DNA companies should receive the death penalty for getting hacked | TechCrunch::Personal data is the new gold. The recent 23andMe data breach is a stark reminder of a chilling reality – our most intimate, personal information might

  • @[email protected]
    link
    fedilink
    English
    21 year ago

    A well implemented password also cannot be stolen. Only a hash of that password.

    Presuming it was hashed before transmission which it often is not. It can still be stolen during transit, directly from the user, or from poorly implemented processing/storage practices on part of the service which you have no control over and no ability to audit. You can have all the best practices as a user, and still be screwed over by a services poor practices.

    Passkeys guarantee to reduce this to a single possible target of theft: The users device.

    You as a user have no control or even insight into how a service implements password based auth. All you can do is use a unique complex password and hope they do the right things to keep it secure. Just by using a passkey though, you can know for sure that you are in control of it being kept secure as it never leaves your possession.

    Biometric auth is only used to secure the keys on the local device, ontop of the devices own auth.

    By MFA, I was refering to all the other factors you can apply just like typical password+2fa. Email, sms, timed, physical key, etc. You have all of the same additional options ontop of replacing passwords with a more secure option. I’m not saying bio+passkey is MFA. Bio is used to access the passkey then MFA is applied to the service itself through whatever other means you’ve enabled. Hell, you can use your password as the secondary MFA option if the service has enabled that.

    • Saik0
      link
      fedilink
      English
      -11 year ago

      It can still be stolen during transit, directly from the user, or from poorly implemented processing/storage practices on part of the service which you have no control over and no ability to audit.

      All of the same concerns exist with passkeys. Worse though is that with passkeys you cannot audit yourself them at all, they’re locked away and have no ability to be viewed at all. You actually can’t tell if the passkey you “Deleted” was actually removed… Nor if a new one that you create to take it’s place is actually different than that one you just “deleted”.

      Passkeys guarantee to reduce this to a single possible target of theft: The users device.

      Which you as a user, if you implement password properly (one unique password per service) also have the same quality. Except you don’t have to rely on now a single possible target! If you steal my device, you have no hope of getting access to my accounts. Period.

      You as a user have no control or even insight into how a service implements password based auth.

      You don’t have any control over passkeys either…

      All you can do is use a unique complex password and hope they do the right things to keep it secure.

      Same as passkeys. Except now your hope is that your system AND their system keeps the passkeys properly secure.

      Just by using a passkey though, you can know for sure that you are in control of it being kept secure as it never leaves your possession.

      You actually have no idea about this… since different standards can exist at the browser or implementation level that can do whatever they want with the keys. Case and point is that Apple allows you to migrate your passkeys through iCloud. Either they’re using your private to authorize a new private key, or they’re actually physically moving your private key to a new device. In either case, that already disproves that “it never leaves your possession” since a cloud service can move it for you.

      • @[email protected]
        link
        fedilink
        English
        0
        edit-2
        1 year ago

        All of these points only apply if you don’t pick a decent password/passkey manager and just stick with whatever google/apple gives you.

        Do better.

        I can see all my Passkeys in painstaking detail and know exactly what has or has not been deleted/modified. I use my own self-hosted services for managing them between devices, so they are never stored on anything but my own hardware in my control.

        The only part that leaves my possession is the public key portion of each passkey, which honestly could be published to a list on their homepage and still remain secure.

        Here’s an example of a stored passkey, but with values redacted:

        "fido2Credentials": [ { "credentialId": "-redacted-", "keyType": "public-key", "keyAlgorithm": "ECDSA", "keyCurve": "P-256", "keyValue": "-redacted-", "rpId": "amazon.ca", "userHandle": "-redacted-", "counter": "0", "rpName": "Amazon", "userDisplayName": "-redacted-", "discoverable": "true", "creationDate": "-redacted-" } ]

        • Saik0
          link
          fedilink
          English
          0
          edit-2
          1 year ago

          All of these points only apply if you don’t pick a decent password/passkey manager and just stick with whatever google/apple gives you.

          Oh yeah? So on Android… How do you get your password manager to work for your passkey storage? Because all I see on android is NFC, USB, and “This device” (which is literally google storage, not your own app). So how do you login to any apps that you’re using passkeys on your phone?

          Do better.

          LMFAO, you’ve addressed basically nothing and assume that your answers are sufficient you can fuck right off.

