
Is the era of passwords coming to an end?

cheeztoshobo
4 hours ago, Kisai said:

And again, people reuse passwords because they can not be bothered to create 300 different password

Yeah because password managers aren't a thing.....

Link to comment

9 hours ago, StDragon said:

 

iOS as a platform has gotten way too complex compared to when it was released over 15 years ago! In fact, there's been recent news about how Gen-Z and Millennials are considering going back to "dumb phones"

 

I think a lot of us wish we could go back to how cell phones used to be like, where it was a phone+SMS device primarily, and the camera functionality was just a convenience feature.

 

We probably aren't ever going to see this happen because even though we are calling those dumb phones, they never were. Old Nokia phones ran an entire OS, Blackberries ran an entire OS, and so forth. Just a lot of the functionality was intentionally hidden and customized per-device.

 

Now perhaps there is a real market for an iOS/Android device that simply strips the "apps" and "internet" from the device as a general design philosophy where it has a 3" screen and only has Phone/SMS/GPS/camera built-in features, and no apps can be installed to it, and the SoC inside it is toned down to be 105% the capability needed to run just those four apps. But you'd lose all the other features.

 

Like when I hear about all these obnoxious people wanting side-loading on iOS I'm just like, "these people are not the target customer", and we're going to see the same people ruin "dumbphones" again with their demands.

Link to comment

8 hours ago, jagdtigger said:

Yeah because password managers aren't a thing.....

Once again. Why do I need to make an account for everything? Why do I need an nvidia account to download driver updates? Why do I need a razer account to even use a razer mouse?

 

I kid you not, there is no functionality that nvidia needs to hide behind an online account, and neither does razer or asus. Yet they absolutely nag you to sign in, and every time I do, I just reset the password, and it's gone until the next time a clean install of that hardware driver is needed.

 

It's come to a point where, if a site doesn't show me the content (like newspaper/magazine contents) I just click off. Screw these sites that want you to create an account/subscribe just to see their ad-riddled swiss-cheese of a site.

Link to comment

7 hours ago, Kisai said:

Once again. Why do I need to make an account for everything?

Because if you have one central thing, like an SSO, every hacker on the planet will attack it non-stop. And that thing getting boned is not a matter of "if" but "when". And when it happens they are in like Flynn into everything you registered to. They could wreck your online, or I'd go as far as they could even wreck your real life by posing as you and doing some A grade excrement posting........

Link to comment

On 5/13/2023 at 2:12 AM, AI_Must_Di3 said:

Nope. The only way to get some security is multi-disciplined authorization, where you combine different tech in a layering effect. The problem now is most people use one small password, over multiple accounts and that's it, they don't use the 2fa even. Bigger problem number two is people using smartphones with confidential info, accounts etc... Your phone is for phone, text, general surfing with no logging in. If you use it that way with a fake account attached you won't lose anything of value. Either get savvy or get pwned, take your pick.

That is such an unrealistic take. That isn't going to happen and most people use their phones for so much more. So, we need better solutions than to not use your smartphone at all. Passwords and 2FA work fine. Passkeys make me nervous because you would always have to have it with you.

Link to comment

11 hours ago, Kisai said:

I think a lot of us wish we could go back to how cell phones used to be like, where it was a phone+SMS device primarily, and the camera functionality was just a convenience feature.

I don't ever want a dumb phone.  I love my smartphone.  It is amazing.  I love having all of this power in my pocket. 

 

11 hours ago, Kisai said:

Now perhaps there is a real market for an iOS/Android device that simply strips the "apps" and "internet" from the device as a general design philosophy where it has a 3" screen and only has Phone/SMS/GPS/camera built-in features, and no apps can be installed to it, and the SoC inside it is toned down to be 105% the capability needed to run just those four apps. But you'd lose all the other features.

 

Like when I hear about all these obnoxious people wanting side-loading on iOS I'm just like, "these people are not the target customer", and we're going to see the same people ruin "dumbphones" again with their demands.

Which is why I will never buy a device with iOS on it. I like having the freedom to use apps that Apple may not want me to use. Like emulators, for example.

