this post was submitted on 16 Sep 2024
228 points (98.7% liked)
Technology
59982 readers
2628 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
What an absolute failure of the legal system to understand the issue at hand and appropriately assign liability.
Here's an article with more context, but tl;dr the "hackers" used credential stuffing, meaning that they used username and password combos that were breached from other sites. The users were reusing weak password combinations and 23andme only had visibility into legitimate login attempts with accurate username and password combos.
Arguably 23andme should not have built out their internal data sharing service quite so broadly, but presumably many users are looking to find long lost relatives, so I understand the rationale for it.
Thus continues the long, sorrowful, swan song of the password.
passwords were maybe the dumbest idea ever invented
What is your suggestion for a superior solution to the problems passwords solve?
Passkeys are becoming the industry standard. They are better in nearly every way, but would not have been possible before smartphones.
They are unique for each site, not breachable without also having a users device, not phishable, and can't be weak by design.
Agree that passkeys are the direction we seem to be headed, much to my chagrin.
I agree with the technical advantages. Where passkeys make me uneasy is when considering their disadvantages, which I see primarily as:
There's no silver bullet for the authentication problem, and I don't think the passkey is an exception. What the passkey does provide is relief from credential stuffing, and I'm certain that consumer-facing websites see that as a massive advantage so I expect that eventually passwords will be relegated to the tomes of history, though it will likely be quite a slow process.
And if you lose your device, get fucked forever!
Passkeys are passwords but worse.
Nope. The private key can be backed up, stored in an online password vault, copied automatically to other devices, whatever.
There are good and simple answers to this issue.
No.
Most people will store in their ecosystem (Microsoft or Apple). Lose your device, recover via logging back into your service. That effectively means that logging in to your ecosystem is your “one password”. Of course you can shield that login with a passkey that sits in another instantiation of your account (laptop, home PC).
The nerds will use a platform-neutral password manager (last pass, 1Password) etc. That is likely to either be protected by a strong password AND a recovery key (to print on paper) OR a passkey stored in your platform ecosystem.
Personally I’m in 1Password, using a very long passphrase and a recovery key (two print outs, kept in two different locations).
If you ONLY use one device to enter your ecosystem you do have some risk if it is passkey secured. The end of the chain ought to be a highly secure password that you never reuse anywhere else (your “one” password). Best to go completely random and write it down on paper.
But the risk of never being able to access your ecosystem are really quite low.
You'll own nothing and be happy!
Yeah it’s not for me but that’s a different point to “will they be locked out of their passkey storage”.
It's directly related. If it's in Apple's system... or M$'s systems... They get to control your passkeys (not you). Including arbitrarily locking you out for whatever reason they want. Including "oops our datacenter died". Hell... case and point. I bought new pixel phones (GrapheneOS), Google store didn't charge my card at all, a card that's been associated with my account for at least 10 years now, they marked it as "Suspicious" and locked my entire google account. Talking to support... None of them can even see that my account is locked.
This is what "normal" people will get shoved into. This is not a win for any consumer. It's a win for corporations. They get to see each request you make and use that metadata for themselves.
I'm fine with that as long as it works without my phone, internet or power.
So, a contactless smartcard
What are you signing into where you need a password but don't have internet?
digital wallet?
Lan server, air gapped
We'll its a private key, so just a few kb of data. You can likely put it on all sorts of devices. Most services that use it will require some of the above, so I doubt the usefulness, but the same goes for most passwords.
Im curious how you access your passwords with the above criteria. Are you using a notepad with dozens/hundreds of unique passwords, some kind of dice based randomizer, or just a few passwords for many sites?