          Edit: This is effectively SSL/TLS… Right? So there’s never been a successful attack on that right? Boy do I have a bridge to sell you.

          • @[email protected]
            link
            fedilink
            English
            01 year ago

            Currently I only use passkeys on desktop while I patiently wait for my password/passkey manager of choice to finish implementing passkey support on Android, just as I’m waiting for most services themselves to implement passkey support in general. It’s a relatively new and emerging technology, adoption always takes time.

            When you don’t put any thought into what you’re using and just stick with the defaults you’re given; you’re obviously not going to have an optimal experience. Hence: Do better.

            No, this is not basically TLS/SSL. TLS/SSL convinces a client to use a key they’ve just been given, via a public chain of trust that can be manipulated in many ways. This is more akin to the public key authentication of an SSH connection; where the keys are known and trusted long before the connection where they are used is established. This is then also wrapped in TLS/SSL as an additional layer. But TBH as long as you don’t pass persistent login tokens back/fourth, it could be done over plain http. (it wouldn’t secure the data then ofc, but would still securely prove your identity across that connection)

            • Saik0
              link
              fedilink
              English
              01 year ago

              When you don’t put any thought into what you’re using and just stick with the defaults you’re given; you’re obviously not going to have an optimal experience. Hence: Do better.

              And yet here we are… you can’t use it the way you want even if you wanted to. And have no guarantee that that functionality will ever be supported on your platform. Yet you’re saying “do better” when better literally cannot be done.

              via a public chain of trust

              You do not understand TLS/SSL then. Public chain of trust is not a requirement. You can import and trust whatever cert you want. And there’s been a history of attacks SPECIFICALLY doing that.

              This is then also wrapped in TLS/SSL as an additional layer.

              Which password auth is at this point on the internet as well… yet in previous posts you made it out like passwords are sent over the clear and are sniffable by the whole world.

              • @[email protected]
                link
                fedilink
                English
                01 year ago

                A new tech has not yet been adopted everywhere yet so we should abandon it entirely? That’s quite the take.

                Patience my friend. Good things come in time.

                Yes, TLS/SSL is flawed. Again: no, this is not an implementation of TLS/SSL.

                No, I’ve not implied passwords are sent over open channels. I’ve said their transmission -at all- is a bad thing (which they have to be to be used), regardless of being wrapped in TLS/SSL.

                Copy/paste from another conversation:

                A random example: If I login to twitter with a password using a work computer, that password is more than likely now sitting in a log file on the corporate firewall that performs https inspection. That could be used to gain access to my account later.

                Replace that password with a passkey, and now there’s no ability to harvest and use login info from those logs. All they saw was the passkey challenge and response sent back/fourth with no ability to replicate it later.

                (How I got the passkey onto a work computer is separate discussion, point is the example of collecting your password via a malicious network connection. This can happen in more than just a work environment)

                • Saik0
                  link
                  fedilink
                  English
                  01 year ago

                  A new tech has not yet been adopted everywhere yet so we should abandon it entirely? That’s quite the take.

                  No, it offers nothing that cannot be done with current implementations of passwords/password managers. That’s the take. You’re just obtuse and unable to answer how your precious passkeys is actually better in any form.

                  Again: no, this is not an implementation of TLS/SSL.

                  It’s literally what it is… It’s what industry experts directly call it. Public/Private keys… That’s all this is… that’s literally how TLS/SSL works.

                  I’ve said their transmission -at all- is a bad thing (which they have to be to be used)

                  They don’t… because well implemented passwords should only send hashes… Which we’ve already established that passkey implementation is also problematic. You can’t compare the worst implementation of passwords to best implementation of passkeys. That is disingenuous. Nothing about passkeys forces a website to implement things “properly”, just like they don’t have to for passwords.

                  A random example: If I login to twitter with a password using a work computer, that password is more than likely now sitting in a log file on the corporate firewall that performs https inspection. That could be used to gain access to my account later.

                  Doesn’t stop MitM, doesn’t stop corporate firewall from capturing the session cookie and utilizing that to replay access to your account. Assumes that the challenge and response are implemented so that it’s not guessable nor repeated… Keep in mind, we can hash/salt passwords in a multitude of ways, which can be used to vary the “response” of a password as well.