Link to comment

3 hours ago, jagdtigger said:

Because if you have one central thing, like an SSO, every hacker on the planet will attack it non-stop. And that thing getting boned is not a matter of "if" but "when". And when it happens they are in like Flynn into everything you registered to. They could wreck your online, or I'd go as far as they could even wreck your real life by posing as you and doing some A grade excrement posting........

And... a password manager solves this how? If the "hacker" gets your password manager login?

Link to comment

21 hours ago, StDragon said:

The Internet has always been a mental arms-race between criminals (hacking, social engineering, etc) and the solutions needed to protect users. It's only going to get exponentially worse with AI that can crack code, bot generate SPAM, call users' phone numbers and engage in voice chat, and with greater compute cycles, brute-force crack PWs.
 

 

iOS as a platform has gotten way too complex compared to when it was released over 15 years ago! In fact, there's been recent news about how Gen-Z and Millennials are considering going back to "dumb phones"

 

Do you really think Grandma wants to use an Apple iOS device and all the complexities that go with it? It's a deep and complicated platform, no joke about that.

In fact, I think there will be a tipping point where there will be a renaissance in modern "dumb phones" that run the latest slimmed down Android and iOS platform, and they will sell like hotcakes for their styles, ease of use, and low cost. It's a snowball on top of a mountain, and all it takes is the slightest breeze to push down and start the ball rolling. Think about it, there's the boomers who have retired and aren't getting any younger. They will spend for a simpler lifestyle that can offer and maintain security.

It's funny that you say this, cause Apple just announced a dumbed down version of iOS. https://www.apple.com/newsroom/2023/05/apple-previews-live-speech-personal-voice-and-more-new-accessibility-features/

Link to comment

On 5/12/2023 at 2:04 AM, jagdtigger said:

Biometrics that consumers can afford are just as bad or even worse than passwords...

You mean current biometrics that consumers can afford are just as bad. Technology gets better and we might get to a point where consumer grade biometrics are much better than passwords. I wouldn't be surprised if we mostly move to biometrics in the future. 

Link to comment

I can probably clear up a lot of the confusion around passkeys. But first of all: Google's passkeys don't work.

I don't mean that they're not useful, I mean that they literally don't work. They're buggy. (More on that later)

 

Passkeys are designed to let you sign into an account securely without the need for a password. This does not mean that you do not need any other type of authentication. Instead you can use biometrics, but you're not limited to them. PINs for example can also work and are already implemented into Google passkeys as part of Windows Hello.

 

To use passkeys you need to activate the feature. They are not automatically activated. Once they are, you can log into your Google account and you will be asked to use a passkey to log in. The passkey does not need to be stored on the device that you're currently using to log in. You can also use a passkey stored on your phone to log in on a Windows device, for example.

 

If you do not have a passkey, you can choose to log in with your password or any other 2FA method that previously also worked. This is still needed to set up new passkeys for each device! Passwords won't go away! After the first login you can now set up a passkey for your device, which you can then use to log in from now on. During the setup you're telling the passkey which other authentication method to use for it. So for example I could say I want to use my Windows Hello PIN for this specific passkey.

 

And now in theory I should be able to log in with a passkey. The issue is that this does not work, which is what I mentioned earlier. Here's why:

When you're trying to log in with a passkey you will be prompted to use the aforementioned authentication method you've set up. This is what happens for each authentication method:

 

  • Windows Hello PIN: The PIN unlocks the passkey, and you will be asked for your password afterwards.
  • Windows Hello Face/Fingerprint: Nothing happens, Windows spits out an error.
  • Android Fingerprint: The fingerprint unlocks the passkey, and you will be asked for your password afterwards.

So passkeys are basically useless right now. I have tested this on multiple devices, running Win 10, Win 11, Android 14 beta and Android 13, and on none of these devices do passkeys make any sense, because you're either asked for the password or the system glitches out and refuses to unlock the passkey.

 

 

On 5/11/2023 at 1:13 PM, porina said:

Is this much different than the various log in with existing Google/Facebook/Twitter/Apple/etc. account things? You still need the account, and that account would likely have a password as part of it.

