libera/#maemo/ Thursday, 2020-06-11

brolin_empeyI love these lame applications that tell the user that their password has expired and needs to be changed but happily accept the expired password as the “new” password, such as the Web site for my current (since 2018 June) credit card provider who just expired my original password.08:31
brolin_empeyEven Windows 2000 originally did this but Microsoft may have fixed it in one of the service packs.08:34
luke-jrbrolin_empey: is there a legit use case for expiring passwords?09:30
sixwheeledbeastI fail to see the point in expiring passwords. Some companies have it as a policy. People are lazy; you make it harder for people that use password management, and the ones that don't care generally use the same password but change the last character.10:47
sixwheeledbeastAs much as I hate biometrics it works for people that aren't interested.10:49
MaxdamantusI hate that most things even use passwords.11:40
MaxdamantusIf a system is relying on something like email as its actual authority (eg, systems where you can reset a password as long as you have access to an email address), a password is only really a convenience feature that makes it quicker to authorise (enter a memorised password instead of go through an email validation cycle).11:42
MaxdamantusMost sites should either just use email validation to log in. If it's something that someone is using frequently, then allow their browser to remember a long-lived session cookie, otherwise if they're using it infrequently, they're going to forget their password and go through an email validation cycle anyway.11:45
Maxdamantuss/either //11:45
infobotMaxdamantus meant: Most sites should just use email validation to log in. If it's something that someone is using frequently, then allow their browser to remember a long-lived session cookie, otherwise if they're using it infrequently, they're going to forget their pas...11:45
sixwheeledbeastYou're requiring email and a browser, which may be inconvenient. I don't want my browser to remember any cookies between sessions.12:05
sixwheeledbeastA password is providing a weak form of 2FA. If your email is compromised then you validate all sessions from there; it's a single point of failure.12:08
sixwheeledbeastAlso I believe we were referring to security more generally, so logging into the system in the first place for example.12:10
MaxdamantusNo. Allowing a password is a weakening of the system. 2FA is about requiring an *extra* requirement for authentication. Most password systems are about providing an *alternative* requirement for authentication.12:25
MaxdamantusSince most password systems allow you to authenticate if you've forgotten the password.12:25
MaxdamantusSo the password is not actually required, it's just a way of accessing the system more quickly.12:26
Maxdamantus2FA requires 2 factors when authenticating. Password systems usually allow you to authenticate using only one factor (the password). Those systems also usually allow you to authenticate using the email, but they don't require you to authenticate using both.12:29
MaxdamantusSo again, you've got two alternative ways of accessing the system, therefore it's strictly weaker.12:29
Maxdamantusand passwords seem like a very weak system.12:29
MaxdamantusSince people reuse passwords all the time.12:29
Maxdamantus> If your email is compromised then you validate all sessions from there; it's a single point of failure.12:31
MaxdamantusMost password systems allow you to recover if you have access to email.12:32
MaxdamantusSo by having a password, they're not protecting against that.12:32
MaxdamantusIt's like allowing your friend into your house by opening the door for them (you are the primary authority), and then for convenience you can give them a door key.12:37
MaxdamantusGiving them a key is a weakening of security.12:38
sixwheeledbeastNot protecting no, but not providing access to everywhere else. If you have forgotten a password you would have to validate in the same way as registering the account in the first place and this would clear the password.12:38
MaxdamantusRight, so why not just require them to validate the same way each time they log in?12:39
MaxdamantusInstead of giving out extra keys that can be used to bypass the primary authority mechanism?12:40
sixwheeledbeastWell because it's inconvenient, just like never leaving your house so you can let your friend in.12:40
sixwheeledbeastto use your analogy12:40
MaxdamantusRight, so it's a convenience feature. It's a weakening of security.12:40
sixwheeledbeastI don't agree. It's systematically not compatible with people but itself it isn't a weakness IMO.12:42
MaxdamantusIf it's a site that's used once every month or two, you might as well just have that initial validation as the way people log in, because it's likely that at that length of time, it's going to be more annoying trying to memorise a password than checking an email.12:42
MaxdamantusIt's clearly a weakness. You still have the alternative way of authenticating (using email or whatever). Like the door analogy, you can still ask your friend to let you in.12:43
MaxdamantusBut having a password/key is an extra vulnerability that can be exploited by others.12:44
