TOTP and hardware 2FA are still a technological barrier for some folks, especially older ones who may be tied to older hardware that doesn't support those methods. SMS, being the lowest common denominator that almost everyone is able to use, shouldn't be sneered at just because SIM swapping is a thing.
# ? Feb 18, 2023 20:19
Blinkz0rz posted: TOTP and hardware 2FA are still a technological barrier for some folks, especially older ones who may be tied to older hardware that doesn't support those methods.

Yeah, at the end of the day, risky or not, SMS 2FA is better than no 2FA at all.
# ? Feb 18, 2023 20:30
CommieGIR posted: Yeah, at the end of the day, risky or not, SMS 2FA is better than no 2FA at all.

Unless the presence of 2FA lets the bank/etc. push more liability onto the customer. That happened at one point in Canada with chip-and-PIN bank cards: the bank claimed there was no way to use it without having been given the PIN voluntarily, and tried to stick a customer with some fraud. IIRC they relented in the end, at least.
# ? Feb 18, 2023 20:36
When I got my first online banking account around the turn of the millennium it came with a credit-card-sized paper OTP sheet. That was pretty much the only option with online banking. Some banks may have had an alternative method, but all required 2FA. A lot of elderly people have learned to use the OTP sheets over the years.
# ? Feb 18, 2023 20:52
Rescue Toaster posted: When do you suppose a single bank or medical system will learn that non-SMS MFA exists?

Every bank in Europe needs app-based TOTP per PSD2; most of them use their home banking app as the authenticator.
# ? Feb 18, 2023 21:06
Saukkis posted: When I got my first online banking account around the turn of the millennium it came with a credit-card-sized paper OTP sheet. That was pretty much the only option with online banking. Some banks may have had an alternative method, but all required 2FA. A lot of elderly people have learned to use the OTP sheets over the years.

IIRC ING Direct just had some lovely 4-digit PIN that you had to click on with a mouse back in 2007, no MFA at all.
# ? Feb 18, 2023 21:28
Inept posted: IIRC ING Direct just had some lovely 4-digit PIN that you had to click on with a mouse back in 2007, no MFA at all.

ING's first "banking" services were counted as investments, so the banking regulations (access security included) didn't fully cover them. The plastic badge with a series of three numbers was the standard practice until PSD1 in the 2010s.
# ? Feb 18, 2023 21:40
Inept posted: IIRC ING Direct just had some lovely 4-digit PIN that you had to click on with a mouse back in 2007, no MFA at all.

They also had a fairly progressive "passphrase as login name" of some sort. Definitely an effort to decontextualize the username. Of course Capital One nixed all those things for bog-standard logins over the years. I really do miss the innovativeness of ING.
# ? Feb 18, 2023 22:13
I just found out about this 'Orion' browser, and a Safari-based browser with uBO on my MacBook sounds ideal to me. I don't know enough about browsers to know whether it's like Edge / Brave, which are 'Chromium based' and have their foundational security maintained by Google (Apple in this case), or whether whatever they had to do to get it to accept WebExtensions would make it sketchy to use, given it's developed by a 'two-pizza'-sized team. Anyone have any thoughts?
# ? Feb 19, 2023 13:07
zhar posted: I just found out about this 'Orion' browser, and a Safari-based browser with uBO on my MacBook sounds ideal to me. I don't know enough about browsers to know whether it's like Edge / Brave, which are 'Chromium based' and have their foundational security maintained by Google (Apple in this case), or whether whatever they had to do to get it to accept WebExtensions would make it sketchy to use, given it's developed by a 'two-pizza'-sized team. Anyone have any thoughts?

More worrying is that the founder is 1) obsessed with startup culture (4 companies in 15 years) and 2) obsessed with predictive algorithms.
# ? Feb 19, 2023 14:01
4 companies in 15 years is a long tech tenure!
# ? Feb 19, 2023 17:35
BlankSystemDaemon posted: Well, since Google will be dropping WebRequests from the V3 Manifest, which is what's being used to do effective ad-blocking in anything based on WebKit, I have my doubts that a company that's also launching a "premium" search engine in the year 2023 will also be able to properly maintain a fork that somehow does all that's promised without walking it back later (see: Alphabet).

WebKit and Chromium have nothing to do with each other now.
# ? Feb 19, 2023 18:29
Buff Hardback posted: WebKit and Chromium have nothing to do with each other now.
# ? Feb 19, 2023 19:53
Rescue Toaster posted: When do you suppose a single bank or medical system will learn that non-SMS MFA exists?

Every one of the medical offices I visit as a patient forces staff push MFA with Duo or the Epic auth app; I'm wondering what's different about our experience there.
# ? Feb 19, 2023 19:59
Potato Salad posted: Every one of the medical offices I visit as a patient forces staff push MFA with Duo or the Epic auth app; I'm wondering what's different about our experience there.

A staff-facing internal implementation is an order of magnitude easier than any client-facing implementation.
# ? Feb 19, 2023 20:01
BlankSystemDaemon posted: Sure, except for all the code (im)ported from Chromium and the fact that they (Blink and WebKit) share a rather recent common ancestor.

Yeah, but Google's not doing anything with extension capabilities in Safari, right? (The extension manifest stuff is mostly browser-level rather than renderer-level, and I think even some Chromium derivatives are going to keep support for v2.)
# ? Feb 19, 2023 20:04
The Fool posted: A staff-facing internal implementation is an order of magnitude easier than any client-facing implementation.

Ah, I misunderstood the post and didn't realize it was talking about clientele.
# ? Feb 19, 2023 20:07
Subjunctive posted: Yeah, but Google's not doing anything with extension capabilities in Safari, right? (The extension manifest stuff is mostly browser-level rather than renderer-level, and I think even some Chromium derivatives are going to keep support for v2.)

I'd hope they do both, for the sake of their users, but I don't know any of their plans, if they have any.
# ? Feb 19, 2023 20:44
Has Microsoft said anything about re-implementing the functionality Google is dropping? If not, I'll be 100% Firefox overnight.
# ? Feb 19, 2023 20:57
Shumagorath posted: Has Microsoft said anything about re-implementing the functionality Google is dropping? If not, I'll be 100% Firefox overnight.
# ? Feb 19, 2023 21:12
BlankSystemDaemon posted: Well, since Google will be dropping WebRequests from the V3 Manifest, which is what's being used to do effective ad-blocking in anything based on WebKit, I have my doubts that a company that's also launching a "premium" search engine in the year 2023 will also be able to properly maintain a fork that somehow does all that's promised without walking it back later (see: Alphabet).

They seem to use some custom implementation for extensions; you can apparently use Firefox or Chrome extensions with it. I don't know how hard it would be to maintain when Google drops support in their browser, though. From the looks of things the founder is some archetypal Hacker News type, although I doubt the company is doing anything deliberately untoward (one of their main selling points is lack of phoning home, and it would be trivial to see if it started). Future aside, assuming that's true, is the browser A-OK to use right now from a security standpoint? I currently use Firefox; the main benefit I want is tuned battery performance from the Safari part alongside uBlock.

zhar fucked around with this message at 22:30 on Feb 19, 2023
# ? Feb 19, 2023 22:27
Shumagorath posted: Has Microsoft said anything about re-implementing the functionality Google is dropping? If not, I'll be 100% Firefox overnight.

Edge is definitely going along with Google. The holdouts that will still have good adblock will be Firefox, Vivaldi, Brave, and Opera. (With the last 3 being somewhat dependent on maintaining Manifest V2 in Chromium themselves, potentially at the mercy of Google making that job intentionally harder with upstream changes.)

edit:

zhar posted: Future aside, assuming that's true, is the browser A-OK to use right now from a security standpoint?

As a home user you're probably OK: the drawback of being slower to get patches than normal Safari is probably offset by better adblock. As a business, CYA, probably not.

Klyith fucked around with this message at 01:36 on Feb 20, 2023
# ? Feb 20, 2023 01:30 |
|
I kept forgetting about that manifest change, but it's going to gently caress over almost ten years of my browsing model - Edge with uBlock for stuff I trust, Firefox with uMatrix for stuff I don't.
# ? Feb 21, 2023 01:20
They don't have to keep all of v2 around, they can port the filtering callback to v3.
# ? Feb 21, 2023 04:00
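The post above says a Chromium fork need not keep all of Manifest V2, only port the filtering callback. As an added illustration that is not code from the thread, from Orion, or from any browser vendor, here are the two shapes side by side: the V2 blocking `webRequest` listener, which runs arbitrary code per request, and the V3 `declarativeNetRequest` rules, which must be expressed as static data the browser evaluates itself. The blocked hosts and request objects are constructed for the example; the decision logic is kept in plain functions so it runs outside a browser, and registration with the `chrome.*` APIs happens only when they exist.

```javascript
// Constructed sample blocklist (hypothetical hosts, not a real filter list).
const BLOCKED_HOSTS = ["ads.example.net", "tracker.example.org"];

// Manifest V2 shape: an imperative callback that sees each request and can
// decide at request time, using any logic it likes. This is the "blocking"
// webRequest listener that Manifest V3 removes for ordinary extensions.
function v2Decide(details) {
  let host;
  try {
    host = new URL(details.url).hostname;
  } catch (e) {
    return { cancel: false }; // malformed URL: leave it to the browser
  }
  // Never cancel the top-level document, so a bad rule cannot blank the page.
  if (details.type === "main_frame") return { cancel: false };
  // Match the host itself or any subdomain of it.
  const blocked = BLOCKED_HOSTS.some(
    (h) => host === h || host.endsWith("." + h)
  );
  return { cancel: blocked };
}

// Manifest V3 shape: the same policy as declarative rules. The extension
// never sees the request; the browser matches the conditions. The
// main_frame exemption becomes a resourceTypes list instead of an if-branch.
function v3Rules() {
  const subResourceTypes = [
    "script", "image", "xmlhttprequest", "sub_frame", "media", "other",
  ];
  return BLOCKED_HOSTS.map((host, i) => ({
    id: i + 1,
    priority: 1,
    action: { type: "block" },
    // The "||" anchor in urlFilter matches the host and its subdomains.
    condition: { urlFilter: "||" + host, resourceTypes: subResourceTypes },
  }));
}

// Register with whichever API this browser exposes. Guarded so the file
// also loads in plain Node, where `chrome` is undefined.
if (typeof chrome !== "undefined") {
  if (chrome.webRequest && chrome.webRequest.onBeforeRequest) {
    // Manifest V2 browser
    chrome.webRequest.onBeforeRequest.addListener(
      v2Decide, { urls: ["<all_urls>"] }, ["blocking"]
    );
  } else if (chrome.declarativeNetRequest) {
    // Manifest V3 browser
    const rules = v3Rules();
    chrome.declarativeNetRequest.updateDynamicRules({
      removeRuleIds: rules.map((r) => r.id),
      addRules: rules,
    });
  }
}
```

The difference that matters for ad blockers is visible in the two functions: `v2Decide` could consult anything about the request or the extension's own state, while `v3Rules` has to fit the policy into a fixed condition schema with capped rule counts, which is why "porting the callback" is a real engineering job for a fork and not a flag flip.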
Klyith posted: at the mercy of Google making that job intentionally harder with upstream changes.)

Literally every market leader in browsers has actively and maliciously hosed with competition via incompatible edits to 1st-party sites. So there is no 'possibly'. It'll happen, and we'll end up deciding that YouTube is best played via mpc-hc and yt-dl.exe instead of some amalgamation of ads shaped roughly like a browser window.
# ? Feb 21, 2023 04:53
I can't believe how much the DoJ has weakened since the 90s / 00s such that Alphabet isn't getting busted up for controlling the #1 browser, ad business, search, and video site. It's just so utterly poisonous; all four of those products are demonstrably worse for it, and the synergy between two of them is actively pushing society off a cliff only slightly less energetically than Facebook.
# ? Feb 21, 2023 05:07
Remember when we sued Micro$oft for putting Explorer everywhere? Those were good times... https://www.youtube.com/watch?v=H27rfr59RiE
# ? Feb 21, 2023 05:54
Shumagorath posted: I can't believe how much the DoJ has weakened since the 90s / 00s such that Alphabet isn't getting busted up for controlling the #1 browser, ad business, search, and video site. It's just so utterly poisonous; all four of those products are demonstrably worse for it, and the synergy between two of them is actively pushing society off a cliff only slightly less energetically than Facebook.

The bad old days before Citizens United, wherein a corporate citizen can spend arbitrary
# ? Feb 21, 2023 07:47
https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

Holy Hell.
# ? Feb 28, 2023 03:57
So was LastPass not issuing corporate hardware and just having people use their personal computers to work from home, or were they letting people install Plex on their corporate machines?
# ? Feb 28, 2023 04:03
bull3964 posted: https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

Wow.
# ? Feb 28, 2023 04:16
What's the recommended alternative to LastPass for personal passwords? Or are there multiple options?
# ? Feb 28, 2023 04:42
I switched to 1Password and it's a definite improvement in every regard except when it saves passwords (pre-submission).
# ? Feb 28, 2023 04:45
Dandywalken posted: What's the recommended alternative to LastPass for personal passwords? Or are there multiple options?

1Password if you can afford $3 per month and want to be done with this poo poo forever. Bitwarden if you want something free. KeePass if you are a huge nerd and want to janitor your own software. Apple Keychain if you are fully inside the Apple ecosystem and don't need compatibility.
# ? Feb 28, 2023 04:58
Having just moved my dad out of Apple Keychain into 1Password: do not use Apple Keychain unless you want to be forever chained to iCarumba, The Worst Cloud. Exporting was entirely by hand and took me ~30 min for 40 passwords.
# ? Feb 28, 2023 05:01
Klyith posted: 1Password if you can afford $3 per month and want to be done with this poo poo forever.

This should probably just be in the OP at this point.
# ? Feb 28, 2023 05:18
And if you work in infosec and can't afford $3/month: huh?? (Also, just get your work to adopt it and bum a free family subscription off them.)
# ? Feb 28, 2023 07:00
Did I read that correctly, that AWS proactively notified LastPass before LastPass realized they had a problem? I'd like to believe that LastPass had active IAM monitoring and that's what triggered the notification from AWS. Employees install not-work things on work machines all the time, and it's not necessarily awful for most threat models. But if you have access to master encryption keys and your business is securing passwords for millions of people, that is a terrible threat model assessment. You shouldn't even be using the same USB keyboard for work as you do for not-work.
# ? Feb 28, 2023 14:20
Klyith posted: 1Password if you can afford $3 per month and want to be done with this poo poo forever.

Thanks for this, was just about to ask the same question. Really should have ditched LastPass two security breaches ago.

I do have another question though. There are a ton of sites in my vault with stored logins that I haven't visited in years and will likely never use again. What's the best practice for cleaning that poo poo up? Am I safe just deleting them from my vault and forgetting they exist? Do I need to hit each site and try to delete accounts?
# ? Feb 28, 2023 15:24
Enos Cabell posted: I do have another question though. There are a ton of sites in my vault with stored logins that I haven't visited in years and will likely never use again. What's the best practice for cleaning that poo poo up? Am I safe just deleting them from my vault and forgetting they exist? Do I need to hit each site and try to delete accounts?

In terms of security I don't think it matters. Nobody's gonna use your PlanetQuake account from 2002 to gain access to anything else. The thing that might be dangerous is old email accounts, but it's probably better to keep the keys to those rather than delete them.

General junk websites, maybe there's a privacy / data collection benefit to deleting the accounts? Especially if they're big enough to care about EU GDPR and so actually delete the data. But it also sounds like a lot of effort. Personally I would just forget about them. In ten years, when the AI uses my PlanetQuake account from 2002 as the final piece of the perfect model of my brain to sell me a new TV, I guess I'll buy a lot of TVs.
# ? Feb 28, 2023 16:43