Yes you do still need a password for your account.

 

 

On 5/12/2023 at 9:04 AM, jagdtigger said:

Biometrics that consumers can afford are just as bad or even worse than passwords...

Depends on each individual password. Are biometrics better than password123? Yeah probably.
Are they better than IjosdOIJO(()8238(882832((")3288)$="=)939200KdnjoajdsAJ"(( ... Yeah obviously not.

 

You're generalizing it too much.

 

On 5/13/2023 at 10:14 AM, jagdtigger said:

Not to mention that someone could knock you out.....

Yeah but they could also hold you at gunpoint and tell you to give them your passwords. They could also kidnap you. That's really not a very constructive point.

 

19 hours ago, jagdtigger said:

Because if you have one central thing

You mean like the password to the mail account you used to set up all other accounts? 🤦‍♂️

Link to comment

3 hours ago, Senzelian said:

Depends on each individual password. Are biometrics better than password123? Yeah probably.
Are they better than IjosdOIJO(()8238(882832((")3288)$="=)939200KdnjoajdsAJ"(( ... Yeah obviously not.

 

You're generalizing it too much.

Those who use simple passwords won't care if the fingerprint sensor is good or not so I'd say it was a fair generalization.

 

 

3 hours ago, Senzelian said:

Yeah but they could also hold you at gunpoint and tell you to give them your passwords. They could also kidnap you. That's really not a very constructive point.

Apple vs orange. Knocking out someone is very easy and generally the perpetrator won't face any charges (because authorities won't deal with minor offenses). Kidnapping/gunpoint on the other hand is a serious crime, hard to arrange, and definitely gets the authorities' attention.

 

3 hours ago, Senzelian said:

You mean like the password to the mail account you used to set up all other accounts? 🤦‍♂️

Again apple vs orange again, out of context too. Users choosing weak passwords, well that only affects them. If one of those "one login to rule them all" solutions gets boned the potential damage is several orders of magnitude bigger than weak passwords because it will even affect ppl who follow good security practices..... (And let's not forget what happens if someone has so much power centralized in their hands, it will be abused without fail (woke, cancel culture, etc). Plus if the service provider goes down so do your accounts.)

/EDIT
Oh and one more thing, you better prepare to pay through the nose for this service. Talent that can notice an intrusion before it can reach its goal is hard to find and expensive.

Link to comment

1 hour ago, jagdtigger said:

Those who use simple passwords won't care if the fingerprint sensor is good or not so I'd say it was a fair generalization.

 

 

Apple vs orange. Knocking out someone is very easy and generally the perpetrator won't face any charges (because authorities won't deal with minor offenses). Kidnapping/gunpoint on the other hand is a serious crime, hard to arrange, and definitely gets the authorities' attention.

 

Again apple vs orange again, out of context too. Users choosing weak passwords, well that only affects them. If one of those "one login to rule them all" solutions gets boned the potential damage is several orders of magnitude bigger than weak passwords because it will even affect ppl who follow good security practices..... (And let's not forget what happens if someone has so much power centralized in their hands, it will be abused without fail (woke, cancel culture, etc). Plus if the service provider goes down so do your accounts.)

/EDIT
Oh and one more thing, you better prepare to pay through the nose for this service. Talent that can notice an intrusion before it can reach its goal is hard to find and expensive.

What are you even talking about? Knocking someone out is assault and isn't a minor charge, and authorities will absolutely follow up on cases like that, at least they have in my experience. It used to be the case where people could get away with stuff like that 40 years ago, but today if you knock somebody out you are going to get charged with assault. Now, convicted is a whole different story, but I wouldn't like my odds if there were any witnesses or video of the incident, which tbh in most places you would have one or the other, or maybe you are in your house, but at that point it's breaking and entering, which is even more serious of a crime. Anyways, if we are talking about people doing assault, I don't think it's so far-fetched that someone who is willing to go that far for a password wouldn't just use a gun and force you to give up the password.

Link to comment

21 minutes ago, Brooksie359 said:

What are you even talking about? Knocking someone out is assault and isn't a minor charge and authorities will absolutely follow up on cases like that at least they have in my experience.

