• CarbonScored [any]@hexbear.net
    ↑37 · edited · 11 months ago

    Every ‘passwordless’ solution to passwords always ends up being the informational equivalent of ‘passwords, but the method is changed’. Biometrics are just a once-in-a-lifetime password that’s entered differently, password managers are just all your passwords, but behind one big password.

    Even 2FA is just “password you know” and “password your device knows”.

    Not saying these solutions don’t have value, but to say passwords are outdated is a bit silly.

    • WayeeCool [comrade/them]@hexbear.net
      ↑3 · edited · 11 months ago

      USB/NFC hardware keys are pretty good though, they are just the current form of smartcard hardware keys that have been around since the late 1990s for high security environments. If you worked for certain federal agencies or private sector companies, you might have used them. They are old technology at this point that has more recently been introduced into the consumer space as platforms and companies face backlash for constantly having security breaches.

      • CarbonScored [any]@hexbear.net
        ↑2 · edited · 11 months ago

        I have used them (coincidentally, with Okta), and they are pretty neat! I actually choose to use them instead of a smartphone app where I can, because it’s much faster to use. I’d recommend them to companies as a good measure.

        They are still effectively 2FA where it’s just a lot harder to work out the proprietary system with which the password is encoded. So it is a sort of a ‘security by obscurity’, but the likelihood of someone going through all the work to disassemble your key and work it out with you noticing / before the key gets invalidated is pretty low, so unless you’re protecting something super-duper high value (and assuming the manufacturer hasn’t screwed up too badly), they’ll do a good job.

  • nat_turner_overdrive [he/him]@hexbear.net
    ↑33 · 11 months ago

    Guy who thinks passwords are outdated, setting a new password for his bank app: Hmm, how about Christmas123!, just like all my other logins so I don’t have to worry about forgetting it!

    • zifnab25 [he/him, any]@hexbear.net
      ↑11 · 11 months ago

      A fundamental problem with passwords is that you either have a “secure” selection of large, distinct, constantly rotating codes that you have to keep track of on paper/in an app (insecure!) or a single memorable code that - once it is cracked - exposes all affiliated systems (insecure!)

      There’s a serious argument to the effect that a physical id tied to a digitally managed rotating set of large arcane codes is at least as secure as the paper/app-based list of hard codes. The big problem with this technology is that it requires a more complex hardware interface with more attendant IT support. So you’re talking about $$$ that people don’t want to spend for additional technical security.

      Two-factor authentication is cheaper and easier than biometrics. So we’ve settled on that instead.

  • Wertheimer [any]@hexbear.net
    ↑27 · 11 months ago

    I was talking to a schoolteacher the other day who was getting re-fingerprinted for the Nth time. Their last fingerprinting was two years ago. Same job, same county, etc. Everyone was justifying it because of “privacy.” But, like, it’s all going to the same database, where the same people have access. Are they destroying the records every two years (doubt), or did the authorities just forget their own passwords?

    • 7bicycles [he/him]@hexbear.net
      ↑27 · 11 months ago

      If you get into the reaaaaaaaaaaaal nitty gritty of security regarding biometric factors shit turns real weird eventually. Like “How do we know that fingerprint is still attached to a living person?” type stuff.

      I’d be sure as hell this isn’t what happened here, just sort of a fun fact. Also why I think thinking of biometric factors as safe is fucking insane, exactly because they’re fairly immutable. You get one data leak on your fingerprint-security-database and now you can never use that shit again if you’re taking it seriously. And if you don’t expect nation-state-level actors as a threat vector, why the fuck are you taking fingerprints?

      It’s mostly just technologically illiterate people falling for it imo

      • Frank [he/him, he/him]@hexbear.net
        ↑11 · 11 months ago

        Mmm.

        I should go print a silicon printer that can make fake fingers based on, idk, someone’s favorite ice cream flavor or something. Really hasten the slide into the security abyss.

        Either way, I still use passwords for everything, and every password is unique. Biometrics my right tit they don’t even have to beat that out of you, they can just cut something off. At least with the password manager it has to either have a vulnerability or they need access to state-level legal muscle to force the people who designed it to open the lock. Plus if one password gets compromised nothing else is unless it’s the master, and even with the master they still need access to the password locker to do anything with it.

        • 7bicycles [he/him]@hexbear.net
          ↑14 · 11 months ago

          > I should go print a silicon printer that can make fake fingers based on, idk, someone’s favorite ice cream flavor or something. Really hasten the slide into the security abyss.

          Pretty much every time you look into this type of stuff “good print of fingerprint” does the job just fine, you don’t even have to get that fancy with it.

          Biometric security is better understood as a convenience product.

    • 4zi [he/him, comrade/them]@hexbear.net
      ↑11 · 11 months ago

      I’ve asked the county clerk this once when I had to get my fingerprints done just because I was working in a different building 3 blocks away, but basically every time you renew certain trainings or certificates it’s required regardless of how many times you’ve done it before

      • Wertheimer [any]@hexbear.net
        ↑11 · 11 months ago

        I did some googling and this was the best explanation I could find. (Most everything else was just “because that’s the requirement.”)

        Maybe I’m too paranoid but I still think the feds would figure out how to fuck with me, if they wanted to, based on the prints I had taken for a job I held >10 years ago.

          • 7bicycles [he/him]@hexbear.net
            ↑9 · 11 months ago

            I feel like this is a very Chief Wiggum moment in the sense that it wouldn’t help to prove you got your bike stolen but it would help to pinpoint you at the scene of some crime

  • save_vs_death [they/them]@hexbear.net
    ↑25 · 11 months ago

    Passwords are outdated in the sense that the current best practice is to use a password manager that automatically generates a unique high entropy password (read: completely garbled mess no human would ever remember) for every website or service you use. Most of the replacements for them, however, are less secure garbage that can easily be obtained either through social engineering or by the authorities, so you know.

    • envis10n [he/him]@hexbear.net
      ↑15 · 11 months ago

      Even then, you’re better off with a passphrase as they are longer, easier to remember, and are harder to brute force. It’s like a dictionary resistant password.

      • YearOfTheCommieDesktop [they/them]@hexbear.net
        ↑13 · edited · 11 months ago

        depending on what you mean by passphrase, “dictionary resistant” is kind of the opposite of how I’d describe them. Sure they’ll be long and unique but an english language dictionary will surely make bruteforcing them a lot easier

        • Frank [he/him, he/him]@hexbear.net
          ↑7 · 11 months ago

          From what I understand it doesn’t help at all. I’m not a crypto (cool crypto, not fake banking) guy but from what I know passphrases generate much entropy. That said, I stick with passwords that are easier to enter, but still pretty high entropy

          • YearOfTheCommieDesktop [they/them]@hexbear.net
            ↑1 · edited · 11 months ago

            hmm. you know I haven’t done the math in a while but you might be partially right. It definitely does still help to use a dictionary for passphrases, but especially if you include all the words in the english language, not just a much smaller subset like diceware, and if you add anything to dress it up a little, it can still be pretty hard to crack… before password managers were a thing I was known to do like 3-5 random words plus 2-4 digits, and maybe a punctuation character if I was feeling spicy. A pre-calculated hash/rainbow table attack is not feasible if the password hashes are properly salted but a plain wordlist/dictionary attack still is

            For the curious, I came up with something like 650-700 years on average to crack a 4 random word passphrase at 20 billion tries/sec (that rate was a real life example sourced from some pentesting firm’s site) if your word list includes every last word in modern use in english (171000 words). If your wordlist is only 2048 common words (like diceware) though, that’s like 10 minutes or less.

            xkcdpass (based on the well known comic) by default uses the EFF’s long wordlist, which is 7776 words I believe, so a 4 word passphrase from that would average about 24 hours to crack at that same speed. Not great but if you spice it up with digits, special chars, etc then maybe that’s okay for the average person. But it’s pretty long to type out especially on mobile.

      • Clicheguevara [he/him]@hexbear.net
        ↑11 · 11 months ago

        The absolute best practice is to add random spaces that don’t correspond to syllables. A 10 character password can go from taking a few seconds to crack to several hundred years with a few well placed spaces.

        That said, there are databases out there that don’t like spaces, and for some reason lots of financial institutions are this way.

      • Sphere [he/him, they/them]@hexbear.net
        ↑10 · edited · 11 months ago

        A randomly-generated password can be a lot shorter than an equivalent-strength passphrase, actually:

        If you have a dictionary with 25,000 words in it, and you randomly select 5 of them, your passphrase will have a strength of about 73 bits of entropy, which is decent (but actually less than the NIST recommendation of 80 bits, as it happens; to get there, you’d need 6 words).

        A similar-strength randomly-generated password consisting of letters (upper- and lower-case), numbers, and a selection of 10 possible symbol characters (so, a total spread of 26 + 26 + 10 + 10 = 72 possible characters) would only need to be 12 characters long (and would have a strength of about 74 bits of entropy–13 characters would top 80 bits).

        The passphrase would take over 300 years to brute-force at 1 trillion guesses per second, but the extra bit of entropy in the 12-character password means it would take 600 years to guess that one at the same rate.
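The entropy and crack-time figures quoted in this thread can be reproduced with a short calculation. The following is an added example, not code from any commenter; the function names are illustrative, and it assumes an offline attack at a fixed guess rate against a secret whose words or characters were chosen uniformly at random from a list the attacker knows.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(pool_size, length):
    """Bits of entropy for `length` symbols picked uniformly at random
    (words or characters) from a pool of `pool_size` options."""
    return length * math.log2(pool_size)

def min_length(pool_size, target_bits):
    """Smallest number of symbols that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(pool_size))

def crack_seconds(pool_size, length, guesses_per_sec, average=True):
    """Time to search the keyspace at a fixed guess rate.
    average=True is the expected time (half the keyspace);
    average=False is the worst case (the whole keyspace)."""
    keyspace = pool_size ** length
    tries = keyspace / 2 if average else keyspace
    return tries / guesses_per_sec

def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

# Scenarios built from the figures quoted in the thread:
# (label, pool size, length, guesses per second)
SCENARIOS = [
    ("4 words, 171,000-word list", 171_000, 4, 20e9),
    ("4 words, 2,048-word list", 2_048, 4, 20e9),
    ("4 words, 7,776-word list", 7_776, 4, 20e9),
    ("5 words, 25,000-word list", 25_000, 5, 1e12),
    ("12 chars, 72-char alphabet", 72, 12, 1e12),
]

def report(scenarios=SCENARIOS):
    """Return (label, entropy bits, average time, worst-case time) rows."""
    rows = []
    for label, pool, length, rate in scenarios:
        rows.append((label, round(entropy_bits(pool, length), 1),
                     humanize(crack_seconds(pool, length, rate)),
                     humanize(crack_seconds(pool, length, rate, average=False))))
    return rows

if __name__ == "__main__":
    for label, bits, avg, worst in report():
        print(f"{label:28} {bits:5.1f} bits  avg {avg:>16}  worst {worst:>16}")
```

The model only holds for machine-generated secrets; a phrase or password a person made up has far less entropy than its length suggests.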

        • envis10n [he/him]@hexbear.net
          ↑5 · 11 months ago

          I use randomly generated passphrases that do use symbols and integers. It’s easier to type if I’m copying it from my manager manually. I really dislike the focus some services have on maximum length.

          My argument would be that 300 years vs 600 years is meaningless when the human lifespan is so much shorter. At that point, who gives a shit? I’ll personally take a passphrase I can easily remember over doubling the already insanely long amount of time it would take to brute force the phrase.

          Most people pick bad passwords because it’s easier to remember. Why not encourage them to use something that is both easy to remember AND more secure than the original?

          The other aspect is the actual hashing algorithm used for storing and validating the input. Using a system that allows for artificially inflating the amount of time required (bcrypt rounds for example) makes it easier to mitigate a brute force attack. If the service is using an algorithm that is already “broken” then it really doesn’t matter what you used as the input.

          The goal is not to reach the most secure system, rather to increase overall security by getting as many people to use things that are better than before while balancing usability. There’s a reason not everyone uses 2FA, or has physical devices for it.

          • Sphere [he/him, they/them]@hexbear.net
            ↑7 · edited · 11 months ago

            Well, I used 1 trillion guesses a second here. 10 years ago I’d have used 10 billion. So length does matter. And 300 years drops to 1 year if a dedicated attacker is willing to spend a good bit more on hardware (which, in the era of cryptocurrency, could actually be worth it, even just for a criminal).

            And yes, sites should use good hashing algorithms, but we users can’t count on them doing so. Plus, even a technically-but-not-practically broken hashing algorithm isn’t so broken as to be equivalent to plaintext storage (unless it’s unsalted), so it’s less about specific algorithm choices and more about overall design security.

            Not saying passphrases are useless, but password managers are the better technological path, in my opinion, because they obviate the need to remember more than just one password, and allow you to skip typing in passwords too (in fact, a pw manager is better for passphrase users, because they can still use memorable phrases but don’t have to type them in all the time).

            And as it happens, my master password for my pw manager was originally a 6-word passphrase, but has since been changed to a 20-character randomly-generated password, because it’s a ton easier to type, particularly on mobile.

            • envis10n [he/him]@hexbear.net
              ↑5 · 11 months ago

              Absolutely agree on the usage of a password manager. And yes, as hardware increases in power we run into the issue of timelines being shorter. I disagree on MD5 being not totally broken, considering a collision can be found in seconds on even low end hardware these days. Even salted, a collision would still be viable.

              Again, the real problem overall is adoption. Getting people to use better passwords/phrases that are less likely to be brute forced. Everyone should be using non-SMS 2FA, ideally with an authenticator app or physical key. As well, password length should only be limited by a minimum value rather than being in a small range. Services should be using algorithms that are recent, well audited, and have the ability to artificially inflate the time taken to get the result for future-proofing. SSO is also an option, since services without IT departments or people with the ability to handle passwords should offload it to a service that can. SSO as a service provider is very appealing, as you no longer have the responsibility of storing sensitive hashes and account information.

              • Sphere [he/him, they/them]@hexbear.net
                ↑6 · 11 months ago

                Was not aware of the latest efforts on MD5, in all honesty; I take back what I said before.

                I agree with everything you said there 100% except the bit about SSO. SSO is great for people working in managed environments (I wish my workplace would make broader use of it, honestly), but expanding it to everyone as a whole creates some serious issues (putting everyone’s eggs in the same basket is a security risk, and worse, having a centralized third party notified of every login request totally undermines user privacy).

                • envis10n [he/him]@hexbear.net
                  ↑4 · 11 months ago

                  I don’t mean to imply that it should be everywhere, rather it is appealing as an option when the only other option is to roll your own setup.

                  It’s useful for connected services, orgs, etc. Especially when it comes to easily setting up access controls. But you’re right, it’s not a solution that should be used everywhere due to the fact that a single point of failure is bad.

                  Btw this has been a great discussion and I hope that others reading this might help further the goal of creating a safer internet

      • 4am@lemm.ee
        ↑8 · 11 months ago

        That’s why stuff like webauthn is better; if we’re going to maintain a list of garbled text, let’s make it secure one-way encrypted keys instead, which are way stronger.

        You’re still only as secure as your password manager, but no one’s gonna decrypt your private key from a stolen database of public keys unless some really monumental exploit is discovered - and if that happens we’ve got MUCH bigger problems.

  • D61 [any]@hexbear.net
    ↑16 · 11 months ago

    Me just sitting here installing a pin tumbler lock on my computer that I need to turn every time I want to log in to a website

  • SILLY BEAN@lemmygrad.ml
    ↑15 · 11 months ago

    ummm have they heard of ‘passkeys’? like that thing that solves all these issues without any biometrics and personal information and can’t be stolen as easily? like one login on a malicious device, and boom all your biometric data is now in the hand of the attacker. physical passkeys? good luck compromising that lol

    also yes, this is obviously so cops can get into your stuff and companies can collect your biometric data

    • YearOfTheCommieDesktop [they/them]@hexbear.net
      ↑9 · edited · 11 months ago

      to be fair the way most fingerprint scanners are implemented it isn’t possible to extract the actual fingerprint (that I know of). but with a malicious device I guess they probably could procure a different type of scanner

      Agreed tho I will stick with a master password I know and a hardware token that I have, probably until I die, unless something way better comes out that doesn’t allow legal compulsion

      • SILLY BEAN@lemmygrad.ml
        ↑7 · 11 months ago

        that’s true, and i guess it is worth mentioning that many physical passkeys use fingerprint scanners. the only difference is that your fingerprint never gets sent on the internet at all

        • YearOfTheCommieDesktop [they/them]@hexbear.net
          ↑6 · 11 months ago

          yeah, once you get into identifying users across devices with fingerprints I get way more skeptical. But local-to-device fingerprint scanners usually just generate and match identifying material internally, if anything goes to the host OS it’s just like, a hash or something, iirc.

  • Ericthescruffy [he/him]@hexbear.net
    ↑9 · 11 months ago

    Passwords are fine with two factor authentication right? Like I have two factor authentication on my phone for pretty much everything either through text or a full on authenticator app.

      • Goferking0@ttrpg.network
        ↑13 · 11 months ago

        Is it bad I couldn’t tell if this was going to be that breach, which probably wouldn’t have been disclosed if one of their customers hadn’t reported it, or a new one?