Re: Laptop/PC security setup

Posted: Fri Apr 20, 2018 11:26 pm
by Jezo
I put a padlock on my laptop so you can't open it. Haven't had any viruses yet

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 12:26 am
by Lagamorph
satriales wrote:
OrangeRakoon wrote:Adblock plus and noscript in browser, then you're already halfway there.

I think uBlock Origin is usually recommended instead of AdBlock Plus these days. AdBlock used to whitelist ads if the advertiser paid them money, but not sure if that still goes on.

They still do, but you can turn them off in the settings.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 12:44 am
by Green Gecko
Meep wrote:Another reason I was considering Bitwarden is that it is open source, which means I am naturally more inclined to trust the software rather than the proprietary methods used by Dashlane and LastPass. I know that's a bit paranoid but anyone who reads the news these days can't help but be paranoid where data is concerned.

I mean, obviously they can't sell on passwords and it would be dumb to think they would but the data about what sites I use and what accounts I hold would be pretty valuable.

I do something a bit different, I use KeePassX which is an open source cross format password manager and I store that database encrypted on Dropbox, then just sync that file across all devices to sync up and down to it when changes are saved. It's easy to just copy and paste from it with a shortcut (the clipboard gets cleared after a couple of seconds, if you have something reading your clipboard you have other problems) and that way I have no proprietary or 3rd party uptime etc dependence, and a biggy is I can back up and take offline that data whenever and wherever I want, split it out to another database or just export it as text if I really have to. Been doing it for about 10 years at least and never have any problems.

There's a free utility called DropSync for Android that will sync one file or folder for free as Dropbox doesn't actually do that, it downloads temporary copies of files and then saves them but it doesn't 2 way sync. Unfortunately I have to periodically open the database again in "mini keepass" for iOS as that doesn't sync so if I create a password there I have to make a note of it to encrypt it later. Might be able to play with offline mode for that file and get it syncing, I haven't looked at it for ages. I think the problem is when you open a file from Dropbox in some iOS apps it just copies it to memory instead of directly accessing the file so you can't save to the same actual file so to speak.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 12:45 am
by RichardUK
I don’t think I have anything on any device I have but never had a problem

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 4:04 am
by Earfolds
On the subject of passwords, the work behind WebAuthn is pretty exciting. It seems that one day soon, passwords will be obsolete. This is probably a good thing considering the recent massive data breaches, and the fact that the majority of people use terrible quality passwords.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 2:18 pm
by OrangeRKN
Passwords are perfectly fine if you use them right, I don't even think password managers are necessary. They're just useful if people don't want to put in the effort otherwise.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 2:45 pm
by Meep
Respectfully disagree. These days the average person has tens of accounts on various platforms and if you want real security you need alphanumeric passwords of sufficient length, different on each platform to ensure one being compromised does not compromise the others. If you happen to be a savant with photographic memory, great, good for you, but us normals need a password manager. Password managers are essential if you want to maintain really secure password protection. The only alternative is either use the same password over and over, bad idea, or write your passwords down somewhere that is not protected, really bad idea.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 4:37 pm
by Earfolds
OrangeRakoon wrote:Passwords are perfectly fine if you use them right, I don't even think password managers are necessary. They're just useful if people don't want to put in the effort otherwise.

100% disagree with you. Passwords are far and away the weakest part of account security. The world, and the internet, will be better off without them.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 6:23 pm
by OrangeRKN
That entirely depends on how strong your passwords are. As long as they are strong and unique then you won't have a problem.

Meep wrote:The only alternative is either use the same password over and over, bad idea, or write your passwords down somewhere that is not protected, really bad idea.


Writing down passwords is not a really bad idea, as long as you keep them physically secure. Physical security is a lot easier than digital security.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 6:37 pm
by Earfolds
OrangeRakoon wrote:That entirely depends on how strong your passwords are. As long as they are strong and unique then you won't have a problem.

The general advice is that if you can remember your passwords, then your passwords are too weak. All of this is a moot point since passwords will be obsolete soon enough, though.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 7:07 pm
by Meep
I think you are overlooking a serious problem with biometric data. I mean, ultimately your fingerprint and other details need to be recorded as data in order to validate access and that data can be copied the same as any other type of data. Anyone who can circumvent the measures in any instance and gets their hands on that data can then use it to unlock accounts. Good luck changing your fingerprints if someone gets hold of a reading. Biometrics are not some magical foolproof solution to security, in fact I would argue they are flawed for security purposes since people wear the data openly (you show your face everywhere in public and constantly touch objects and devices with your fingers) where anyone can record them.

Passwords have an advantage in that they are disposable. If one is compromised you just toss it and create a new password. No harm done. They are also, unlike biometrics, completely hidden from public view.

I would only really trust biometrics for all my security if it was accompanied with some form of memorable data, like a pin code or something, that is known only to me and can be changed if needed. Anyone can capture my fingerprint but they cannot stop me simply changing the pin or password associated with an account whenever I want.

I suspect we will see a lot more biometric authentication in future but it will be in addition to passwords and other memorable data. It will not replace them simply because it is not nearly secure enough to protect data on its own.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 7:17 pm
by Earfolds
Meep wrote:I suspect we will see a lot more biometric authentication in future but it will be in addition to passwords and other memorable data. It will not replace them simply because it is not nearly secure enough to protect data on its own.


I recommend reading the spec behind WebAuthn. It may help assuage your doubts behind biometric authentication, if nothing else.

Re: Laptop/PC security setup

Posted: Sat Apr 21, 2018 8:24 pm
by OrangeRKN
100% passwords are better than biometrics as an authentication method for those reasons - biometrics are not hidden and cannot be changed. Biometrics are good in combination with a password as a proof of identity. You should always combine something you are with something you know if you want to be secure.

Plus I'd rather not make my fingers a valuable target for criminals to cut off.

Re: Laptop/PC security setup

Posted: Sun Apr 22, 2018 12:07 am
by Green Gecko
It's relatively easy to combine a cipher with long, memorable and unique phrases to create a password that is both strong and memorable.

Obviously password managers are easier. The trouble is they are putting all your eggs in one basket. If that memory is read or someone does something as simple as watch or record you, they have access to everything if they can also obtain the database (that part should actually be more difficult).

2 factor is very good.

Re: Laptop/PC security setup

Posted: Sun Apr 22, 2018 4:52 am
by Earfolds
OrangeRakoon wrote:100% passwords are better than biometrics as an authentication method for those reasons - biometrics are not hidden and cannot be changed. Biometrics are good in combination with a password as a proof of identity. You should always combine something you are with something you know if you want to be secure.

Plus I'd rather not make my fingers a valuable target for criminals to cut off.

I mean, you're wrong, on multiple counts actually, but it's nice that you believe this so passionately.

2FA is correct, though; you should always use this, and the ideal would be two or more factors where none is a password.

Once again, I recommend reading the WebAuthn spec, or at least one of the blog posts about it.

Re: Laptop/PC security setup

Posted: Sun Apr 22, 2018 5:55 am
by Errkal
Green Gecko wrote:It's relatively easy to combine a cipher with long, memorable and unique phrases to create a password that is both strong and memorable.

Obviously password managers are easier. The trouble is they are putting all your eggs in one basket. If that memory is read or someone does something as simple as watch or record you, they have access to everything if they can also obtain the database (that part should actually be more difficult).

2 factor is very good.


The managers are encrypted unless you use a gooseberry fool one, and for many like LastPass the password is never seen, you don't show the password and copy and paste it, they auto fill your password fairless using a browser plugin that doesn't use your clipboard so recording or viewing does nothing.

If you are using a manager where you have to show the password then copy and paste it or type it in while you see it your manager is gooseberry fool and should be gotten rid of.

I always use 2FA where available and have that enabled on my LastPass to boost security of that as well as everything else.

Re: Laptop/PC security setup

Posted: Sun Apr 22, 2018 5:43 pm
by OrangeRKN
Earfolds wrote:
OrangeRakoon wrote:100% passwords are better than biometrics as an authentication method for those reasons - biometrics are not hidden and cannot be changed. Biometrics are good in combination with a password as a proof of identity. You should always combine something you are with something you know if you want to be secure.

Plus I'd rather not make my fingers a valuable target for criminals to cut off.

I mean, you're wrong, on multiple counts actually, but it's nice that you believe this so passionately.

2FA is correct, though; you should always use this, and the ideal would be two or more factors where none is a password.

Once again, I recommend reading the WebAuthn spec, or at least one of the blog posts about it.


In what ways am I wrong? Are biometrics changeable? Are they hidden? "You're wrong" isn't much of a convincing argument.

Also, what is your concern with passwords when they are long and complex?

Re: Laptop/PC security setup

Posted: Sun Apr 22, 2018 6:07 pm
by Earfolds
OrangeRakoon wrote:In what ways am I wrong? Are biometrics changeable? Are they hidden? "You're wrong" isn't much of a convincing argument.


My apologies. I'll try to break it down.

100% passwords are better than biometrics as an authentication method


What exactly does a password authenticate? Passwords don't meaningfully authenticate anything besides the fact that you know, guessed, or stole the password. I contend that this is not meaningful when you want to prove your identity.

biometrics are not hidden and cannot be changed.


It's true that biometrics cannot be changed. In fact, they're an intrinsic part of your identity. Which makes them a great tool to authenticate your identity.

Biometrics are good in combination with a password as a proof of identity. You should always combine something you are with something you know if you want to be secure.


This is actually almost good advice, but you slipped up on the wording at the end. This comes from the general advice behind 2FA, but it's actually "combine something you know with something you have and something you are". I admit this point is more nitpicky than the others.

Plus I'd rather not make my fingers a valuable target for criminals to cut off.


Criminals will have a much tougher time cutting off your valuable fingers than they would just mining your password on their GPU or something.


And, the most important point of all:

Also, what is your concern with passwords when they are long and complex?


If you can remember your password, it's too weak.

If you genuinely have unique, unrelated, and human-made passwords of at least 16 characters for every website you visit, and you can remember them all, you are either lying to me, or don't visit many websites.

If you're advocating for the continued use of passwords, you either don't know anything about data security, or you have an ulterior motive.

By all means continue to use a password as one of several factors in your authentication, but don't try to kid yourself; your password is the weakest point in your account security.

I apologise for being so curt with you last time. Hopefully I've made myself clear here.

Re: Laptop/PC security setup

Posted: Sun Apr 22, 2018 6:58 pm
by OrangeRKN
Earfolds wrote:
biometrics are not hidden and cannot be changed.


It's true that biometrics cannot be changed. In fact, they're an intrinsic part of your identity. Which makes them a great tool to authenticate your identity.


The key point is that biometrics can be duplicated. You haven't addressed that biometric data is also not secret. We leave our fingerprints all over the place, often on the very devices you may use fingerprint authentication on. Facial recognition can be spoofed with photographs. Many people's biometric data is already kept by sources other than themselves, for example with police keeping fingerprint records. Once biometric data becomes compromised, the fact you can't change your biometrics means that you're compromised for good.

Preventing the duplication of biometric data is a constantly escalating arms race. Facial recognition being spoofed may lead to depth measurement, which in turn can be spoofed with 3D models. Fingerprint spoofing has already led to pulse detection being quite common, but again that can be duplicated. No matter what you do to try and ensure the validity of your biometric data, it can and will be possible to duplicate it.

In contrast, if a password becomes compromised you can change it. The same applies of course to public keys or physical tokens.

Being able to change your credentials in the event that they become compromised should be an obvious requirement for any good method of authentication.

Earfolds wrote:
Biometrics are good in combination with a password as a proof of identity. You should always combine something you are with something you know if you want to be secure.


This is actually almost good advice, but you slipped up on the wording at the end. This comes from the general advice behind 2FA, but it's actually "combine something you know with something you have and something you are". I admit this point is more nitpicky than the others.


I don't disagree with you - my point was that I would never want to use biometric data as the sole method of authentication. I wouldn't say I slipped up!

Earfolds wrote:
Plus I'd rather not make my fingers a valuable target for criminals to cut off.


Criminals will have a much tougher time cutting off your valuable fingers than they would just mining your password on their GPU or something.


Cutting off fingers is really quite easy, if you weren't aware!

But yes I think you're alluding to cutting off fingers being a clearly targeted attack with limitations of physical location, whereas passwords can be (and are) brute forced without such specific targeting.

The argument here is more that if I am targeted specifically, I'd much rather just tell the scary bad people my password and lose all my money than tell the scary bad people my password, lose all my money and lose a finger.

To come back to the weakness of passwords to brute forcing, which I think is a separate argument, if your password is sufficiently long and complex and rotated then the probability of your password being guessed in the limited number of attempts the attacker has becomes so low that this isn't an issue. Websites should mitigate against non-distributed brute force attempts by limiting login attempts, and similar mitigations exist for different scenarios like device passwords.

Earfolds wrote:And, the most important point of all:

Also, what is your concern with passwords when they are long and complex?


If you can remember your password, it's too weak.

If you genuinely have unique, unrelated, and human-made passwords of at least 16 characters for every website you visit, and you can remember them all, you are either lying to me, or don't visit many websites.

If you're advocating for the continued use of passwords, you either don't know anything about data security, or you have an ulterior motive.


I asked what your concern with long and complex passwords is, and your response is that passwords probably aren't long and complex? A fair concern (demonstrably many people don't have sufficiently long and complex passwords), but in the case where they are (let's say over 16 characters for the sake of argument, as you suggested it), do you think they are still not fit for purpose? I think they very much are.

In summary, is MFA better than single factor password authentication? Yes.

Are passwords unfit for purpose? No, provided you use them right.
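
The login-attempt limiting mentioned in the post above, as an added example that is not part of the original thread: a per-account sliding-window throttle, plus the bound it puts on online guessing before a password is rotated. The class and function names, the 5-failures-per-15-minutes limit and the 90-day rotation are assumptions chosen for illustration.

```python
import math
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account sliding-window cap on failed logins (hypothetical helper)."""

    def __init__(self, max_failures=5, window_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _recent(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window_s:  # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, account, now):
        # Keyed on the account, not the source IP, so spreading guesses
        # over many addresses does not raise the cap for one account.
        return len(self._recent(account, now)) < self.max_failures

    def record_failure(self, account, now):
        self._recent(account, now).append(now)

    def record_success(self, account):
        self._failures.pop(account, None)

def simulate(throttle, account, attempts, interval_s):
    """Replay wrong guesses at a fixed pace; count those that reach the password check."""
    checked = 0
    for i in range(attempts):
        now = i * interval_s
        if throttle.allowed(account, now):
            checked += 1
            throttle.record_failure(account, now)
    return checked

def max_guesses(throttle, rotation_days):
    """Upper bound on guesses against one account before the password is rotated."""
    windows = math.ceil(rotation_days * 86400 / throttle.window_s)
    return windows * throttle.max_failures

def guess_probability(length, alphabet_size, guesses):
    """Chance that `guesses` distinct tries hit a uniformly random password."""
    return min(1.0, guesses / alphabet_size ** length)

if __name__ == "__main__":
    t = LoginThrottle()
    print("checked of 1000 rapid guesses:", simulate(t, "alice", 1000, 1))
    budget = max_guesses(LoginThrottle(), rotation_days=90)
    print("guess budget over 90 days:", budget)
    print("16 chars, a-zA-Z0-9:", guess_probability(16, 62, budget))
    print("6 chars, a-z:", guess_probability(6, 26, budget))
```

The bound applies only to online guessing against a uniformly random password; it says nothing about offline guessing against a leaked password database, where no throttle applies.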

Re: Laptop/PC security setup

Posted: Sun Apr 22, 2018 7:13 pm
by Earfolds
OrangeRakoon wrote:Being able to change your credentials in the event that they become compromised should be an obvious requirement for any good method of authentication.


If your identity has been stolen, I don't think your ability to log into Facebook is going to be at the top of your agenda.

OrangeRakoon wrote:I don't disagree with you - my point was that I would never want to use biometric data as the sole method of authentication. I wouldn't say I slipped up!


Why are you making this point?

OrangeRakoon wrote:The argument here is more that if I am targeted specifically, I'd much rather just tell the scary bad people my password and lose all my money than tell the scary bad people my password, lose all my money and lose a finger.


If this is what you really imagine when you think of cyber attackers, you haven't been keeping up.

OrangeRakoon wrote:Are passwords unfit for purpose? No, provided you use them right.


I'm just glad the rest of the industry disagrees with you.

I really think it's a good idea if you read the spec behind WebAuthn before continuing this argument.