Nice dream world you live in. Good luck without proof and witnesses, because there won't be any from either. Ppl always look the other way.

Link to comment

27 minutes ago, jagdtigger said:

Nice dream world you live in. Good luck without proof and witnesses, because there won't be any from either. Ppl always look the other way.

I am not sure you have ever seen or been in a situation where assault has happened because in my experience people don't just sit there and watch. People typically call the police and increasingly record the incident if possible. I am not sure where you live but I think you should have more faith in people because they tend to be more helpful in crisis situations than you would think. In my experience people called the police when the assault happened and also tried to separate the two parties. Then people gave statements to the police about what happened and I am fairly certain the person who assaulted the other person ended up doing time in prison. I don't know in what world someone would be able to knock someone out with witnesses and then use his unconscious body to log into a computer without anyone interfering or calling the police. 

Link to comment

On 5/16/2023 at 3:52 PM, CaptainDarkstar42 said:

That is such an unrealistic take. That isn't going to happen and most people use their phones for so much more. So, we need better solutions than to not use your smartphone at all. Passwords and 2FA work fine. Passkeys make me nervous because you would always have to have it with you.

I'm sorry that reality offends you. If you are using a smartphone, the easiest thing to hack, crack and tamper with, to do banking or any other sensitive things, then the clock is ticking till you get hit, if it hasn't happened already. I didn't say don't use your smartphones, I said don't use them for sensitive accounts. The only answer at this stage of the game is multi layered security. Every version we have right now is pretty crappy by itself, but in a layered approach it makes it much more time consuming, money draining, etc... for the bad guy where it's easier to move on to the guy down the street that uses his cell phone to wirelessly bank and keeps his NFC, bluetooth, wifi going all the time. Not to mention I can just stand on his porch and skim his credit cards and key fobs and garage door opener cause he doesn't put them in metal lined cases. Next time he goes out for an hour..... the guy I sold all that to is gonna stop by. 😉

Link to comment

On 5/17/2023 at 5:07 PM, Brooksie359 said:

I am not sure you have ever seen or been in a situation where assault has happened because in my experience people don't just sit there and watch

I'd say that's the exception and not the norm. Whenever something happens no one saw and/or heard anything. Ppl have enough on their hands and the last thing they want to spend time and day-off on is someone else's problem........

Link to comment

Just now, jagdtigger said:

I'd say that's the exception and not the norm. Whenever something happens no one saw and/or heard anything. Ppl have enough on their hands and the last thing they want to spend time and day-off on is someone else's problem........

Let me ask you this. When was the last time you saw someone getting assaulted and people just ignored it and didn't get involved at all, not even calling the police? For me I have never had that happen but I have seen multiple times where people get into fights or get assaulted and bare minimum is someone calls the police. Maybe we just live in very different places because I can't imagine people just ignoring that type of stuff.

Link to comment

On 5/11/2023 at 11:12 AM, cheeztoshobo said:

Summary

Google recently announced a passwordless sign-in called 'passkeys'. It seems that the use of passkeys will become more widespread in the future. 

 

Quotes

 

My thoughts

Google recently announced a new initiative for passwordless sign-in.

It appears that the use of passkeys will become more widespread in the future. 
Will this lead to the complete disappearance of passwords? 
And will passkeys or other similar security login methods be more convenient than passwords?

Sources

https://thehackernews.com/2023/05/google-introduces-passwordless-secure.html

Google wants to have my face and fingerprint? Never happened, never will.

*Applies a second tape over camera*

Link to comment

1 hour ago, LDGrinn said:

Google wants to have my face and fingerprint? Never happened, never will.

*Applies a second tape over camera*

Wait until you're forced to have a chip implanted in your hand.

Mark of the Beast Machine.

Link to comment

Interesting discussion imo, regardless what you use some other authentication is always needed whatever that may be.

Only using one factor to authenticate or using the same password for everything is bad mojo, obviously not so easy to educate very old people but can be done.

Link to comment

8 hours ago, Jaxrebel said:

Interesting discussion imo, regardless what you use some other authentication is always needed whatever that may be.

