Apple Announces Decision to Ditch Passwords
Chitchat
14
Posts
2
Posters
2.3k
Views
1
Watching
-
@crazycells good call with the password manager. I use Bitwarden myself for personal and family usage, and Dashlane for work. I’ve been experimenting with Bitwarden and it’s 2fa capabilities and I have to admit it’s impressive - so much so that I’m considering using this as a drop in replacement for Authy which I’ve been using for years.
@phenomlab said in Apple Announces Decision to Ditch Passwords:
@crazycells good call with the password manager. I use Bitwarden myself for personal and family usage, and Dashlane for work. I’ve been experimenting with Bitwarden and it’s 2fa capabilities and I have to admit it’s impressive - so much so that I’m considering using this as a drop in replacement for Authy which I’ve been using for years.
Yeah, I, too, prefer password managers filling 2FAs rather than me checking from an app on the phone. That is why I ditched Authy for this very reason
-
@phenomlab said in Apple Announces Decision to Ditch Passwords:
@crazycells good call with the password manager. I use Bitwarden myself for personal and family usage, and Dashlane for work. I’ve been experimenting with Bitwarden and it’s 2fa capabilities and I have to admit it’s impressive - so much so that I’m considering using this as a drop in replacement for Authy which I’ve been using for years.
Yeah, I, too, prefer password managers filling 2FAs rather than me checking from an app on the phone. That is why I ditched Authy for this very reason
@crazycells I suppose the only issue which immediately springs to mind here is that if the password manager becomes compromised - for example, if your master password is inadvertently leaked, then an attacker has both the password, and the TOTP code.
This might not sit well with the more paranoid users, but be perfectly acceptable and convenient for the less discerning ones.
Food for thought.
Fractional CISO & CTO | Managing Director at Phenomlab Ltd
-
@crazycells I suppose the only issue which immediately springs to mind here is that if the password manager becomes compromised - for example, if your master password is inadvertently leaked, then an attacker has both the password, and the TOTP code.
This might not sit well with the more paranoid users, but be perfectly acceptable and convenient for the less discerning ones.
Food for thought.
@phenomlab said in Apple Announces Decision to Ditch Passwords:
@crazycells I suppose the only issue which immediately springs to mind here is that if the password manager becomes compromised - for example, if your master password is inadvertently leaked, then an attacker has both the password, and the TOTP code.
This might not sit well with the more paranoid users, but be perfectly acceptable and convenient for the less discerning ones.
Food for thought.
yeah, but thanks to 1password, I am ok with this.
they have a secondary level of encryption. so even if you got my master password, it is useless without a device that I have registered. It is not enough to decrypt my account, even online. You have to enter a “secret code” to add your device to the account so that you can decrypt your passwords on that device, and this secret code is given during registration only. -
@phenomlab said in Apple Announces Decision to Ditch Passwords:
@crazycells I suppose the only issue which immediately springs to mind here is that if the password manager becomes compromised - for example, if your master password is inadvertently leaked, then an attacker has both the password, and the TOTP code.
This might not sit well with the more paranoid users, but be perfectly acceptable and convenient for the less discerning ones.
Food for thought.
yeah, but thanks to 1password, I am ok with this.
they have a secondary level of encryption. so even if you got my master password, it is useless without a device that I have registered. It is not enough to decrypt my account, even online. You have to enter a “secret code” to add your device to the account so that you can decrypt your passwords on that device, and this secret code is given during registration only.@crazycells That sounds like a solid solution.
-
Google has started to implement this several days ago , and I asked about this to @julian on NodeBB… I guess this passwordless access will be the new norm for many websites/apps…
-
Google has started to implement this several days ago , and I asked about this to @julian on NodeBB… I guess this passwordless access will be the new norm for many websites/apps…
@crazycells this is an interesting concept, and I’ve been looking at this same technology for a while now. However, I do think it has flaws in the sense that you can use multiple devices, and if one of those were stolen, that could then easily act as a gateway to gain access to your accounts via an unauthorized source.
Admittedly, you could easily prevent access by disabling that specific device, but the window of opportunity would still exist for a short period of time, and that may be long enough for any nefarious actor to compromise your accounts.
No technology is going to be absolutely perfect, and we have to accept that. However, I do think it’s going to be a while before this new method of authentication becomes mainstream.
Fractional CISO & CTO | Managing Director at Phenomlab Ltd
-
@crazycells this is an interesting concept, and I’ve been looking at this same technology for a while now. However, I do think it has flaws in the sense that you can use multiple devices, and if one of those were stolen, that could then easily act as a gateway to gain access to your accounts via an unauthorized source.
Admittedly, you could easily prevent access by disabling that specific device, but the window of opportunity would still exist for a short period of time, and that may be long enough for any nefarious actor to compromise your accounts.
No technology is going to be absolutely perfect, and we have to accept that. However, I do think it’s going to be a while before this new method of authentication becomes mainstream.
@phenomlab yes, let’s see how it will be implemented. I am curious about it.
For most people, I believe this device will be their phone. And I believe phones are quite secure since they will need a passcode to be opened anyway. And you cannot try indefinitely to find out the passcode.
-
@phenomlab yes, let’s see how it will be implemented. I am curious about it.
For most people, I believe this device will be their phone. And I believe phones are quite secure since they will need a passcode to be opened anyway. And you cannot try indefinitely to find out the passcode.
@crazycells said in Apple Announces Decision to Ditch Passwords:
And you cannot try indefinitely to find out the passcode.
That’s very true. However, as we saw with the San Bernadino shooting, the FBI did in fact manage to hack that device
https://www.theverge.com/2021/4/14/22383957/fbi-san-bernadino-iphone-hack-shooting-investigationHowever, I think your average criminal may not have the array of resources that the FBI has…
Fractional CISO & CTO | Managing Director at Phenomlab Ltd
-
@crazycells said in Apple Announces Decision to Ditch Passwords:
And you cannot try indefinitely to find out the passcode.
That’s very true. However, as we saw with the San Bernadino shooting, the FBI did in fact manage to hack that device
https://www.theverge.com/2021/4/14/22383957/fbi-san-bernadino-iphone-hack-shooting-investigationHowever, I think your average criminal may not have the array of resources that the FBI has…
@phenomlab said in Apple Announces Decision to Ditch Passwords:
However, I think your average criminal may not have the array of resources that the FBI has…
lol I hope they do not
-
@phenomlab said in Apple Announces Decision to Ditch Passwords:
However, I think your average criminal may not have the array of resources that the FBI has…
lol I hope they do not
@crazycells Who knows given today’s modern technology.
