Well they should have 2fa, but yes, if that’s the case I agree with you.
Use Bitwarden or KeePass
Comment on DNA companies should receive the death penalty for getting hacked | TechCrunch
Darkassassin07@lemmy.ca 1 year ago
Maybe you shouldn’t use the same user+pass across dozens of different services then.
The data from 23 and Me was stolen using the legitimate login credentials of users acquired from an entirely different services data breach. Not via their own lax security policies.
You can’t expect a corporation to protect you from yourself. And they certainly shouldn’t be punished for your ineptitude.
Rinox@feddit.it 1 year ago
Darkassassin07@lemmy.ca 1 year ago
Unfortunately, even that’s not enough. That’s often a user choice to enable, and totp itself is a flawed system.
Really, services should be transitioning to Passkeys, however adoption of a new standard always takes time. There are not a huge number of services that have implemented them yet. [passkeys.directory](Here’s a list.)
YoorWeb@lemmy.world 1 year ago
Appoxo@lemmy.dbzer0.com 1 year ago
TOTP is better than no TOTP/2FA.
Darkassassin07@lemmy.ca 1 year ago
It sure is. My point is that users often don’t enable 2fa even when available, while those that do are still at risk anyway.
Id rather see a much less flawed system implemented, particularly for important services like ones that store your genetic code.
starman2112@sh.itjust.works 1 year ago
I don’t like passkeys. There’s the old thing about good security being the thing you have, the thing you know, and the thing you are–a key, a password, and biometrics. I don’t like keys or biometrics for anything online. Mainly because of 5th amendment issues (police can hold your finger to your phone to unlock it, but they cannot compell you to say what your password is), but also because either it’s secure more secure than using a password (if you lose the thing you have, you’re fucked) or it’s the same as using a password (if you lose the thing you have, you can enter a password to get it back).
Why can’t we just normalize memorizing complex passwords? It isn’t that hard if you dedicate some effort to it instead of lazily making it Currentmonth123!$
Rinox@feddit.it 1 year ago
Why can’t we just normalize memorizing complex passwords? It isn’t that hard if you dedicate some effort to it instead of lazily making it Currentmonth123!$
This is just a stupid take. I bet you either reuse your passwords regularly or you don’t really use the internet that much. I just looked it up and I have 270 unique logins, with as many 20 characters long passwords, with letters numbers and special characters.
Now tell me with a straight face that you think everyone can memorize that.
Darkassassin07@lemmy.ca 1 year ago
I currently have 75 different accounts stored, each with a unique 16 character randomized password. My memory cannot handle remembering each one alongside their username and which service they are used for. I don’t think it’s reasonable to expect anyone to.
You are not required the secure passkeys with biometrics, you can just use a password if you want, removing the possibility of forced unlock.
With that many logins, I use a password manager anyway. Regardless of whether I use passwords or passkeys; that is always going to be target. With passkeys, that manager+my device are only possible targets to gain access to my accounts. With passwords every service is also a target, along with every connection I make to that service.
A random example: If I login to twitter with a password using a work computer, that password is more than likely now sitting in a log file on the corporate firewall that performs https inspection. That could be used to gain access to my account later.
Replace that password with a passkey, and now there’s no ability to harvest and use login info from those logs. All they saw was the passkey challenge and response sent back/fourth with no ability to replicate it later.
While yes, you can usually recover you passkeys with a password and the appropriate access to the systems where they are backed up; the difference is very rarely using a password as a recovery code, vs using a password regularly giving much more opportunity for it to be intercepted or mishandled. The systems my password manager backs up to are also my own and not publicly accessible. (you don’t have to use google/apples managers)
Also the passwords used for account auth are stored in my password manager, where as my password managers password is only stored in my mind. One is easy to remember, 75 is a bit much…
PowerCore7@lemm.ee 1 year ago
The first link is basically an “advertisment hidden in a normal, professional-looking article”. All they’re saying is how these ways are not secure, but most importanly, how their solution is more secure, published under their own site.
When you take this into account, their claims start to break down: while yes, email and SMS MFA might be inherently less secure since the code could be transmitted via an insecure channel, saying TOTP is not not secure because “you device can be hacked” is a kinda bad take: if your device is already hacked, you’d have a much bigger problem: even if you are using security keys, the hacker would already have access to whatever service you might be trying to protect. As for the lost/stolen case mentioned in the article, if you put TOTP code in a password manager (as most would probably do if they’re doing this), that shouldn’t be a problem. The only way this would be a problem is that the TOTP secret is stored in plain text, which would be the same for any authentication methods.
Rinox@feddit.it 1 year ago
Thanks for the link, I wanted to read up on passkeys since the other day, as GitHub asked me to set one up with Bitwarden
bandario@lemmy.dbzer0.com 1 year ago
You nailed it. Users cannot be trusted to not re-use login credentials.
I know we all hate it, but proper 2-factor authentication via authenticator apps must be the default position for everything.
chatokun@lemmy.dbzer0.com 1 year ago
I work in IT and don’t want to have to use annoying long passwords, so I’ve been team mfa for at least a decade now. I had physical code devices for SWOTR and FFXIV until I got a software one for the latter. I don’t play the former much but I still have a working physical key somewhere.
In fact, I’m more annoyed when a service still uses texting your phone and no option to use a mfa app.
spudwart@spudwart.com 1 year ago
Legit have had conversations with people where they position themselves as superior because they use “the same password” but with an @ instead of an a, or an extra 0 at the end.
Password Managers are really the best solution to using 1 password everywhere without actually putting yourself at risk. 1 password, to unlock the manager, that lets you copy/paste logins.
But nope 99% of all bullshit I experience in my friends and family is “but thats too complicated” or “thats too hard” when its 200% fucking not.
I’m calling them out. These are shit excuses for what their real issue is which is “i don’t wanna change my habits” which is just childish and ignorant.
Even if its easier, even if its safer. If its different, then they don’t want to even try it.
There are some people who will have “always used” a spoon to dig holes, and if you showed them a shovel, they’d complain that it’s too hard or too complex, and go back to using the spoon.