 

 

Try recovering a gmail account. It's impossible.

https://lauren.vortex.com/2023/05/17/google-account-recovery-failure-sad

 

So I decided to swap hard drives so the new PCIe 4 drive replaced the PCIe 3 one. New install of Win11. What happens?

Chrome: login... well what's the password? I don't ****ing know, I last entered it apparently 1 year ago. Try to recover the password, it wants to send the email to another email you have on file, and then wait 48 hours.

Discord: can't reset the password without the 2FA, can't get the 2FA because it's on another device that was last used... you guessed it, 1 year ago. Discord's policy is also "sux to be you, create a new account."

 

Every bloody app is some different hell to recover the password, and extra hell if there is 2FA on it that isn't SMS. And what if you lose your phone? well your entire life is now gone.

 

It seems like the common refrain here is that passwords just need to die, but 2FA needs to stop being "print out a back up code" because people are not going to have these things 1 or 2 or 10 years later when they need them.

 

Link to comment

9 hours ago, Kisai said:

It seems like the common refrain here is that passwords just need to die, but 2FA needs to stop being "print out a back up code" because people are not going to have these things 1 or 2 or 10 years later when they need them.

So you suggest we lower security for everyone to make it easier for illiterate people? What a great idea that definitely won't cause major headaches down the line.... /s

Link to comment

13 hours ago, Kisai said:

Every bloody app is some different hell to recover the password, and extra hell if there is 2FA on it that isn't SMS. And what if you lose your phone? well your entire life is now gone.

And this is why OTP based MFA'ed accounts need to also be set up with FIDO2 (physical) keys as a recovery method.

Don't trust OTP / phone app authenticators to save your ass. If the phone resets or is replaced, the attestation is lost.

Now, there are ways of recovering some of those OTP registrations, but unless you know what you're doing, there are implications of either rendering a false sense of security and/or opening that up to being exploited. So again people, back up your MFA with FIDO2 keys when given the chance.

Link to comment

4 hours ago, jagdtigger said:

So you suggest we lower security for everyone to make it easier for illiterate people? What a great idea that definitely won't cause major headaches down the line.... /s

What I'm saying is the status quo is BAD, and the solutions are WORSE.

 

Here's an analogy to explain the problem since you don't seem to care:

Imagine going to a bank, depositing your life savings in it, then an hour later you get mugged on the street and your phone and wallet are taken.

 

So... How do you get new ID now? Hmm. How do you prove who you are with no ID? I don't know how many people have actually tried to do this. But it typically requires starting at the DMV to get a new DL (and what if you don't drive? Then what?)

 

But they want you to pay them money to replace it. Can't because all your payment stuff is stolen. Maybe someone will take pity on you at the DMV, maybe you can beg someone at work for money, but you can't get to work because your DL has been stolen, and you can't get a transit ticket, again, because you have no money.

 

You can't walk back into the bank to the person you just deposited the money to, because you no longer have your ATM card or any ID. Sorry, just policy.

 

Meanwhile, the thief has your phone and wallet, but can't unlock the phone, and your wallet only has cards with PIN requirements. Wow, maybe a card might allow the thief to buy a hamburger if the NFC is enabled. You can't call the card company to stop the transactions because you don't know the number. But you're in the bank right now, and can tell them to stop the transactions... if you borrow their phone.

 

Maybe you can call your wireless carrier and have them report the phone as stolen. Now the SIM/eSIM is destroyed and so is any chance of recovering it with the "Where is my phone?" app.

 

 

Tying everything to the phone is a stupid idea, and reusing passwords is stupid, but you're pretty much guaranteed to lose a lot of irreplaceable things by using passkeys or 2FA tied to a device that can be destroyed or lost.

 

The only reason I got back into my gmail or discord accounts is because the 2FA is on the phone for both of them, and the gmail accounts are perpetually logged in on the phone. You still can't change the password without knowing the existing one.

 

Anyway, I set up Passkey for gmail and now I'm just hoping that doesn't turn into an even worse hell when google inevitably wants you to use something else.

Link to comment