Buff Hardback posted:
Are you sure they didn't say "trust a password manager without a browser extension"?

I went back to double-check the thread and it was actually someone else who said that, though the someone else is a person who I would consider a pretty elite security professional. He elaborated later that he meant for his own use and not as a general recommendation to the public, because he weighs the risk of browser compromise as relatively high. We were both part of a small group that was targeted with a Java zero-day watering hole attack at a previous employer (like, our usernames were in the payload), and he's had similar experiences in subsequent roles, so I can sort of understand the sensitivity. (I don't share the sensitivity, myself. What are the odds of it happening twice? Same reason I always carry my own bomb on a plane.) WebAuthn or passkeys or whatever kills passwords, we're ready for you.
|
# ? Dec 30, 2022 04:07 |
|
I feel if your browser gets owned, or the website you're on gets owned, having a browser extension or not for your vault isn't gonna make your cred stash that much safer. I'm admittedly "Not Good(tm)" at security though.
|
# ? Dec 30, 2022 04:08 |
|
In the case of total browser take over it’s going to be easier to manipulate the browser extension into invisibly giving up the whole store than it would be to do that to an external, securely-designed process. I buy that there’s meaningful depth to that defence. I’m just an idiot who is sure he’ll get phished and wants the second check of the domain not matching, so I take the extension path.
|
# ? Dec 30, 2022 04:13 |
|
I feel like the big weakness is the extension having the ability to go "hey I want the creds for this site" and getting them without any user input or confirmation from the password manager side. If the password manager itself confirmed the request by having the user interact with the notification icon (or some other UI created by the password manager itself rather than the browser), then a lot of that risk goes away, I think.
|
# ? Dec 30, 2022 04:21 |
|
Subjunctive posted:
In the case of total browser take over it's going to be easier to manipulate the browser extension into invisibly giving up the whole store than it would be to do that to an external, securely-designed process. I buy that there's meaningful depth to that defence.
|
# ? Dec 30, 2022 04:23 |
|
like 99% of keeping yourself secure is going "im gonna gently caress this up" and treating yourself like you would your great-uncle barnaby
|
# ? Dec 30, 2022 04:24 |
|
I’m surprised that there isn’t some standard protocol for talking to a password manager in a separate process such that the browser or other app can request a credential and the manager can pop a confirmation dialog or just rate limit and yell. Similar to what iOS and I presume Android have, I guess. I wouldn’t want to be in charge of getting it standardized and adopted, though. Not it.
|
# ? Dec 30, 2022 04:31 |
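A sketch of the separate-process model the last two posts describe (the extension asks, the manager itself confirms, and it rate limits and yells when asked too often), added here as an illustration and not code from any password manager or from anyone in the thread. The `Broker`, `Entry` and `normalize_origin` names, the always-yes confirmation hook and the sample vault entry are all constructed for the example; the point it adds is that the manager compares the full normalized origin of the request against the stored one, so a lookalike host or a plain-http page for an https entry gets nothing, and every decision lands in an audit list.

```python
"""Credential broker sketch for a password manager that lives outside the
browser: the browser (or an extension acting for it) asks for a credential
by URL, and the manager only releases one after an exact origin match, a
confirmation from UI the manager itself owns, and a per-window rate limit.
Added illustration; not the code of any product discussed in the thread."""
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if it is not a web origin.

    Comparing whole origins (not substrings of the host) is what stops a
    lookalike such as example.com.evil.test from matching example.com."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


@dataclass
class Entry:
    origin: str      # normalized origin the credential was saved for
    username: str
    password: str


@dataclass
class Broker:
    entries: List[Entry]
    # Confirmation hook (origin, username) -> bool. In a real manager this
    # would be a dialog drawn by the manager process, never by the page or
    # the browser, so a compromised browser cannot click it for the user.
    confirm: Callable[[str, str], bool]
    max_requests: int = 5       # requests allowed per window before we "yell"
    window_s: float = 60.0
    audit: list = field(default_factory=list)   # (event, detail) tuples
    _times: List[float] = field(default_factory=list)

    def request(self, url: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Return (username, password) for url, or None; raise when rate-limited."""
        now = time.monotonic() if now is None else now
        self._times = [t for t in self._times if now - t < self.window_s]
        if len(self._times) >= self.max_requests:
            self.audit.append(("rate_limited", url))
            raise PermissionError("too many credential requests in window")
        self._times.append(now)

        origin = normalize_origin(url)
        if origin is None:
            self.audit.append(("bad_url", url))
            return None
        entry = next((e for e in self.entries if e.origin == origin), None)
        if entry is None:
            self.audit.append(("no_match", origin))
            return None
        if not self.confirm(origin, entry.username):
            self.audit.append(("denied", origin))
            return None
        self.audit.append(("released", origin))
        return entry.username, entry.password


if __name__ == "__main__":
    # Constructed sample vault and a confirm hook that always says yes.
    vault = [Entry("https://example.com", "alice", "correct-horse-battery")]
    broker = Broker(vault, confirm=lambda origin, user: True)
    print(broker.request("https://example.com/login"))            # released
    print(broker.request("https://example.com.evil.test/login"))  # None
    print(broker.audit)
```

The `now` parameter exists so the rate limiter can be exercised deterministically; a real implementation would also key the limit per requesting client and bind the confirmation to the specific entry being released rather than to the origin alone.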
|
1password's browser extension integrates with and requires the installed app's security controls, so it seems a lot safer than what others do.
|
# ? Dec 30, 2022 04:35 |
|
Yeah, I’d like to see Bitwarden do that too, but it’s a bunch of additional complexity and friction and probably support burden at least in the first few iterations, so I can understand why they didn’t start there. Is what 1Password does documented well enough that someone could use it as a starting point for other apps?
|
# ? Dec 30, 2022 04:38 |
|
Subjunctive posted:
Yeah, I'd like to see Bitwarden do that too, but it's a bunch of additional complexity and friction and probably support burden at least in the first few iterations, so I can understand why they didn't start there.

I'm going to guess no because it's a proprietary commercial product, but I will absolutely promote 1Password's method. It's not much of a hassle at all, autofill on mobile and desktop works great, and it's very seamless. I'm a big fan.
|
# ? Dec 30, 2022 04:42 |
|
I thought they might have done a white paper on how they integrate securely with browsers or something, but I can’t find anything. I’ll ask my contact there but he probably won’t say much.
|
# ? Dec 30, 2022 04:47 |
|
Subjunctive posted:
I'm surprised that there isn't some standard protocol for talking to a password manager in a separate process such that the browser or other app can request a credential and the manager can pop a confirmation dialog or just rate limit and yell. Similar to what iOS and I presume Android have, I guess.

Chrome, Edge and Safari (not sure about Firefox) each have their own password vaults which they try to use as a carrot to get you to sign into the browser to sync that vault across multiple devices. I know Edge at least even offers to generate passwords for you if it detects you're on a signup page. I doubt there'd be much incentive to give that up easily unless it was an OS-level integration like how iOS works, and even then I'm sure Edge and Chrome would try very hard to make you use their own vaults.
|
# ? Dec 30, 2022 08:19 |
|
Rufus Ping posted:
I'd be interested to hear their reasoning because I'm not aware of any historical examples of sites being able to spoof their identity to extensions in this way.
|
# ? Dec 30, 2022 14:23 |
|
Subjunctive posted:
I'm surprised that there isn't some standard protocol for talking to a password manager in a separate process such that the browser or other app can request a credential and the manager can pop a confirmation dialog or just rate limit and yell. Similar to what iOS and I presume Android have, I guess.

Safari sort of does this on iOS. You can choose to fill passwords from another secure storage besides iCloud Keychain, e.g. you can fill in a password from Chrome's password store while using Safari.
|
# ? Dec 30, 2022 14:47 |
Rufus Ping posted:
I can only assume they are afraid of a bug that allows one site to trick the extension into filling creds for another site.

Copy-paste is a bad idea because JavaScript gives read-access to the clipboard unless the user toggles the option off (it's on by default). Just have the extension inject a DOM object that users can click, as well as a keyboard shortcut that triggers the same DOM object. Here's how simply it can be done:
|
|
# ? Dec 30, 2022 15:51 |
|
Wiggly Wayne DDS posted:
i mean there's been a few affecting password managers.

Wiggly Wayne DDS posted:
like lastpass: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

same bug class as that guy in here who tried rolling his own pw manager lol (one two)
|
# ? Dec 30, 2022 17:25 |
|
Trying to get a friend to dump LastPass but they said they hated 1Password on iOS. How is Dashlane? They are thinking of it.
|
# ? Dec 31, 2022 17:47 |
|
Did they say what they didn't like about 1Password?
|
# ? Dec 31, 2022 17:50 |
|
Mostly issues with autofill, but I'll ask for more details.
|
# ? Dec 31, 2022 17:55 |
|
AutoFill on iOS is going to behave pretty much the same no matter which app you're using because they all use the native AutoFill API.
|
# ? Dec 31, 2022 18:07 |
|
more falafel please posted:
"use the same password for everything but with one change to make it unique to the site, also I constantly forget them and why would anyone want to impersonate me anyway???"

Reported for doxxing. As I'm adding things into Bitwarden I'm creating new 16-character mixed-everything passwords, I swear.
|
# ? Dec 31, 2022 18:09 |
|
I just tested both since I felt I should before deciding what to flee to, and Bitwarden seems more feature complete to me.
|
# ? Dec 31, 2022 18:13 |
|
You do have to switch off the default iOS AutoFill and turn on password manager AutoFill, I think.
|
# ? Dec 31, 2022 18:31 |
|
how are you guys using yubikey? I've got an nfc that's currently managing authenticator codes but feel like I could do more with it.
|
# ? Dec 31, 2022 18:33 |
|
Thanks for the tips about iOS autofill. I'll pass it along. Any thoughts on Dashlane though?
|
# ? Dec 31, 2022 18:55 |
|
Famethrowa posted:
how are you guys using yubikey? I've got an nfc that's currently managing authenticator codes but feel like I could do more with it.

I mostly use mine for Azure AD passwordless creds; too few slots for TOTP registrations to be useful.
|
# ? Dec 31, 2022 19:29 |
|
Famethrowa posted:
how are you guys using yubikey? I've got an nfc that's currently managing authenticator codes but feel like I could do more with it.

Company uses it for most of our major sign in portals that support it.
|
# ? Dec 31, 2022 19:37 |
|
SlowBloke posted:
I mostly use mine for azure ad passwordless creds, too few slots for totp registrations to be useful.

Defenestrategy posted:
Company uses it for most of our major sign in portals that support it.

Kinda what I was gathering, bummer. Was hopeful for more consumer uses. Company is whispering about switching SSO and allowing yubi so...
|
# ? Dec 31, 2022 23:33 |
|
I don't understand the "allowing" part. It's still weird to me that most defaults don't enable FIDO2 or whatever, but companies not having it enabled because they fear it seems wild to me.
|
# ? Dec 31, 2022 23:49 |
|
Sickening posted:
I don't understand the "allowing" part. Its still weird to me that most defaults don't enable fido2 or whatever, but company's not having it enabled because they fear it seems wild to me.

Some of our branches are not allowed to use WHfB because local managers don't trust the cloud with biometric data (when the data never leaves the enrolled machines).

Famethrowa posted:
kinda what I was gathering, bummer. was hopeful for more consumer uses. company is whispering about switching SSO and allowing yubi so

Consumer usage is pretty much dead on arrival with passkeys being widely rolled out now without the inconvenience of an extra device.
|
# ? Dec 31, 2022 23:53 |
|
Why are local managers setting corporate policy?
|
# ? Jan 1, 2023 00:02 |
|
Sickening posted:
I don't understand the "allowing" part. Its still weird to me that most defaults don't enable fido2 or whatever, but company's not having it enabled because they fear it seems wild to me.

I suspect it's help desk, since SSO is company wide and they previously killed hardware tokens. Easier to just troubleshoot everyone's mobile app issues.
|
# ? Jan 1, 2023 00:03 |
|
Famethrowa posted:
I suspect it's help desk, since SSO is company wide and they previously killed hardware tokens. easier to just troubleshoot everyone's mobile app issues.

I feel like troubleshooting the mobile app overlaps with the FIDO2 stuff. Same admin activities.
|
# ? Jan 1, 2023 00:15 |
|
I wanna like YubiKeys and other things like it, but I bought one a few years back to play with and it was annoying as gently caress and I figured the additional security just wasn't worth it for me. Having to futz around with a physical USB thing was just too annoying. What I'd really like is something like:
1. I go to a website and hit a keyboard shortcut or whatever to login
2. Safari pushes a notification to my Apple Watch and/or iPhone saying "hey lemme scan your face to login" and I do so
3. Tada, I'm logged in

Boris Galerkin fucked around with this message at 01:13 on Jan 1, 2023
# ? Jan 1, 2023 01:08 |
|
Thanks Ants posted:
Why are local managers setting corporate policy

Because central IT has the moral fortitude of a squashed snail and will cave in to any request.

Boris Galerkin posted:
What I'd really like is something like:

Welcome to passkeys, available since last September.
|
# ? Jan 1, 2023 10:21 |
|
Thanks Ants posted:
Why are local managers setting corporate policy

Corporate policy requires corporate governance. But that's hard and annoying to do, so...
|
# ? Jan 1, 2023 11:45 |
|
SlowBloke posted:
Because central IT has the moral fortitude of a squashed snail and will cave in to any request.

How do I use them?
|
# ? Jan 1, 2023 15:23 |
|
Boris Galerkin posted:
How do I use them

1. Wait for more than a handful of websites to support them.
2. https://support.apple.com/guide/iphone/sign-in-with-passkeys-iphf538ea8d0/ios
|
# ? Jan 1, 2023 15:28 |
|
SlowBloke posted:
Because central IT has the moral fortitude of a squashed snail and will cave in to any request.

SlowBloke, if Central will cave to any request... then I say bring the requests to Central. There will be nothing you can't do, probably.
|
# ? Jan 1, 2023 15:33 |
|
Crime on a Dime posted:
SlowBloke If Central will cave to any request... then I say bring the requests to Central. There will be nothing you can't do, probably.

I am central and I have stopped giving any shadow of a gently caress about following any sane standard. I'll just set up stuff while knowing that it's 50/50 on being reverted in a week due to leadership being scared of looking bad.

Boris Galerkin posted:
How do I use them

If a website supports YubiKeys, it supports passkeys. Just follow the site's FIDO enroll workflow in Safari and follow the onscreen instructions to add the FIDO data to iCloud Keystore.
|
# ? Jan 1, 2023 15:44 |