this time, but also shows that
| with all the progress with tech, security is still glacial
| in places. And like all tech, we get stuck with trends for
| a while (like skeuomorphism in ux design).
| PKop wrote:
| You could open dev tools and modify the input then pasting
| worked.
| christophilus wrote:
| Incidentally, you could find the hidden input in developer
| tools, and just type your password there like a normal
| person. But yeah. That site is so bad that I never bought
| more ibonds even though they were a great deal.
| Intralexical wrote:
| That's kinda hilarious though.
|
| Also a nice example of when security through obscurity is
| harmful. "If we show a _picture_ of a keyboard instead of
| taking text input, that'll stop the hackers!"
| kevin_nisbet wrote:
| That's a good one. One of my personal favorites was a device
| that truncated long passwords in the set password function.
| Didn't take too long to figure out what happened but I was
| worried for a moment I wouldn't be able to unbrick that
| device.
| xyst wrote:
| > "Please enter the characters in the 31, 98, 102
| position..."
|
| I think this is a "the password game" requirement.
| 8gt786gv87g wrote:
| Engineers typically do not understand people very well as a
| baseline. I think engineering attracts the type of people who
| struggle with social behavior. You can't make it work unless
| you filter those engineers out and companies do not hire
| engineers to understand the customer anyways.
|
| companies hire data science to ascertain human behavior, but
| this is not understanding the customer. if you want to improve
| your products and actually understand the customer then start
| giving your customer service or customer experience departments
| a financial boost instead of treating them like the bottom
| feeders of the entire company.
|
| > I often wonder how they get away with it all.
|
| Unregulated industry + no union. Tech workers practically beg
| to be exploited.
| indymike wrote:
| Complexity is the enemy of both security and usability. I had a
| day last week where I had to authenticate 28 times to different
| services due to forced re-auths. No security benefit. None. It
| cost me 2-3 hours of my life. The IT team needs to realize
| their security is costing our company 4 _102_ avg_hourly_pay*26
| for this. That's a lot of money for zero benefit.
| mirekrusin wrote:
| Something tells me those kind of mistakes are not done "by
| engineers" / "by developers" - who rarely have any saying at
| all and if they do they are ignored more often than not - more
| likely that's incompetent pseudo-architects and/or product
| owners/managers.
| bgro wrote:
| I've been reporting major problems nonstop for the past like 20
| years. It usually takes me less than 5 minutes when I first
| learn of some new security feature to find a problem with it.
| Most of that 5 minutes is physically writing my email to
| security highlighting major oversights. I don't know how these
| people get jobs and gatekeep me out of both hiring or my
| scientifically accurate and backed feedback for not passing the
| buzzfeed security quizzes for certifications. I'm otherwise a
| full stack software engineer.
|
| Even my simple requests like not auto flagging emails from
| confirmed and fully validated Microsoft services gets denied
| because it's "too hard" so everything except internal users and
| random whitelisted services like github and azure AWS is
| instead flagged as suspicious, causing alertness fatigue.
|
| I've reported major logic problems to many major companies and
| usually the only response I get is an indirect followup email
| through HR or some other non technical people sent to the
| entire distribution list as a followup saying how it's
| technically better than what was there before (it's
| scientifically and mathematically not) and that we just need to
| do it.
|
| I never get recognized or win bug bounties because there's
| always some loophole where I didn't actually help them and they
| just magically fixed the long standing issue by coincidence
| after I reported it.
|
| Most recently, I discovered a "feature" with Microsoft OAuth
| that has a severe flaw and could essentially shut down all MS
| OAuth functionality, and all consequences branching from that.
| Still no response.
|
| I'm not even trying to find these. They just keep getting in my
| way of trying to do work.
|
| For example, I have to authenticate up to FIVE times per
| authentication, per authentication --- Auth syncing can be slow
| leading to multiple auth requests that would otherwise only
| need a single one to propagate.
|
| 5 authentications * 5 programs needing individual (slow-sync)
| auth = 25 authentications I have to already pass to be able to
| start standup or pass in order to un-hard-freeze my live demo
| to potentially hundreds of engineers.
|
| Imagine driving your car, and the steering wheel locks when it
| loses internet connection (like in a tunnel or just randomly)
| or because the re-auth period has passed. Security devs don't
| want to full stop the car because they'll get yelled at, so
| just lock steering so they can't steer home.
|
| Well now if you're on a highway, that's pretty stressful and
| dangerous. But it's like they are just salting the wound by
| adding a series of glitchy minigames where you have to first
| read all the spammy popup dialogs, and then solve a Baldi's
| Basics math puzzle, and then rotate a ball to not be upside
| down (?) and then manually match a missile launch code.
| danparsonson wrote:
| My favourite recent example was an app that made me create an
| account, and allowed me to provide a 24 character password,
| which then sent me a validation email requiring a login on
| their website, where a 20 character password limit was in
| force.
| jollofricepeas wrote:
| I actually blame the auditors.
|
| In the case of password construction and complexity, we've
| learned that rotation and complexity leads to worse password
| practices.
|
| https://pages.nist.gov/800-63-3/sp800-63b.html
|
| However many large companies do not adhere to the latest NIST
| guidance (which is many years old by now).
|
| This is why password complexity and rotation is still so nuts.
| worble wrote:
| This boggles my brain on so many levels - are you telling me
| Microsoft Authenticator only stores the entry based on label? It
| doesn't generate an internal key or anything? And then they claim
| that the issue is websites not putting the issuer in the label,
| but in the issuer field, where it belongs?
|
| Is no-one at Microsoft actually using their own Authenticator?
| Unless I'm missing something, this would make it nearly unusable
| for almost all applications - as soon as you've used your email
| for one site you wouldn't be able to add it for any others?
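An added example of the keying question worble raises, in Python and not code from Microsoft or from the article: the otpauth:// enrolment URI that QR codes carry puts the issuer either as a prefix of the label ("Issuer:account"), in the issuer= query parameter, or both. A store keyed on the account part of the label alone overwrites an earlier entry whenever a second site enrols the same e-mail address, while a store that mints its own opaque id per enrolment keeps both. The two store classes and the sample URIs (including their secrets) are constructed for the illustration; preferring the issuer= parameter over the label prefix when both are present is an assumption.

```python
import uuid
from typing import Dict, Tuple
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> Tuple[str, str, str]:
    """Split an otpauth://totp/ URI into (issuer, account, base32 secret).

    The issuer may be an "Issuer:" label prefix, the issuer= parameter, or
    both; here the parameter wins when present (assumption: they should agree).
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")   # no colon -> empty issuer
    params = parse_qs(parts.query)
    issuer = params.get("issuer", [label_issuer])[0]
    secret = params["secret"][0]
    return issuer.strip(), account.strip(), secret


class LabelKeyedStore:
    """Mimics an app that keys each entry on the account part of the label.
    A second enrolment for the same account silently replaces the first."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[str, str]] = {}

    def add(self, uri: str) -> str:
        issuer, account, secret = parse_otpauth(uri)
        self.entries[account] = (issuer, secret)      # collision point
        return account


class IdKeyedStore:
    """Keys each enrolment on a freshly minted opaque id; issuer and account
    are display metadata only, so identical labels never collide."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[str, str, str]] = {}

    def add(self, uri: str) -> str:
        issuer, account, secret = parse_otpauth(uri)
        entry_id = uuid.uuid4().hex
        self.entries[entry_id] = (issuer, account, secret)
        return entry_id


# Constructed enrolment URIs: two sites, the same e-mail, issuer only in the parameter.
SITE_A = "otpauth://totp/alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=SiteA"
SITE_B = "otpauth://totp/alice%40example.com?secret=GEZDGNBVGY3TQOJQ&issuer=SiteB"


def demo() -> Tuple[int, int]:
    """Enrol both URIs in each store and return the resulting entry counts."""
    naive, robust = LabelKeyedStore(), IdKeyedStore()
    for uri in (SITE_A, SITE_B):
        naive.add(uri)
        robust.add(uri)
    return len(naive.entries), len(robust.entries)


if __name__ == "__main__":
    print(demo())   # the label-keyed store has lost SiteA's secret entirely
```

The overwrite is silent in the label-keyed store: nothing tells the user that SiteA's secret is gone until the next login there fails, which is the lockout the article describes.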
| SoftTalker wrote:
| From the article: "Microsoft hasn't bothered to fix it because
| Microsoft Authenticator is a free product and therefore doesn't
| generate revenue."
| lostlogin wrote:
| It's actually worse than that. Given the opportunity to
| escape, I'm sure many would pay to be allowed to do so.
|
| Entering multi factor hell just to get into Teams is
| something I'd happily pay to avoid.
| tialaramex wrote:
| Assuming you use Microsoft Entra ("Azure Active Directory"
| as was), get your employer to enable the "preview" support
| for Security Keys. Why is it off by default? Well it's
| actually secure, and it would never do to provide a feature
| out of the box that actually works without lots of fiddling
| about, this is Microsoft, the consultant's friend.
|
| These seem to be relatively current instructions:
| https://learn.microsoft.com/en-
| us/entra/identity/authenticat...
|
| Having found a friendly sysadmin to do this, ask them to
| specifically _not_ "Enforce key restrictions" which in
| theory could let your employer require employees to use a
| specific issued authenticator credential - are they going
| to buy every employee an authenticator from a named brand?
| No? Then this must not be switched on, easy.
|
| Once this feature is enabled for you (you may be able to
| get them to switch it on for the whole org, or maybe for IT
| or whatever department you work in) you should be able to
| enrol a new Security Key the same way you'd add other MFA.
|
| So why go to all this bother? Because you can buy a
| Security Key that works how you want, a physical piece of
| hardware you own and can re-use - if you buy say the Yubico
| Security Key 2 in USB A, that goes in your USB A port on
| the laptop or dock and it just stays there. Its job is to
| be "Something you have" and the "Something you know" will
| be a PIN of your choosing (it literally doesn't leave your
| device, so corporate can't decide it should be the Password
| Game on steroids)
|
| No need for a phone or other unrelated device, no opening
| fiddly apps, no transcribing codes, you type your PIN and
| touch the sensor. If a PIN is too much, some pricier
| options take fingerprints, so then you just touch the
| sensor (with the correct finger)
| technion wrote:
| Security keys don't work with android phones when you
| want to logon to m365 email. This is a showstopper for a
| lot of people.
| fragmede wrote:
| I moved the usb-c yubikey in my laptop to my Android
| phone and was able to login to my m365
| calendar/mail/teams there, so it does work, as long as IT
| supports it.
| lostlogin wrote:
| Thank you.
| userbinator wrote:
| Or enable the option to use any standard TOTP
| authenticator.
| franga2000 wrote:
| > goes in your USB A port on the laptop or dock and it
| just stays there
|
| If it's always there, then why isn't it just a file on
| the disk? Why should I need to buy a new piece of
| hardware and permanently sacrifice one of my USB ports.
| Client certs have been the "something you own" for
| decades and the main problem with them was that using
| them didn't involve any JavaScript, which is blasphemy in
| modern web dev and so they were killed (with the help of
| EU bureaucrats). And now that basically every computer
| has a TPM, you can even satisfy the "not extractable"
| requirement, which was the only actual advantage of a
| yubikey.
| fragmede wrote:
| That's what passkeys are.
| vel0city wrote:
| > why isn't it just a file on the disk?
|
| Because if done properly it can't be trivially cloned.
| mihaaly wrote:
| Hermione Granger would say: What an idiot!
|
| Only almost all of, and an increasing number of, their revenue-
| producing products depend on this being reliable, or at least on
| having no bad reputation for being unreliable. As the reputation is
| what many corporate balloonheads only care about. Still, they hurt
| that too in their incompetent beancounter single-mindedness.
| marcosdumay wrote:
| > Is no-one at Microsoft actually using their own
| Authenticator?
|
| At most, I'd expect people to only use it for work, where
| Microsoft is the only issuer.
|
| I also expect lots and lots of people to not use it.
| tzs wrote:
| > Unless I'm missing something, this would make it nearly
| unusable for almost all applications - as soon as you've used
| your email for one site you wouldn't be able to add it for any
| others?
|
| Yeah, something is not making sense here. I've got multiple
| accounts with the same email and just compared the codes from
| Authenticator, which is my backup TOTP app, with the correct
| codes and Authenticator agreed.
|
| I did find a UI problem that could lead to a user getting the
| wrong code. When the first few accounts are on the screen and
| it is time to refresh the codes the ones on screen refresh
| every 30 seconds.
|
| The ones offscreen do not. When I scroll to bring offscreen
| codes into view they show an older code. In one case the code
| that scrolled in was 4 codes behind the correct code.
| Mathnerd314 wrote:
| I've scanned two Facebook codes in sequence, the second
| Facebook code overwrote the first. Maybe that is the issue.
| alienchow wrote:
| Along the same grain, Google, the search powerhouse, releases
| Google Authenticator with no search bar in the Android version.
| And continues to wilfully not include one despite multiple
| feature requests.
|
| Yet there's a search bar in the iOS version. Just why?
|
| I'm willing to bet that in that gigantic Piper repo, there's
| already a local search library that they could just drop in in
| a single CL. But that's not LLM.
| whartung wrote:
| When I bought a new phone and moved all my stuff over from a
| backup of my original phone, apparently the Google
| Authenticator doesn't back something up.
|
| When I launched GA all of my 2FA data was gone.
|
| Thankfully I had my backup codes. And I could also still use
| the old one on the old phone. But the nightmare potential is
| quite high.
| Cyykratahk wrote:
| For a long time GA had no method to back up or extract the
| data. It also excluded itself from ADB backups. One had to
| root their phone to extract the data.
| remolueoend wrote:
| Aegis [1] seems to be a great alternative, at least on
| Android. Besides a search bar, it allows you to backup or
| export all your entries in an encrypted vault. You can also
| include them in the Android cloud backups.
|
| [1] https://github.com/beemdevelopment/Aegis
| ClassyJacket wrote:
| Google authenticator is absolutely horrible. Until recently
| there was just no way to back it up, at all. If you were
| getting rid of your phone, well, tough shit.
| alienchow wrote:
| You just need to export it using QR codes. My keys were
| paginated into 11 QR codes when transferring devices.
|
| They now have cloud sync, which I don't really think is a
| good idea. But it solves your problem of migrating
| devices. However I've already moved on to Aegis, because
| I'm done fling scrolling through my Mahabharata of TOTPs
| to find the correct account.
| josteink wrote:
| > apparently the Google Authenticator doesn't back
| something up.
|
| This is widely known and IMO a very good argument to use a
| different TOTP/2FA app than Google Authenticator. There's
| plenty out there.
|
| Personally I use Bitwarden pro, which lets you add TOTP
| keys directly to the account you're using it for,
| integrating it into the login-process. Very smooth.
|
| And it sync/backs up across all my devices.
| felipelemos wrote:
| One could say you shouldn't store the 2FA along with your
| password.
| smitelli wrote:
| Not the parent, but I look at it this way...
|
| Something I have: the database file.
|
| Something I know: the master password to that file.
|
| I figure the spirit of the advice is preserved for the
| most part. (Doesn't keep me awake at night, anyway.)
| numpad0 wrote:
| But 2FA on a phone had been awkwardly okay. Could be
| because it's just too silly that adversaries can't take
| it seriously, but it's been okay.
| beng-nl wrote:
| Yes, I was shocked by this too moving phones many years
| ago. I'm surprised things haven't improved. I switched to
| 1Password for this reason; it backs up the 2FA seeds, and I
| only use it for storing the 2FA seeds, and when I need to
| use it, I copy-paste the numbers, and I don't use it for
| passwords, retaining most of the 2FA factor separation.
| Switching phones worked (after entering my login, pw, and
| long master key in the new 1P install).
|
| (My passwords are copy pasted from somewhere else, so
| admittedly not 2 different factors, but at least 2
| independent ones.)
|
| So in short, even though I probably use 1% of the 1P
| functionality, I can recommend 1P for replacing GA.
| martinsnow wrote:
| Googlers don't use Android
| mihaaly wrote:
| They likely use it for one account only, their MS account at work,
| where it is forced, but not elsewhere because they know it
| sucks.
| magicalhippo wrote:
| I've been using Microsoft's one for my work accounts because,
| well, we're elbow deep into Office365 so why not.
|
| I've never gotten that dialog, and have not had any issues with
| the accounts I've added. Since they're my work accounts, 99% of
| them share my work email as account name.
|
| So does that mean I've just been lucky, in that the sites I've
| signed with have provided a sufficiently unique label? I feel I
| didn't fully get what the issue is.
| muststopmyths wrote:
| Same. 3 personal accounts use the same email address. Two of
| them are FAANG and it all seems to be fine (for going on a decade)
| prng2021 wrote:
| Seems like the bug is specific to the iOS app when scanning QR
| codes.
| magicalhippo wrote:
| Ah, using Android so I guess that's why. Weird though, given
| that Microsoft claims it's an intentional feature. Why
| wouldn't a feature like that be implemented in both
| platforms?
|
| Even though it might be a dumb feature as seen from the users
| POV, it seems sufficiently special that it's something that I
| would assume one would want to have feature parity on.
| mattmaroon wrote:
| I've been using MS Authenticator for a long time, mainly on
| iOS and I've never experienced this bug.
| trustinmenowpls wrote:
| That's me (iOS scan the QR code) and I've never encountered
| the bug either.
| mihaaly wrote:
| I wanted to use a hardware key as 2FA but naturally not all
| systems support it or not well enough (maximum of 1 key to
| register, are you f serious!!?), then had to choose something
| because tick tock, this is not something that brings in bread
| to the family just a f nuisance to dig myself into what is out
| there and how good they are, just to be able to log in, what
| the hell, MS was mandated in a previous place, let's go for it,
| I wasted too much time already by trying to use my online
| accounts, not using it for meaningful work while playing with
| this sh around.
|
| The whole online identification is seriously unreliable and
| full of big holes, and much bigger risks, yet we build our
| whole life on top of it. Still using passwords after decades
| (Yes. Decades!) of serious harm caused by insecurities with it,
| and trying to patch with plasters or just some paint?! We are
| so damn stupid, almost no week goes by without some online
| system giving away serious bits or complete sets of personal
| details of the masses easy to abuse and we just sit in the
| middle of the burning room like the coffee sipping doggy with
| that stupid hat and smile in the meme 'this is fine, this is
| fine'. Let's choose some longer than 8 character password,
| different for all systems just to be safe, we are going to be
| fine, we are going to be fine.
| breadwinner wrote:
| This happened to me when I updated MS Authenticator after not
| updating it for a while. It wiped out all data, and I got locked
| out of all accounts. MS Authenticator is not a carefully written
| product.
| napsterbr wrote:
| Something similar happened to me about a year ago when the Google
| Authenticator app automatically updated to a new version. I lost
| all my accounts in the update process. Definitely learned a few
| lessons there.
| xandrius wrote:
| This nightmare is why I always backup MFA QR codes and use
| those to add them to an open source app which lets me back up
| the data elsewhere too.
|
| Sorry to hear that!
| SoftTalker wrote:
| Yep, any time I use an authenticator with an account I
| generate "backup codes" and keep them in my password manager.
| This saved me when I got a new phone and for some reason my
| Google Authenticator did not transfer to the new phone
| properly.
| lostlogin wrote:
| > Google Authenticator did not transfer to the new phone
| properly.
|
| This seems to be my normal experience with a new phone for
| MFA apps. I'm doing something wrong. That and setting up
| email are so dreaded that I hold off updating.
| knallfrosch wrote:
| Switching from Android to iOS for a phone, I found that
| Microsoft Authenticator officially doesn't support this.
| You can't backup, you can't transfer. Everything is lost,
| please start anew.
| mook wrote:
| I think they finally managed that last year, but only by
| syncing to your Google account:
| https://security.googleblog.com/2023/04/google-
| authenticator...
|
| ... Yeah I'm not sure that's very good for a 2FA app
| either. Offline backups feel better for me. I use something
| else for 2FA.
| alchemist1e9 wrote:
| I'd be interested to hear details on that. I've been thinking
| of printing QR codes as backups.
| xandrius wrote:
| For crucial stuff, I take photos first and store them on my
| own nextcloud (with its own replication) and also copy them
| on a physical device. And my Android authenticator (andOTP)
| allows me to export encrypted backups (with password saved
| on password manager, ofc), which I then save on Dropbox.
|
| If it's a MFA I actually don't care much about (security-
| wise), I simply save the token on bitwarden so it
| autocompletes for me (it defeats most of the main point of
| "multi" FA but I don't care about it to begin with).
|
| Printing is not a bad idea, especially for backup, if you
| put them in a fire-proof safe or something. Make sure to
| give each a name to know which service they are for.
| qingcharles wrote:
| I put my TOTPs in Google and Microsoft authenticators for
| double-redundancy. On two separate handsets. Then I have
| someone else I trust implicitly scan the QRs too and have
| them on _their_ phone.
|
| I've been burned too many times.
| issafram wrote:
| ymmv, but I've never had this issue.
| chaz6 wrote:
| When asked to set up TOTP, the first thing I do is scan the QR
| code with a QR code reader, and save the secret into my password
| manager, before adding it to my authenticator app.
| gleenn wrote:
| Does this actually work? I thought most TOTP codes were single
| use. Have you actually tried re-using them?
| Rychard wrote:
| The initial QR code isn't a TOTP code, it contains the secret
| used to generate the TOTP codes.
| userbinator wrote:
| The QR code contains the TOTP key, which is the seed that's
| used to generate the codes, which form a time-based
| pseudorandom sequence.
| smitelli wrote:
| You can absolutely scan the QR code with multiple
| authenticator apps (or copy paste the seed value into them)
| and they will all produce the same codes in the same order
| going forward.
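Added example, not code from the article, from Microsoft or from any commenter: what an otpauth:// QR payload actually carries and what an authenticator does with it. It illustrates the point above (the QR is the TOTP seed, so any number of apps fed the same QR produce the same codes) and the same-username overwrite that the rest of the thread is about (an app that keys its account list on the account name alone replaces the first service with the second; keyed on issuer plus account, both coexist). The otpauth URI layout is the Google Authenticator key-URI convention; the code arithmetic is RFC 6238 TOTP over RFC 4226 HOTP. The two sample URIs, the service names SiteA/SiteB and the address alice@example.com are constructed for the demo. Standard library only.

```python
"""otpauth:// parsing, TOTP generation, and an account store keyed two ways."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Extract issuer, account, raw key bytes and parameters from an otpauth URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    label = unquote(parts.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # Label is "Issuer:account" or just "account"; an explicit issuer= parameter wins.
    label_issuer, _, account = label.rpartition(":")
    issuer = params.get("issuer", label_issuer.strip())
    secret = params["secret"].strip().upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # QR payloads usually drop base32 padding
    return {
        "issuer": issuer,
        "account": account.strip(),
        "key": base64.b32decode(secret, casefold=True),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // period, digits)


class AuthenticatorStore:
    """Toy account list. key_on_issuer=True keys entries on (issuer, account);
    False keys on the account name alone, which is the overwrite failure mode."""

    def __init__(self, key_on_issuer: bool = True):
        self.key_on_issuer = key_on_issuer
        self.entries = {}

    def add_from_qr(self, uri: str):
        entry = parse_otpauth(uri)
        key = (entry["issuer"], entry["account"]) if self.key_on_issuer else entry["account"]
        self.entries[key] = entry  # silently replaces an existing entry with the same key
        return key

    def codes(self, at: int) -> dict:
        return {k: totp(e["key"], at, e["period"], e["digits"]) for k, e in self.entries.items()}


# Constructed sample QR payloads (not real accounts): two services, one e-mail.
# SiteA's seed is the RFC 6238 test key "12345678901234567890" in base32.
QR_SITE_A = ("otpauth://totp/SiteA:alice%40example.com"
             "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=SiteA")
QR_SITE_B = ("otpauth://totp/SiteB:alice%40example.com"
             "?secret=JBSWY3DPEHPK3PXP&issuer=SiteB&digits=6&period=30")

if __name__ == "__main__":
    now = int(time.time())
    phone = AuthenticatorStore()
    backup = AuthenticatorStore()  # a second app, or a password manager's TOTP field
    for uri in (QR_SITE_A, QR_SITE_B):
        phone.add_from_qr(uri)
        backup.add_from_qr(uri)
    # Same seed and same clock give the same codes: the QR is a key, not a one-time code.
    assert phone.codes(now) == backup.codes(now)
    print("two apps, same seeds, same codes:", phone.codes(now))

    buggy = AuthenticatorStore(key_on_issuer=False)
    for uri in (QR_SITE_A, QR_SITE_B):
        buggy.add_from_qr(uri)
    print("keyed on e-mail only, SiteA was replaced by:", buggy.entries["alice@example.com"]["issuer"])
```

Saving the secret parameter (or the whole URI) in a password manager before scanning it, as suggested above, works precisely because everything the app needs is in that string; the trade-off is that the manager then holds both factors.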
| sleepycatgirl wrote:
| Oh, that's actually really nice, I should start doing the same
| thing myself
| esafak wrote:
| 1password lets you see it after you've saved it too.
| n8henrie wrote:
| As does Bitwarden (just "edit" and it is revealed)
| Nextgrid wrote:
| However, this does reduce the separation of factors, if that
| password manager is the same one containing your actual
| password.
|
| Depending on your threat model this may be an issue.
| NotACracker wrote:
| I've just made a test: multiple accounts using the same
| account/email and there is no conflict.
|
| I even have a matching icon of the issuer for each entry; the
| issuer is registered for each entry.
|
| I am using the MS Authenticator for years and I've never had any
| problem of that sort, and of course, I am always using the same
| email as my account/username.
|
| Anyway, I'm just putting the result of my test. It's not like
| this is going to change your mind about the authenticator or
| Microsoft itself here...
| 3np wrote:
| Which platform? Supposedly the issue ("feature") is specific to
| the iOS version?
| NotACracker wrote:
| Android
| CatWChainsaw wrote:
| A whole different type of "too big to fail", and a great
| demonstration of why putting the keys to your kingdom in
| Microsoft's/Google's/Apple's hands is a stupid idea.
| halfcat wrote:
| Is AWS any better, or what's the solution? Most businesses
| aren't technical and don't need to be in the
| authentication/security business.
| CatWChainsaw wrote:
| Greetings fellow feline, I am a microbiologist not IT. In
| that capacity, the only general suggestion is to have
| redundant authentication measures that cannot all be crippled
| by one source like this. I can't imagine it's popular, or
| easy, for a company to want to be able to use multiple
| authentication schemes, but this sort of situation shows why
| lock-in is a bad idea.
| ReptileMan wrote:
| And keepass keeps complete history since the file was created.
| Someone was really sloppy in Microsoft in the design phase.
| motohagiography wrote:
| some security products seem like they are designed to discredit
| security as a field. imo the market is just at the point of
| backlash against the decadent stupidity in that cost centre. if
| you are going to humiliate people by making them jump through
| hoops 10x a day with context switching 2FA tokens and make
| serious people with educations and responsibilities use words
| like "smishing," you better be sure that hoop is the finest
| example of engineering _anywhere_. the solution has become the
| problem. I'm calling the peak.
| jokethrowaway wrote:
| Are we again in a Microsoft 2000 phase? It seems like everything
| Microsoft is broken these days.
|
| GitHub barely works after the acquisition. Azure is a joke. Teams
| is the bane of my existence. Outlook is the second one.
|
| Do they need to ask harder leetcoding problems during the
| interviews?
| FridgeSeal wrote:
| Are they actually capable of releasing _anything_ good?
|
| I guess C# isn't horrible? It's far from a language I want to
| use, but it's not teams level of atrocious, so they've got that
| going for them I guess.
|
| VSCode is pretty good, but not good enough to stop me migrating
| off the second a more viable editor arrived.
|
| Word and office have degraded into a "doesn't aggressively
| fail" sort of scenario, so they're not "good" they're just
| incumbent.
| elmo2you wrote:
| > VSCode is pretty good, but not good enough to stop me
| migrating off the second a more viable editor arrived.
|
| If you're interested, there is VSCodium (VSCode without the
| Microsoft/proprietary parts). There's also Theia, if you want
| to take things a step further away from Microsoft.
|
| > I guess C# isn't horrible? It's far from a language I want
| to use, but it's not teams level of atrocious, so they've got
| that going for them I guess.
|
| No clue if this is true for other companies, but I know a
| company that does big outsourcing projects and most of them in
| C#/.NET and Angular. I've seen plenty of that code. My
| impression was/is that most of the C# code was extremely
| basic and mostly just tying together all ready-made
| libraries/features/frameworks/services (which Microsoft
| provides on their platforms/products) that actually made up
| the apps/services. C# itself just isn't all that much. Apart
| from maybe a gateway to guaranteed vendor lock-in. Maybe that
| is why they made sure to not mess that one up ;)
| resource_waste wrote:
| Microsoft is a legacy company and soon to be zombie company.
|
| I think you'd be out of your mind to start a new company and
| use Microsoft for anything except Excel.
|
| The only reason my company seems to use it, we have software
| from the 2000s that only runs on Windows. Maybe there is some
| backdoor bribery going on, because someone decided sharepoint
| was a good idea.
| coding123 wrote:
| Has anyone else noticed it's not possible to have an account that
| you can log in anymore? Locked out by AI, locked out by
| suspicious activity, locked out due to lost phone, lost authy,
| broken everything. You drive an RV? locked out due to location
| change. You have a common name? Locked out. Have a foreign name?
| Locked out.
| concernedctzn wrote:
| using microsoft authenticator I just ran into this recently and
| searched to find it's a known issue that microsoft has no
| announced plan of fixing. Strange to see it pop up here
| separately, I guess it's becoming more common. I knew to cancel
| the dialogue and manually add the account without the QR code to
| workaround it but I'm sure plenty of people will have their
| accounts locked because of this
| datavirtue wrote:
| I need a good authenticator app, I guess. I'm using Microsoft's
| and have a lot of different stuff in there. I may have run into
| this already but don't know it.
| pndy wrote:
| Try 2FAS - it works without cloud, can import from few other
| apps (sadly not from Microsoft one) and can export from and
| import to a file. Works on Android and iOS
|
| https://2fas.com/
| todotask wrote:
| One of the reasons I can think of: having a Passkey can be a better
| advantage over relying on centralised account management?
| NikhilVerma wrote:
| A similar thing has happened with Twitter. After the Musk
| takeover and the removal of SMS for auth something has changed
| the keys of the 2FA authenticator. My old keys don't work and my
| "ticket" has been waiting on Twitter support (which were probably
| all fired) for resolution.
| justinclift wrote:
| "Microsoft is the Boeing of software."
|
| Seems like an apt description. :)
| t00 wrote:
| Even for Microsoft accounts, use an alternative app for 2FA/MFA.
| Recently I switched to the open source Aegis, which allows
| encrypted backups and does not have the issue described.
| kaffeeringe wrote:
| It also tracks your position all the time. That is the bigger
| problem to me. https://reports.exodus-
| privacy.eu.org/de/reports/com.azure.a...
| vladvasiliu wrote:
| Interesting, on iOS it didn't even ask to use the location.
|
| Do they do it because they can? Haven't used Android in a long
| time, but I had the impression that they also introduced finer-
| grained permissions, as opposed to blanket approve / deny
| everything the app asks for.
| rmholt wrote:
| Android definitely has fine grained permissions. In fact my
| phone asks me each time a new app wants to use my location.
| Interestingly enough, I don't recall seeing a location prompt
| for Google's services
| vladvasiliu wrote:
| > I don't recall seeing a location prompt for Google's
| services
|
| I don't recall a prompt for Apple's services, either. But
| you can revoke the permission, at least for some of them.
| Mathnerd314 wrote:
| > This report lists trackers signatures found by static
| analysis in this APK. This is not a proof of activity of these
| trackers.
| KMag wrote:
| I lost a few GMail accounts because I changed countries and
| computers since I created them. I tried logging in, Google said
| my password was correct, but both the device and the IP were
| unfamiliar. I don't recall exactly what was wrong with using the
| recovery address to recover from the problem, but that didn't
| work, despite my still having access to my recovery email
| address. I think I might need to be able to tell Google what my
| recovery email address is, and I may have used one of those
| randomized + suffixes to my recovery address.
|
| I used to use Google Authenticator with my GMail accounts, but
| disabled that out of fears it's just one more thing to go wrong,
| with Google providing little recourse.
|
| My password is a bit over 96 bits of entropy, generated by
| extracting 256 bits from /dev/urandom as a multi-precision
| integer, divmod'ing to extract one instance from each of the
| character classes (digit, lower, upper, symbol) and then the
| rest from the combined alphabet (digit + lower + upper + symbol),
| and finally the leftover entropy used for Fisher-Yates shuffle of
| the password so the first digit isn't always a digit, etc.
| Passwords are per-site, stored using a gpg-based password manager
| I wrote in the early 2000s.
|
| MFA would still help for some types of ongoing active compromise,
| but not for dumps of password hashes from a DB compromise. It
| really kills me that recovery from my recovery email address
| doesn't work, even though I know my password.
|
| Honestly, if you haven't logged in from anywhere in a few months
| and you have the correct password, they should at least just send
| some verification link/code to your recovery address without
| requiring you to tell them your recovery address. Sure, maybe
| don't say where you're sending the recovery link, but turning the
| recovery address into another password you need to memorize
| without ever telling you it's some weird combination of recovery
| email address and recovery password is just highly annoying.
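Added example, not the commenter's own tool: a password generator built the way the comment above describes, with the entropy bookkeeping made explicit. One 256-bit integer comes from os.urandom; every draw is a divmod on that integer, so each character and each shuffle step consumes exactly its own share of the bits and no separate PRNG is involved. The length of 15, the four character classes as Python's string module defines them, and the helper names are assumptions chosen for the demo; `max_entropy_bits` is an upper bound (the construction is not perfectly uniform, since strings with balanced class counts can be reached by more paths), and is only there to check the scale of the figure quoted above.

```python
"""Divmod-driven password generation from a single large random integer."""
import math
import os
import string
from itertools import combinations

CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters, no space


def password_from_int(n: int, length: int = 15) -> str:
    """Deterministically derive a password from the integer n (the entropy source).

    One character per required class first, then the remainder from the full
    alphabet, then a Fisher-Yates shuffle fed by what is left of n so the
    class picks do not always sit at the front.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    chars = []
    for cls in CLASSES:
        n, idx = divmod(n, len(cls))
        chars.append(cls[idx])
    for _ in range(length - len(CLASSES)):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    # Fisher-Yates from the end; step i needs a value in [0, i], taken as the next divmod.
    for i in range(len(chars) - 1, 0, -1):
        n, j = divmod(n, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def generate(length: int = 15) -> str:
    """Fresh password from 256 bits of OS randomness."""
    return password_from_int(int.from_bytes(os.urandom(32), "big"), length)


def bits_consumed(length: int = 15) -> float:
    """Bits the construction takes from n: class picks, free picks, shuffle.
    For length 15 this is about 130, comfortably inside the 256 supplied."""
    picks = sum(math.log2(len(c)) for c in CLASSES)
    picks += (length - len(CLASSES)) * math.log2(len(ALPHABET))
    return picks + math.log2(math.factorial(length))


def max_entropy_bits(length: int = 15) -> float:
    """Upper bound on password entropy: log2 of the number of distinct strings
    over ALPHABET containing at least one character of every class, counted
    by inclusion-exclusion over the classes left out."""
    total = 0
    for k in range(len(CLASSES) + 1):
        for excluded in combinations(CLASSES, k):
            remaining = len(ALPHABET) - sum(len(c) for c in excluded)
            total += (-1) ** k * remaining ** length
    return math.log2(total)


def has_every_class(pw: str) -> bool:
    """True if pw contains at least one character from each class."""
    return all(any(ch in cls for ch in pw) for cls in CLASSES)


if __name__ == "__main__":
    pw = generate()
    print(pw, "all classes present:", has_every_class(pw))
    print(f"bits drawn from urandom: {bits_consumed():.1f}, "
          f"distinct-password bound: {max_entropy_bits():.1f}")
```

Reducing a 256-bit integer modulo 10, 26, 32 or 94 is not exactly uniform, but the bias is on the order of 2^-250 and irrelevant; what does matter is that the bound for 15 characters lands just under 98 bits, in line with the figure in the comment.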
| aflag wrote:
| And the fact that there's no one to talk to means that if
| computer says no, that's it.
| alchemist1e9 wrote:
| There is absolutely nobody. It's crazy. Realizing how
| dependent I am on gmail has been scary.
|
| I've started a project to attempt to move to my own domain
| and self hosting full email stack. It's a huge amount of
| work. However the power Google has over me, should my gmail
| account be hijacked or turned off is incredible.
|
| Starting from the bottom is the security of the domain
| registrar and DNS records. It looks like there are some good
| options, though obviously with additional price. Basically
| you have to use the corporate services with additional
| security features.
|
| The self-hosting email and server security is something I
| have the background to handle.
| 8organicbits wrote:
| I recently tried Google support for an issue with an out of
| support Pixel I was messing with. I assumed I'd get a "sorry
| that device isn't supported" response, but they gas-lit me,
| claimed that they could help, and proceeded to send me
| completely unrelated links until I gave up. Links unrelated
| to the Pixel and the problem I was facing.
|
| I think I was talking to a bot and they made it appear human
| by slowing everything down so the whole exchange took 30
| minutes, but maybe it was just a human following a script.
| Either way, it was worse than if they didn't have support
| since they just wasted my time.
| notRobot wrote:
| You would have received a notice to your recovery email when
| you added it to the account in question and you might be able
| to find that email in your inbox and figure out the randomised
| suffix in the "to" field.
| mihaaly wrote:
| Damn! I did not know that.
|
| I set recovery address to another (dormant) gmail account,
| just to aggravate the risk put upon me! :D (I do not trust
| google now with more data than I already given and must give,
| see later)
|
| I need to speed up the migration of my email life to the paid
| account I initiated and testing (protonmail) because some
| serious problem could emerge otherwise (there is an
| international move on the horizon). I started to give gmail to
| various governmental (taxation, healthcare, authorities)
| organizations when it was innocent, as contact of the account
| used for light things at the time, when everyone started to
| discover how to manage bureaucracy online. Which succeeded and
| my gmail became an important tool managing matters throughout
| some international moves. Some accounts here and there are
| dormant but still with important matters that I might need once
| (how is it with that many years valid Australian travel
| authorisation or what that I did not need last year?...). Still
| gmail was innocent enough, despite the mass surveillance sped
| up, which was a bit inconvenient feeling but rarely got any
| real secrets or deeply personal matters apart from the fact I
| have dealings with that organization here and there. But now,
| as online administration is borderline mandatory being other
| means left to the bare minimum (when I am sent online in an
| office for something, that's a turning point in mind) or in
| other country. Gmail is very inconveniently in the center with
| all the worrisome things their automated bots carry out against
| unsuspecting user without mercy and appeal, that the migration
| process had to be started. Hence test with protonmail. But it is
| so damn widespread now, I have not enough time going through
| all, some forgotten and need to dig into faint memories, it is
| torture. But has to be done. Has to be done.
|
| Our twin girls should not be put up with the mercy of google
| bots when they get into the age of requiring email for official
| matters.
| franga2000 wrote:
| > leaving IT experts wondering, 'Why would you pick Microsoft?'
|
| Well I can tell you why people pick MS Authenticator - it's
| because microsoft basically forces it on you, uses dark patterns
| to avoid letting you use any other standard OTP app and doesn't
| give admins the tools to disable it.
|
| As an admin, I can disable every single MFA method individually,
| including TOTP, but Microsoft Authenticator is force-enabled.
| When users go to enable TOTP (or are forced to), the option is
| called "Microsoft Authenticator", not something more generic. The
| QR code they get is not a standard TOTP one, so any other client
| will reject it. There's a small link below it letting you "use
| another app" which finally gives you a real TOTP QR code. This is
| INSANE!
| kaveet wrote:
| Microsoft admin isn't my day job, but I dealt with this exact
| thing the other day--the toggles for Microsoft Defender MFA are
| spread across Entra ID policies, Registration Campaigns, per-
| user settings, and more Microsoft subdomains I'd never heard
| of. After two hours the best I could do was add a Skip button
| to the MFA prompt when our users sign in.
| surfingdino wrote:
| That's how they play
|
| https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor...
| .
|
| https://en.wikipedia.org/wiki/Criticism_of_Microsoft
| ncr100 wrote:
| Lawsuit? Were these folks defrauded out of money due to the
| extra costs incurred?
| Spooky23 wrote:
| In enterprise, subscription utilization is what pays the sales
| team. They eventually get canned if you don't use the
| suite.
|
| They'll send some goons to let the CEO/CFO know you are a
| spendthrift.
| devjab wrote:
| I use the MS app for work, as it's required as you say. I'm not
| sure our first-line support really minds though, as if people
| weren't using this then they would be supporting a range of
| apps. It's obviously unfortunate that it sort of sucks for them
| that they have to reset these things for people all the time,
| but I guess it's the lesser of multiple evils.
|
| That being said, maybe we should advise employees that they
| shouldn't use it for personal things even though they have it
| as it sucks.
| reaperducer wrote:
| _if people weren't using this then they would be supporting a
| range of apps._
|
| Or one single better non-Microsoft app.
|
| But making people fear that using something else is
| complicated or expensive is how Microsoft makes money.
|
| If you can't compete, confuse.
| xorcist wrote:
| Is this not how pretty much all IT megacorps operate?
|
| Microsoft has historically pursued these aggressive embrace-
| and-extend tactics very successfully.
| tjoff wrote:
| And you have to do the "use another app" dance on every single
| login too... You know I have TOTP setup, you know I'm not using
| MS Authenticator.
|
| To make matters worse(?), I have not been able to login to
| Teams at all in the last two weeks. I select "use another app"
| ... and nothing happens. Sigh.
|
| It is astonishing how bad we can make software today. We used
| to at least _try_.
| creshal wrote:
| Works On My Machine (tm), your org's admin team probably
| missed a hidden checkbox that gets moved around between admin
| pages every odd hour (except on days divisible by 4, where
| it's missing entirely) (except during chinese new year)
| (except when that overlaps with a leap year) (except when an
| odd-numbered amount of users has the wrong license), but you
| can probably also do it powershell (except it's undocumented)
| (and deprecated)
|
| ...yeah, I don't know either why people dislike modern
| Microsoft.
| sschueller wrote:
| We noticed this crap when we rolled out MS365. We immediately
| told all users to not use the MS authenticator.
|
| The fact that Microsoft still hasn't fixed this should put in
| question their priorities in security and safety of all other
| products as well. This is just unacceptable.
| nottorp wrote:
| Yes, when you add one more device between you and your data you
| are now dependent on it functioning correctly.
|
| Today it's a MS fuckup, but any such system could malfunction.
| EGreg wrote:
| I have been recommending for years that people have a DIFFERENT
| email alias for every service
|
| Email aliases look like yourname+somealias@gmail.com
|
| This also helps avoid social engineering attacks when people call
| into your provider:
|
| https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...
| mihaaly wrote:
| "it was the fault of users or companies that use the app for
| authentication" MS said.
|
| Spot on right. They should have been more prudent in selecting
| services. Absolutely right, users' and clients' fault it is!
|
| You see a smug bastard company that hurts the client they live on
| because they provide faulty service, they hurt repeatedly, in
| thick queue throughout time, for long time, fault after fault
| after fault and just release the smear the responsibility
| elsewhere department on the clients complaining, whatever the
| official title of this department is, PR or whatever, while the
| issues are reported in news everywhere, publicised, then who
| would you blame? The company, or the clients still choosing the
| company against common sense and own experience?
|
| The case touches me because I am approaching a job where I would
| not use Windows anymore, I am tired of the Windows ecosystem. It
| only makes life differently complicated, or many times more
| complicated, more difficult to do my job than without it. I have
| not enough time listing how many things they made much worse in
| the past decade or more that my every day is a swim through the
| flow of piss MS releases day after day at all of us. They were
| better in some short period long ago, only partially still, after
| some very bad historic period, now they are determined that with
| hard work they will f up all what is left.
|
| I have a friend working on the MS Teams. He is very busy, working
| hard, they will release some sort of AR meet feature, packed with
| complex and revolutionary (i.e. experimental) approaches so you
| could enjoy solutions that probably will work ok and not annoy
| you with visual artefacts and problems not eliminated before
| release, with the headset you require for it, probably will not
| be forced on you but likely annoy the hell out of you by the pop
| up promotions when you try to do your urgent job after a critical
| update. Who the f needs that? While the Teams is a mess to work
| with already with lots of noise and half cooked bloated whatevers
| already being a distraction, not helpful, not at all. Probably
| only the call quality is the only good in it by now, but that was
| purchased from elsewhere, that was given to them. They are so
| good at making things too complicated and being unable to make it
| well because it is too complicated to do well, too expensive, so
| let's just release a half cooked one and leave it there for
| decades (like the dialogs in Windows) and put the blame on
| elsewhere by the put the blame on elsewhere department put
| together precisely for this.
| briffid wrote:
| I have many accounts with the same user names, and they don't get
| overwritten. There might be some design flaw somewhere, but it's
| surely not what the article states, i.e. that you cannot have the
| same username on different sites.
| mattmaroon wrote:
| Same. I mean I don't doubt some bug exists, but I use it on
| iOS, almost always with QR codes and the same email address
| with no issues. I quite like the product. I switched from
| Google and it's been much better.
|
| I am sure whatever is going on, it's a bug and not a feature.
| todotask wrote:
| When I tried to sign up for a Hotmail account, the challenge step
| I had to solve wasn't friendly for my impaired eyesight.
| tropicalfruit wrote:
| this is really a serious problem.
|
| some of those captchas are bordering on hostile.
|
| a lot of things are designed with total disregard for access
|
| try to zoom your phone and half the buttons in your apps will
| disappear
|
| enable "zoomed" on iPadOS and you can no longer scroll to the
| bottom of long settings menus.
|
| so many things
| arianvanp wrote:
| Safari had a similar bug where it would just overwrite your
| passkey with no warning whatsoever -- completely locking you out
| of your account. It has since been fixed, but this caused me to
| lose access to my GitHub
|
| https://bugs.webkit.org/show_bug.cgi?id=270553
|
| Safari still has some bugs where it can't discern between
| websites hosted on different subdomains except for hardcoded
| exceptions, and it will override the password of one subdomain
| with the other. Happens to me on a monthly basis.
| __jonas wrote:
| Odd, I just received this email from MS that looks a lot like
| phishing but seems not to be?
|
| > Action required: Enable multifactor authentication for your
| tenant by 15 October 2024
|
| > You're receiving this email because you're a global
| administrator for [Literally a UUID here, no organization name or
| anything] Starting 15 October 2024, we will require users to use
| multifactor authentication (MFA) to sign into the Azure portal,
| Microsoft Entra admin center, and Intune admin center. To ensure
| your users maintain access, you'll need to enable MFA by 15
| October 2024.
|
| > If you can't enable MFA for your users by that date, you'll
| need to apply to postpone the enforcement date. If you don't,
| your users will be required to set up MFA.
|
| > Action required
|
| > To identify which users are signing into Azure with and without
| MFA, refer to our documentation.
|
| > To ensure your users can access the Azure portal, Microsoft Entra
| admin center, and Intune admin center, enable MFA for your users by
| 15 October 2024.
|
| > If you can't enable MFA by 15 October 2024, apply to postpone the
| enforcement date.
|
| The thing is, I'm not administrating any organization with
| Microsoft.
|
| I have a private office365 family account or whatever it's
| called, and I have 2FA set up for my account, I have no idea what
| they are on about, especially because the email doesn't contain
| even my name or the name of the supposed organization, just some
| ID.
|
| It's definitely an Email from Microsoft though.
| cheschire wrote:
| Log in to the Azure portal. You should see a similar message that
| redirects you to the relevant resource.
| __jonas wrote:
| Spot on! It was in fact some Azure account I made years ago.
| In hindsight, it did say to log into the Azure portal right
| in the email. The random UUID instead of a salutation threw me
| off a bit.
| xattt wrote:
| I don't see what the issue is. People could plan ahead and just
| write the six digit code in a notebook as a backup.
|
| /s
| causality0 wrote:
| Well damn. I've used Microsoft Authenticator for years and just
| happened to have never used the QR code feature. Is there an easy
| way to migrate all the data into Google Authenticator?
| ta988 wrote:
| This is not a software engineer issue, it is a product manager
| issue, who relentlessly ignored users' complaints.
| Obscurity4340 wrote:
| KeePass, peeps
| markuta wrote:
| What's also annoying is that some MFA providers like Microsoft
| Authenticator and Authy lock you into their platforms, no export
| or offline backups features, at least without a rooted phone.
| websap wrote:
| wait a second, what? If I use the same email for another account,
| I could get randomly locked out from some other account.
|
| I just checked my app; there are 2 different emails for 2
| entries, other entries are provider specific.
|
| Is there a good way to migrate from MS Authenticator and what
| options do I have?
|
| One of the entries without the Issuer correctly set is
| Outlook.com itself. WTF!
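The overwrite behaviour the thread is circling (entries keyed on the account name alone, so a QR code without an issuer collides with an existing entry) can be reproduced with a small otpauth:// URI parser. This is an added Python example, not code from the thread or from any authenticator app; the URIs and base32 secrets are constructed placeholders, and `import_entries` is a hypothetical importer that refuses to silently drop a collision.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample QR payloads (otpauth key URI format). Secrets are dummies.
SAMPLE_URIS = [
    # issuer both in the label prefix and in the issuer= parameter
    "otpauth://totp/GitHub:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=GitHub",
    # issuer only as a query parameter
    "otpauth://totp/alice%40example.com?secret=KRSXG5DSMFZGSIDJ&issuer=Outlook.com",
    # no issuer anywhere: the case websap describes above
    "otpauth://totp/alice%40example.com?secret=MFRGGZDFMZTWQ2LK",
]


def parse_otpauth(uri):
    """Split an otpauth://totp URI into issuer, account and secret."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    # The label may carry a legacy "Issuer:account" prefix; the issuer=
    # parameter takes precedence when both are present.
    if ":" in label:
        label_issuer, account = label.split(":", 1)
    else:
        label_issuer, account = "", label
    issuer = params.get("issuer") or label_issuer.strip() or None
    return {"issuer": issuer, "account": account.strip(),
            "secret": params.get("secret")}


def import_entries(uris, key_on_issuer=True):
    """Import URIs into a dict keyed either on (issuer, account) or on
    account alone. Returns the store plus a list of collisions that a
    careful importer would surface to the user instead of overwriting."""
    store, overwritten = {}, []
    for uri in uris:
        entry = parse_otpauth(uri)
        key = (entry["issuer"], entry["account"]) if key_on_issuer \
            else entry["account"]
        if key in store:
            overwritten.append((key, store[key]["secret"], entry["secret"]))
        store[key] = entry
    return store, overwritten


if __name__ == "__main__":
    for flag in (True, False):
        store, lost = import_entries(SAMPLE_URIS, key_on_issuer=flag)
        print(f"key_on_issuer={flag}: {len(store)} kept, {len(lost)} overwritten")
```

Keying on the account alone keeps one entry and silently replaces two secrets; keying on (issuer, account) keeps all three, and the entry with no issuer still stands apart from the ones that have one.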
___________________________________________________________________
(page generated 2024-08-18 23:01 UTC)