MaxdamantusYou could accidentally leave your key somewhere, or you could reuse a password, or you could enter your password into another website as you're trying to remember their password.12:44
Maxdamantusthe password/key is a way of bypassing that primary authority mechanism (asking the friend, or verifying an email address)12:45
sixwheeledbeastAs I say, it's not just about websites; you have security before you even get to a browser or email client. Using passwords incorrectly is down to the user, not the method.12:46
MaxdamantusI'm not opposed to passwords overall. I just think most of them are useless.12:47
MaxdamantusThere are relatively few things that should actually use passwords. That does not include most websites.12:47
MaxdamantusMost websites ultimately authenticate using email validation. Obviously if you're talking about access to an email account, or access to some system using ssh, you're not ultimately using email validation, so a password might make sense in those situations.12:48
Maxdamantuss/useless/useless and a security liability/12:49
infobotMaxdamantus meant: Most websites ultimately authenticate using email validation. Obviously if you're talking about access to an email account, or access to some system using ssh, you're not ultimately using email validation, so a password might make sense in those situation...12:49
sixwheeledbeastYou can't expect to validate every session via email on every site everytime you start a new browsing session.12:52
MaxdamantusThen remember the session.12:55
sixwheeledbeastThe overhead created both ways would be ridiculous, also your email would not be protected via HTTPS. Leaving your browsing session open would be like leaving your front door open.12:55
MaxdamantusYou mentioned password managers before. Where is the password being saved?12:56
sixwheeledbeastencrypted somewhere else12:56
MaxdamantusEncrypted using what?12:56
MaxdamantusTo the extent that most people use password management, it's just making the password accessible to the browser.12:57
MaxdamantusMight as well just store cookies instead. At least cookies are essentially forced to be randomly generated instead of potentially reused across different websites.12:57
sixwheeledbeastEncrypted with whatever the latest standard is and stored away from the session.12:58
MaxdamantusIt would be fine if passwords were also required to be randomly generated (as often happens when people use more advanced password managers), but the point of a password is generally that the user is able to choose a common phrase that they can remember. There's nothing preventing them from reusing that phrase across different sites.12:58
MaxdamantusWhat's the difference between encrypting the password and encrypting the cookies?12:59
Maxdamantus(When I said "encrypted using what?" I meant: what is the source of the encryption key. You can't just encrypt something and then claim you've added security. If you store the encryption key next to the encrypted data, there's no added security.)13:01
sixwheeledbeastI am not saying they are perfect and that the system systematically helps people use them correctly.13:02
MaxdamantusIf passwords are being encrypted using, eg, the user's OS password (so the actual key is encrypted using the user's OS password), browsers might as well just be doing the same thing with their cookie stores. If you forget your OS password, you lose access to your cookies.13:04
sixwheeledbeastWell you could be flexible; the key can be anything:- physical hardware, a piece of data, a "strong master password" that is only knowledge and not used elsewhere.13:04
Maxdamantusimo that's a pretty decent system.13:04
sixwheeledbeastUltimately my ideal solution is a device combined with a password (something I have and something I know). Which is pretty much what I have now; the random passwords that the manager makes up mean nothing to me or anyone.13:11
MaxdamantusSure, so that's not really a password. It's still probably a weakening of the system, but it's not as weak as a typical password setup.13:13
Maxdamantus(typical password setup as in where the user remembers a password and types it in each time)13:13
sixwheeledbeastThe issue with cookies is being tracked; you have no easy control over saving just the password and not the rest of the session to log in quickly.13:14
sixwheeledbeastYeah, I see what you mean from the POV of I am using the "Password" box as a "Key" so it's not really a "password".13:16
sixwheeledbeastI have never considered a password to be a "password" it's just a string of memorable characters.13:19
Maxdamantusalso, in cases where websites do legitimately need to use actual passwords, I want there to be some sort of augmented PAKE system (eg, SRP or OPAQUE). It requires support from the web browser or OS, but it means it's not unsafe to, eg, reuse a password across multiple sites.13:20
MaxdamantusI imagine the main issue with PAKE is getting a UX that people learn to use properly, so they're informed that the browser/OS is asking for the password instead of the website.13:21
Maxdamantusimo SRP would also be suitable in place of ssh password authentication.13:25
sixwheeledbeastThey are not going away, as other options all have equal flaws or implementation issues.13:25

Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!