                  How I got the passkey onto a work computer is separate discussion, point is the example of collecting your password via a malicious network connection.

                  But it’s not. If I want to login on a work computer with a password. I can just type the damn thing in. Passkeys are simply LESS mobile… and carry more risk as you’re now authorizing a specific machine to have permissions indefinitely rather than having sessions that defacto expire and that’s it.

                  But let’s actually reign this in a bit… What are the actual beneficial claims here?

                  Do you agree that something like https://b-compservices.com/switching-from-passwords-to-passkeys/ encompasses all of it?

                  It’s a bit more tricky to attack than a password

                  Can accomplish the same thing with passwords that they claim passkey can do. Whether someone implements it that way is a different problem. But it’s possible.

                  Improves cybersecurity strategy

                  Also makes it significantly harder for companies to support users. I cannot set a passkey to a known value to let someone into their account after they lock themselves out (likely forgetting their own password).

                  Smooth user experience

                  I’ve had this with password managers for a decade… if not longer at this point. And it works on all my devices, so it’s even more smooth!

                  Every passkey is strong by default

                  See above…

                  Future-proof

                  Anyone who says this in the context of computer security is lying from the get-go.

                  Convenient to use

                  Same as “Smooth user experience”.

                  Lower long-term costs

                  Their logic here is moronic. “This includes the time IT spends dealing with the constantly changing legal requirements for password storage and password resets.” Except now people will just be locked out and fucked completely. Unless they happen to use a flawed passkey implementation that allows them to recover their shit no?

                  • @[email protected]
                    link
                    fedilink
                    English
                    01 year ago

                    Public Key Auth =/= TLS/SSL =/= Passkeys.

                    TLS/SSL is one implementation of public key authentication.

                    Passkeys is a different implementation of public key authentication.

                    That fact that there are flaws in the TLS/SSL implementation of public key authentication does not equate to those flaws being present in the Passkey implementation of public key authentication.

                    Just because a tool was used poorly once, doesn’t mean it’s always used poorly.

                    Passwords MUST be transmitted to the service in a form that the server accepts as valid, every time authentication is requested. This can be captured and re-sent in exactly the same form it was originally sent to the server. Be that plaintext, or a hash. Hashing a password is almost always done on the server side before storage, or before comparing to the stored hash. If it was done by the client, an attacker would never need to get the plaintext password, they could just resend the hash. A passwords security in transit is entirely dependent on the security of the SSL/TLS connection, which we’ve already discussed is flawed.

                    A passkey is never transmitted and thus cannot be stolen from that transmission. They are not dependent on the security of a known to be flawed network protocol.

                    Yes, there are other attack vectors which are present with both forms of authentication. Not really relevant to choosing one or the other being they are present regardless of password vs passkey.

                    Which we’ve already established that passkey implementation is also problematic.

                    The only problem we’ve established with passkeys is managing their storage and distribution between your devices. That’s a problem that’s entirely up to you as a user and which managers you choose to use. I like having detailed control over my data, so I used a self-hosted password/passkey manager. Others don’t care to go into that kind of detail and just stick with google/apple. To each their own.

                    I’m actually doing the opposite: Compairing the best password implementations with the worst passkey implementations. (regarding how the service implements auth, not how the user manages their auth info. Ie; what the user has no control over)

                    Even with the user and the service they are using doing all the right things to secure their password auth as much as possible: that password can still be stolen in a usable form either from the service itself or from the connection between the service and the user.

                    Where as a service could fuck up astronomically; http only, with public access to their user+passkey table. As long as the users own systems have not been compromised, those passkeys cannot be stolen in any useable way as the service doesn’t have them and are never sent them in any form. All you’ll get is a public key which is about as useful as a random number.

                    Passkeys move all the risk+responsibility of keeping them secure away from the service and puts it entirely in the hands of the user and the decisions they make. You no longer have to hope or even care that the service you’re connecting to is actually utilizing the best practices.

                    And yes, Passkeys are more inconvenient than a password. Using private key auth has always been more inconvenient. Doesn’t stop it being the go-to form of auth for ssh. Again, that was just an example of your password being stolen by the network you are connected to. I’m not here to discuss how to or if you should be using personal accounts on work equipment.

                    I’m also not going to discuss the merits of someone elses talking points. I didn’t even open that link.